Information regarding "Meltdown" and "Spectre"
Recently, two important security vulnerabilities code-named Meltdown and Spectre have been discovered independently by several parties including researchers at Graz University of Technology and Google Project Zero. They were first published in a blog post by Google Project Zero on 2018-01-03 after rumors spread during the holiday season.
At cloudscale.ch we take these new threats very seriously and do our best to ensure the safety of our cloud infrastructure. With this update we would like to inform you about the current status of the mitigations.
- Measures taken so far
- Detailed information regarding Meltdown
- Detailed information regarding Spectre
Measures taken so far
To ensure these vulnerabilities cannot be exploited at cloudscale.ch, we have already applied Linux kernel updates containing software mitigations for the most severe vulnerability (Meltdown). We will test further updates in our lab as they become available. Once we are confident that no regression occurs, we will apply them to our infrastructure. We will keep you up to date regarding our maintenance schedule and will do our best to minimize the operational impact.
Please note that you need to apply the relevant security updates to your cloud servers as well in order to fix the vulnerabilities.
Detailed information regarding Meltdown (CVE-2017-5754)
We applied the Linux kernel update that fixes the Meltdown vulnerability to all of our compute nodes on 2018-01-10. To protect yourself against attacks from inside your cloud servers, you also need to apply the corresponding security updates provided by your Linux distribution.
Detailed information regarding Spectre (CVE-2017-5715, CVE-2017-5753)
Mitigation of the Spectre vulnerability in the Linux kernel is ongoing. Currently, neither the upstream Linux kernel nor the Linux distribution we use on our compute nodes has released updates to fix it. Proposed code changes are under review by the Linux kernel community and we expect those to be released soon. A CPU microcode update and a kernel update will be needed in order to fix this vulnerability on our compute nodes. Furthermore, additional updates to the virtualization layer are required; these will update the virtual CPU type of your cloud servers.
Once the relevant patches have been released, an additional Linux kernel upgrade as well as a shutdown and restart of all your cloud servers will be required. We will inform all of our customers as soon as the virtual CPU type has been updated. Only then will you be able to fix the Spectre vulnerability from inside your cloud servers.
If you have any further questions, please do not hesitate to contact us.
Best regards from Zurich - Switzerland,
your cloudscale.ch team