An Update about Intel’s Recent CVE Announcement

Posted 2020-01-27 in Trust & Security
Tyler Healy

UPDATE (3/10/2020):

We’re excited to share that we have finished deploying the mitigations across our fleet for the two Processors Data Leakage security vulnerabilities.

As a reminder, there is no action required from users to protect their Droplets from these two issues.

We appreciate your patience and understanding throughout this process.

UPDATE (2/28/2020):

Today, we’re happy to share that we have started deploying the final mitigations across our fleet for the two Processors Data Leakage security vulnerabilities recently disclosed by Intel.

Over the past several weeks, we were awaiting a reliable production microcode while actively testing and validating the beta microcode. Now that production microcode is in hand, we expect to complete the entire mitigation process within the next few weeks.

There is no action required from users to protect their Droplets from these two Processors Data Leakage security vulnerabilities.

We will continue to share updates here.

ORIGINAL POST:

Hi there,

Today, Intel released a statement regarding two Processors Data Leakage security vulnerabilities (Vector Register Sampling and L1D Eviction Sampling) that may allow unintended information disclosure for users of multi-tenant cloud environments. On DigitalOcean’s platform, this means a malicious actor could theoretically use a Droplet to infer partial data used by another Droplet on the same physical host.

These vulnerabilities are similar to L1 Terminal Fault (L1TF) as well as the Microarchitectural Data Sampling (MDS) and Transactional Asynchronous Abort (TAA) processor-level issues we’ve mitigated previously. Vector Register Sampling (CVE-2020-0548) relates closely to MDS vulnerabilities, but has a smaller scope and risk. For L1D Eviction Sampling (CVE-2020-0549), the L1TF mitigations already in place on DigitalOcean partially mitigate the vulnerability.

To further mitigate the impact of these vulnerabilities, we are working with Intel to obtain updated microcode. Once we receive it, our engineering team will test it rapidly and thoroughly, and then roll it out across our fleet.

These details will be shared in an email to all active customers, and we will send another email once our mitigation efforts are complete. In the meantime, any information and updates from Intel – as well as our progress rolling the microcode out – will be shared here.

The security of our platform and protection of our users’ data is our highest priority. We’re working diligently to ensure this issue is resolved as soon as possible.