Trust & Security

DigitalOcean mitigated the AMD vulnerability CVE-2021-26339

Posted: May 10, 2022 (2 min read)

Today, AMD publicly disclosed a vulnerability that affected DigitalOcean’s Premium AMD Droplets.

What happened

The vulnerability resulted from a bug in the core logic of AMD CPUs that could allow a malicious user to cause a CPU core to hang by executing specific code from an unprivileged VM. For DigitalOcean customers specifically, this meant that, on the hypervisors that host Premium AMD Droplets, a malicious actor could have impacted the performance or availability of their own Droplets as well as other Droplets on the same hypervisor.

The AMD vulnerability was successfully patched and there were no products or customer data affected. Currently, the risks have been mitigated and no action is required by customers.

How we responded

When AMD first notified DigitalOcean about the potential vulnerability a few weeks ago, our security, engineering, and operations teams developed a plan to 1) rapidly mitigate the risk, and 2) minimize interruption to our services and customers. AMD sent our infrastructure team patched microcode that required a hypervisor restart. So we “live migrated” Droplets, meaning we shifted them in real time from a vulnerable hypervisor to patched ones, and then patched the now-empty vulnerable hypervisor. We repeated this process until we had fixed all the vulnerable hypervisors. Throughout this process, customers did not experience any issues and the availability of our services wasn’t impacted.

Again, the AMD vulnerability was successfully patched and there were no products or customer data affected. As a result, risks have been mitigated and no action is required by customers.

DigitalOcean will continue to proactively detect, protect, and respond to such issues so that you can focus on your applications while we focus on platform security. We’re dedicated to being your trusted partner in your journey to build and successfully grow your business worry-free.

Tyler Healy

VP, Security
