Elliot posted in:

Intel released a statement on the 14th of August regarding three newly discovered security vulnerabilities present in all of their desktop and server CPUs. These vulnerabilities theoretically allow memory to be read between virtual machines that share the same CPU core.

These vulnerabilities are known as Foreshadow, and more information on them can be found here.

These vulnerabilities affect all of Memset’s virtual machines, IAAS instances and some full servers depending on how they are used. They potentially allow the contents of the memory of one virtual machine to be read from another.

Due to the severity of these vulnerabilities, we are working hard to assess what measures need to be taken to protect all affected systems and roll them out as rapidly as possible.

What Memset Is Doing

Fixing these vulnerabilities requires applying security patches to the host OS, the hypervisor and the VPS. At the time of writing, patches are not available for all three of these components, so we are closely watching update channels for information and patches.

When these patches become available, and we have tested them, we will create a timetable for applying them.

This work will require a reboot which will be performed out-of-hours. We will notify all affected clients as soon as we have a time and date for the work.

IAAS / OpenStack Instances

Cloud IaaS hypervisors have been patched against L1TF/Foreshadow.

Update: 07/11/18

We have been working hard to test the L1TF patches as they have become available over the last few weeks. We have performed an internal rollout of these patches to all of our non-customer infrastructure in order to thoroughly test our implementation procedure. We are now confident that we can begin patching customer-facing infrastructure. Most notably, we will begin applying the L1TF patches to the virtual machine host servers.

This work will start during the week beginning Monday 12th November and carry on through the following weeks.

If you have a Memset Miniserver or a Cloud VPS you will have received a maintenance email letting you know when your server will get taken offline. We do not anticipate that your server will be offline for longer than 15 minutes.

All maintenance will be carried out after 10 pm.

What You Need To Do

Unfortunately, as no OS patches have been made available we do not have any specific instructions yet. We will update our documentation when these become available.

However, the following general advice should be followed for OS versions that are still maintained. End-of-life OSes will not receive patches from their vendors. Please see here for a list of maintained and EOL operating systems.

Update: 07/11/18

If you have any Memset virtual machine, either a Miniserver or a Cloud VPS running Windows or Linux, we strongly recommend that you reboot the server a day or two before the maintenance window at a time that is convenient for you.

This will ensure that your server is able to reboot without any problems, which in turn means that your server will be offline for the shortest possible interval during the maintenance work.

Classic Miniservers - Linux

You do not need to do anything apart from reboot your server. This is because classic Miniservers use a Linux kernel that is created and supplied by Memset. The new kernel will be applied during the maintenance work.

Classic Miniserver - Windows

The Windows kernel is supplied by Microsoft so you will need to ensure that the latest security updates are applied and the server rebooted before the maintenance work.

Cloud VPSs - Windows and Linux

These virtual machines run the kernel supplied by the Linux distribution. They should be upgraded via the local package manager with a regular system update followed by a reboot before the maintenance work.

Dedicated Servers - Windows and Linux

Dedicated servers will not be rebooted during the maintenance window. However, you should always ensure that your server is updating regularly with the latest security patches.

IAAS / OpenStack Instances

Memset will not be rebooting any IAAS/OpenStack infrastructure during this maintenance period, as the patches have already been applied. However, just as with full and Cloud VPS servers, you should maintain a regular security update schedule in order to keep your servers secure.

 

All affected servers must have the Spectre / Meltdown mitigations applied if you have not yet done so. Instructions can be found here.
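After the system update and reboot on a Linux guest, the running kernel's own view of the L1TF, Meltdown and Spectre mitigations can be checked as follows. This is an added example, not Memset's tooling; the function names are hypothetical, and it assumes the kernel exposes the standard `/sys/devices/system/cpu/vulnerabilities` interface.

```shell
#!/bin/sh
# Added example: report what the running Linux kernel says about L1TF,
# Meltdown and Spectre. Usage: source this file, then run: check_mitigations
# Assumption: status is read from the kernel's sysfs vulnerabilities directory.

VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# classify_status "<status line>" -> prints OK, PARTIAL or VULNERABLE
classify_status() {
    case "$1" in
        "Not affected"*)            echo OK ;;
        Mitigation:*[Vv]ulnerable*) echo PARTIAL ;;    # e.g. "...; SMT vulnerable"
        Mitigation:*)               echo OK ;;
        *)                          echo VULNERABLE ;; # "Vulnerable" or unrecognised text
    esac
}

# check_mitigations [dir] -> one line per issue; returns 1 if any is not OK
check_mitigations() {
    dir=${1:-$VULN_DIR_DEFAULT}
    rc=0
    for issue in l1tf meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$issue" ]; then
            text=$(cat "$dir/$issue")
            verdict=$(classify_status "$text")
        else
            # No entry: this kernel does not report on the issue, which
            # usually means the update has not been installed or booted.
            text="no sysfs entry (kernel does not report this issue)"
            verdict=UNKNOWN
        fi
        [ "$verdict" = OK ] || rc=1
        printf '%-10s %-10s %s\n' "$issue" "$verdict" "$text"
    done
    return $rc
}
```

An `UNKNOWN` or `VULNERABLE` line after updating usually means the server is still running the old kernel and needs the reboot described above.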