This is mind blowing. We can't update kernels on our own? A patched kernel should be deployed within hours of a vulnerability - not weeks or months.
This is possibly the largest oversight of any vendor I've ever seen. Even no-name web hosts have this capability. Good luck when millions of droplets fall victim to a kernel exploit only to find out DigitalOcean isn't concerned about patching kernels.
Bad news for your lawyers, too. You've documented that you know about this issue and you're not prioritizing it. It's been two years since this has been made public but still no movement.
My business is adding several servers a month - they will no longer be at DigitalOcean. Anyone at least slightly concerned with security should be removing their DigitalOcean servers immediately. With two CentOS kernel exploits just in the past two weeks, it's completely unacceptable to rely on your platform to patch it when there are several already working alternatives provided by CentOS itself.
Again - my mind is blown....
I too tried to follow the procedure at https://www.digitalocean.com/community/tutorials/how-to-update-a-digitalocean-server-s-kernel-using-the-control-panel but was unable to upgrade the kernel after going from Debian wheezy to jessie. I don't know if it's something I'm doing wrong, or if it's simply not supported.
I'd like to add my voice to the chorus of disappointment here. I'm concerned, even more generally, at DO's bootloading procedure. And since they have disabled access to iPXE (during the power up) -- which was working about a year ago -- DO users are further hobbled, not helped.
BTW, the disabling of iPXE for PXE boots happened within 3 days of a video hitting YouTube which described how to PXE boot a droplet (Shane Spencer, "Digital Ocean: Droplet iPXE install of Debian Linux 7.0 Minimal", https://www.youtube.com/watch?v=hd0Ln2jL8Lo).
I'm also disappointed at the way DO handles informing users of what is going on related to something they ask about on community or (formerly?) uservoice. It usually goes like this. Someone, like Moisey, will say on a discussion group that they plan to roll out an enhancement/fix for X in N months; N months go by, then someone (or more people) ask what is the status of the enhancement/fix; there is no response from DO; you go out and ask about it on, say, Twitter; no response or an evasive response. It gets tiring.