
A Message about Intel’s L1TF Security Vulnerability

Posted: August 14, 2018

UPDATE (9/17/2018):

Over the past several weeks, we’ve been deploying initial mitigations across our platform. These efforts address key concerns posed by the L1TF vulnerability, and future related issues that may arise. Today, we’re pleased to share that we’ve finished this first phase of mitigations. We are continuing to work with Intel to ensure our customers are protected against L1TF and we are also proceeding with a longer-tail mitigation response aimed at reducing our reliance on hardware to keep both Droplets and data protected.

There is currently no action required from our users to protect their Droplets from the L1TF vulnerability. We will continue to share updates here, and will reach out to you directly if we believe there may be any impact to your account, or should you need to take any action.

Original post:

Today, Intel released a statement regarding L1 Terminal Fault (L1TF), a severe security vulnerability that affects many multi-tenant environments running virtual machines, including DigitalOcean. This vulnerability exposes data to any guest running on the same processor core.

In DigitalOcean’s environment, this means an attacker could theoretically use one Droplet to view another Droplet’s memory. However, they should have no ability to target a specific Droplet or user.

The security implications of this vulnerability are significant and require us to move rapidly to ensure our platform remains protected. In the wake of previous vulnerabilities, Intel has improved their communications flow with us and shared more information sooner, which enabled us to start our mitigation efforts yesterday. However, due to the condensed timeline, unforeseen issues may arise during these efforts. We will continue to work with Intel to enhance their multi-party vulnerability disclosure process so we can improve our agility and efficiency in the future, and better address these types of issues.

Remediation efforts will be completed within a few weeks, and during this time we will take all possible steps to ensure customer Droplets and data remain safe. We do not anticipate any downtime for our users as a result of our mitigation efforts.

We are closely monitoring this situation, and we will update this blog post as more information becomes available. We will notify customers directly should there be any action required of them, or any action taken that may impact their DigitalOcean account.

You can read Intel’s initial statement here.

Josh Feinblum leads security and compliance for DigitalOcean and serves as Chief Security Officer. Prior to DigitalOcean, he was the head of security at Rapid7 and started several security programs across hyper-growth, technology-oriented healthcare companies. He is deeply involved in the security community and has more than 14 years of experience managing security teams, overseeing major clients at large managed service providers, and starting privacy and security related programs across commercial and federal financial service firms.
