Dear Cloud Riders,
As you may know, yesterday was the publication of multiple Intel new security vulnerabilities that may affect cloud service providers.
Quick summary. Impact on our infrastructures:
- Dedibox impacted
- C2 Bare Metal Instances impacted
- New Development and General Purpose Cloud Instances not impacted
- Start and C1 Instances not impacted
Formally known as CVE-2018-12127, 12126, 12130, CVE-2019-11091, they are a family of flaws roughly in the same category as Spectre and Meltdown.
To dig a bit deeper into the attacks, this current batch targets the data stored in buffers using the speculative execution built-into the CPU. Thus may allow attackers to gain access to sensitive data.
- On the Online by Scaleway (Dedibox) business, most Intel CPUs are vulnerable. You have to know that there were CPU microcode updates released by Intel over the last few months, if your operating system (OS) is updated, there is no threat on you for these attacks. Please follow the procedure for update of your OS to be on the last kernel and have the right CPU microcode running. How to deploy the firmware?
- Bare Metal Instances C2S, C2M and C2L are vulnerable and should be updated if you run untrusted code or multi-user environment, we will soon release a kernel image with the vulnerability patched into it, so you will have to reboot your server with it. You will receive a notification as soon as we release new kernel image.
- Scaleway Instances (Development, General Purpose, Start and C1) are not vulnerable to these attacks on shared lineups, as they were already addressed in hardware on the CPU used, please also note that AMD is not vulnerable.
You can find more information about the attacks and their implications on the Intel website.
- Intel’s statement
- Reference CVE CVE-2018-12126
- Reference CVE CVE-2018-12127
- Reference CVE CVE-2018-12130
- Reference CVE CVE-2019-11091
We believe security and privacy are crucial. We apologize for any inconvenience that we are not directly responsible. Hopefully this gives a comprehensive overview of what happened in the breach and we stay available if you have any question.