Cloud infrastructure vendors begin responding to chip kernel vulnerability

Several cloud vendors began responding to the chip kernel vulnerability that has the industry reeling today. Each Infrastructure as a Service vendor clearly has a stake here because each one is selling CPU cycles on their platforms.

TechCrunch sent a request for comment to six major cloud vendors, including AWS, Microsoft, Google, IBM, Rackspace and DigitalOcean. At the time of publication, we had heard directly from three of the companies: Microsoft, Rackspace and DigitalOcean. In the case of Google and AWS, we learned their response indirectly through published blog posts. We have not yet heard from IBM.

AWS

“This is a vulnerability that has existed for more than 20 years in modern processor architectures like Intel, AMD and ARM across servers, desktops and mobile devices. All but a small single-digit percentage of instances across the Amazon EC2 fleet are already protected. The remaining ones will be completed in the next several hours, with associated instance maintenance notifications.

While the updates AWS performs protect underlying infrastructure, in order to be fully protected against these issues, customers must also patch their instance operating systems. Updates for Amazon Linux have been made available, and instructions for updating existing instances are provided further below along with any other AWS-related guidance relevant to this bulletin.”

(See the full blog post for additional details.)

Microsoft

“We’re aware of this industry-wide issue and have been working closely with chip manufacturers to develop and test mitigations to protect our customers. We are in the process of deploying mitigations to cloud services and are releasing security updates today to protect Windows customers against vulnerabilities affecting supported hardware chips from AMD, ARM and Intel. We have not received any information to indicate that these vulnerabilities had been used to attack our customers.”

Google

“As soon as we learned of this new class of attack, our security and product development teams mobilized to defend Google’s systems and our users’ data. We have updated our systems and affected products to protect against this new type of attack. We also collaborated with hardware and software manufacturers across the industry to help protect their users and the broader web. These efforts have included collaborative analysis and the development of novel mitigations.” (See here, here, here and here for additional blog posts from Google outlining their responses.)

DigitalOcean

“DigitalOcean has been actively investigating the Intel chip issue which was disclosed earlier today. We’ve been working to gather as much information as we can to ensure our customers remain protected. Intel unfortunately has not made it easy to get a full picture of the issue due to their information embargo.

At this time we are working under the assumption that this flaw will impact all of our customers and we’re presuming that rebooting Droplets (a DigitalOcean cloud server) will be necessary. We will be providing advanced notification to any and all customers impacted as we learn more.

This is a developing issue and we are unable to forecast timeframes for implementing a fix at this time.”

(See DigitalOcean’s blog post for additional details.)

Rackspace

“On 2 January 2018, Rackspace was made aware of a suspected Intel CPU architecture vulnerability. The full extent and performance impact of this vulnerability and potential remediation are currently unknown as the vulnerability has not yet been publicly disclosed.

Our engineers are engaging with the appropriate vendors and reviewing the Rackspace environment and will take appropriate action. Should actions that would impact customer environments be taken Rackspace will communicate to affected customers.”

Should additional responses become available, we will continue to update this article.