A word on Meltdown & Spectre vulnerabilities
By now you've probably already heard about the Meltdown and Spectre CPU flaws (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754). We'd like to inform you that we're actively following up on these security issues.
By now we have rolled out patched Ubuntu kernels across most of our AWS infrastructure, mitigating the Meltdown vulnerability (CVE-2017-5754). Unfortunately, no updates have been released yet for Spectre (CVE-2017-5715 and CVE-2017-5753).
Our ECS-based clusters were updated with the newest Amazon Linux images as soon as they were released.
Our Linode instances are running a patched kernel that mitigates Meltdown. Meanwhile, Linode is scheduling maintenance over the following days to patch the underlying infrastructure, and machines will reboot automatically.
Our Digital Ocean infrastructure running Ubuntu 16.04 is using an updated kernel that mitigates Meltdown. There's no update for Spectre yet.
What's the vulnerability about?
In short, every CPU released in the last 2 decades uses a technique called "Speculative Execution" to optimize processor performance. However, it has now been discovered that, due to these design decisions, it is possible for an attacker to gain access to kernel memory and read sensitive information.
For more information, you can find some nice articles explaining further on:
What are we doing about it?
On the AWS side, patches are already being rolled out and, depending on instance type, a reboot might be required.
Digital Ocean is investigating the impact on their systems, but will most likely also need a reboot.
Linode is also investigating the impact on their systems. Here too, a reboot of all instances is likely to be required.
We will notify you if your instances are affected and do our best to minimize downtime during the maintenance windows.
Server operating systems
The operating systems of the instances themselves also need to be patched. We use Ubuntu as our standard OS, and thus far no patches have been released. As soon as Canonical releases the required patches, we'll roll out the updates automatically.
We will keep you further informed with updates.
You can follow the status on Canonical's side via:
Status for AWS:
Status for Digital Ocean:
Status for Linode: