An Update about Intel’s Recent CVE Announcement

Tyler Healy

Posted: January 27, 2020

UPDATE (3/10/2020):

We’re excited to update you that we have finished deploying the mitigations across our fleet for the two Processors Data Leakage security vulnerabilities.

As a reminder, there is no action required from users to protect their Droplets from these two issues.

We appreciate your patience and understanding throughout this process.

UPDATE (2/28/2020):

Today, we’re happy to share that we have started deploying the final mitigations across our fleet for the two Processors Data Leakage security vulnerabilities recently disclosed by Intel.

Over the past several weeks, we were awaiting a reliable production microcode while actively testing and validating the beta microcode. Now that production microcode is in hand, we expect to complete the entire mitigation process within the next few weeks.

There is no action required from users to protect their Droplets from these two Processors Data Leakage security vulnerabilities.

We will continue to share updates here.

ORIGINAL POST:

Hi there,

Today, Intel released a statement regarding two Processors Data Leakage security vulnerabilities (Vector Register Sampling and L1D Eviction Sampling) that may allow unintended information disclosure for users of multi-tenant cloud environments. On DigitalOcean’s platform, this means a malicious actor could theoretically use a Droplet to infer partial data used by another Droplet on the same physical host.

These vulnerabilities are similar to L1 Terminal Fault (L1TF) as well as the Microarchitectural Data Sampling (MDS) and Transactional Asynchronous Abort (TAA) processor-level issues we’ve mitigated previously. Vector Register Sampling (CVE-2020-0548) relates closely to MDS vulnerabilities, but has a smaller scope and risk. For L1D Eviction Sampling (CVE-2020-0549), the L1TF mitigations already in place on DigitalOcean partially mitigate the vulnerability.

To further mitigate the impact of these vulnerabilities, we are working with Intel to obtain updated microcode. Once we receive it, our engineering team will begin to rapidly and thoroughly test the updated microcode, and then roll it out across our fleet.

These details will be shared in an email to all active customers, and we will send another email once our mitigation efforts are complete. In the meantime, any information and updates from Intel – as well as our progress rolling the microcode out – will be shared here.

The security of our platform and protection of our users’ data is our highest priority. We’re working diligently to ensure this issue is resolved as soon as possible.
