Widespread CPU Security Flaw Just Announced and the Measures We Took
Update from 11.01.2018:
Tests of the OS kernel's new versions have been successful! We updated part of our ALL SSD cluster hypervisors to measure a possible slowdown in the performance speed. At this stage, no performance changes have been noticed. Part of the shared hosting and Managed VPS services have also been updated. They do not demonstrate audible slowdown in the performance either.
Part of the services (hypervisors running Xen and Cent OS 6) we use for some of our unmanaged services (VPS), are still facing an issue with the current versions of the Linux kernel which can fix Spectre and Meltdown. We are waiting a kernel update for them.
By Sunday we plan to finish updating all shared hosting and Managed VPS servers of our ALL SSD platform as well as the bigger part of the shared hosting servers working on bare metal.
We apologize for the slight delay in our initial schedule, but there are factors beyond our control. By the end of the next week we are expected to finish updating all our services.
We will keep updating this article upon new information.
An alert for massive security flaws in Intel, AMD and ARM processors that have been manufactured during the last 10 years was disclosed on January 3, 2018. This lead to describing two critical vulnerabilities - Spectre and Meltdown. In short: these vulnerabilities disclose the OS core's RAM and other processes to malicious programs that can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. All modern computers, servers, smartphones and tablets are affected.
On January 3, 2018 patches for Linux's core were also released. Linux is the OS we use in all our services. The patches restrict to a considerable extend the possible malicious activities performed via Spectre and Meltdown. Using them, however, might lead to slowing down server operation in some cases.
Microsoft has also announced that they will release updates to neutralize the Spectre and Meltdown vulnerabilities.
As a responsible company for which our customers’ security is a top priority, we immediately started analyzing how the detected flaws will affect our services. We are already testing the available patches as for now the results are positive and we do not expect considerable negative impact and slowing down our infrastructure.
The steps we are going to take:
- For the hosting and Managed VPS services we are currently rolling out the available patches and if all tests are satisfactory we will apply all existing types of protection by the end of the next week (January 14). We need to take immediate measures and it is possible for some of our customers to experience short technical interruptions (for up to 20 minutes after midnight) for which we might not be able to notify all customers in advance.
- For the virtual servers we will do our best to update the hypervisors, but customers will need to update their OS and the respective virtual servers.
- For the dedicated servers our customers will need to update their OS by themselves.
- Due to the emergency situation we are doing our best for the technical interruptions to be up to 20 minutes after midnight so that they do not affect the websites' user experience.
Unfortunately, we still do not know how Spectre and Meltdown are exploited, neither all the negative sides of the available methods for protection. We are monitoring the situation and will update you on any upcoming news.