To date, all first-tier cloud providers have taken action against the Spectre and Meltdown security vulnerabilities. The cloud giants are better armed to address those issues, as they have all been aware of the attack vectors for quite some time. Google has been able to patch their host systems without even rebooting the guests.
Smaller providers were not so lucky, but some of them banded together to help each other and share information (Linode, Vultr, DigitalOcean, Scaleway, OVH and Packet). They are still one step behind, though.
The disclosure was initially coordinated for January 9th, but as the news became widely available on Jan 2nd, the major providers decided to take action immediately. Tier 2 providers, which depend on information from Intel and OS publishers to patch their systems, are still struggling to figure out which patches to install.
According to Google, Amazon and Microsoft, the performance impact is negligible.
This is the status for all VPS providers tested at vpsbenchmarks.com on Jan 6th 17:00 PST.
Processor Speculative Execution Research Disclosure
- All EC2 hosts were patched before Jan 5th 21:00 PST.
- AWS recommends the guests instances.
Google Cloud Platform
Answering your questions about “Meltdown” and “Spectre”
- Google started working on those security flaws in June 2017.
- "G Suite and Google Cloud Platform (GCP) are updated to protect against all known attack vectors. Some customers may worry that they have not been protected since they were not asked to reboot their instance. Google Cloud is architected in a manner that enables us to update the environment while providing operational continuity for our customers"
Securing Azure customers from CPU vulnerability
- As of Jan 3rd "The majority of Azure infrastructure has already been updated to address this vulnerability".
A Message About Intel Security Findings
- DigitalOcean is still awaiting patches from Intel, Canonical.
- Next update on January 9th.
CPU Vulnerabilities: Meltdown & Spectre
- Still waiting on external dependencies as of Jan 5th.
- Patched kernels are available to customers to patch their guest OS.
Intel CPU Vulnerability Alert
- Vultr claims "Our engineers have already applied updates to our infrastructure to ensure the security of our platform" but it's not clear if that includes the hypervisor hosts.
- Vultr will email customers ahead of scheduled reboots of instances.
- There is no article about the vulnerabilities on the Atlantic.net blog.
- However, they sent an email to their customers:
- "As with all major cloud providers, Atlantic.Net is working together with hardware and software vendors to patch these exploitations as soon as we can. The solutions to these exploitations will be highly dependent on the type of hosting environment that you have with Atlantic.Net."
Important note about the security flaw impacting ARM & Intel hardware
- There is a large picture of young engineers looking concerned on the blog post; one of them is staring at a picture on his screen that was most certainly downloaded from the future. So they obviously understand how critical the situation is. More seriously, they are the provider that published the most frequent updates on the status of their servers.
- Scaleway provides regular updates about the progress of their work on Twitter.
- Patched kernels are available for their customers to install.
- By now they should have patched all impacted hypervisors according to the blog post: "A maintenance window has been scheduled between the 01/04/18, starting at 7am UTC and the 01/06/18, ending at 7am UTC".
Information regarding the Intel CPU vulnerability (Meltdown)
- The UpCloud status page has detailed information about the progress of the updates.
- As of Jan 6 20:49 UTC "Most of the emergency infrastructure updates are now complete. We estimate that over 95% of customer servers did not experience any notable disturbances due to updates."
Reboot for Meltdown / Spectre patching
- VPSDime sent emails to their customers to inform them of scheduled reboots to patch their hypervisors.
- In the case of vpsbenchmarks.com, the email was unfortunately sent just 20 minutes before the reboot.
- "Today, Saturday January 6th, 2018, we will be rebooting host nodes serving all VPSDime Linux VPS to execute a new kernel patched against the recently discovered Meltdown and Spectre exploits."
No information on the topic that I could find.
I saved the best for last.
Me: What are you planning to do about the Meltdown and Spectre security vulnerabilities?
IOZoom: Please give us your root password, we'll check it out for you.