An Important Message about Intel’s Recent CVE Announcements and Your DigitalOcean Account

Don’t worry too much about this announcement, are working hard to get it resolve with Intel, however take precaution, always update your data.

On Monday, January 27, 2020, 05:52:38 PM EST, Team DigitalOcean <[email protected]> wrote:
DigitalOcean Logo
Hi there,

Today, Intel released a statement regarding two Processors Data Leakage security vulnerabilities (Vector Register Sampling and L1D Eviction Sampling), that may allow unintended information disclosure for users of multi-tenant cloud environments. On DigitalOcean’s platform, these two vulnerabilities may allow malicious actors to theoretically use a Droplet to infer partial data used by previously run software or by another Droplet on the same physical host.

These vulnerabilities are similar to L1 Terminal Fault (L1TF) as well as the Microarchitectural Data Sampling (MDS) and Transactional Asynchronous Abort (TAA) processor-level issues we’ve mitigated previously. However, the Vector Register Sampling vulnerability has a smaller scope and lower risk than MDS, and the L1TF mitigations DigitalOcean applied previously will help prevent a malicious Droplet from attacking a host with L1D Eviction Sampling.

To further mitigate the impact of these two vulnerabilities, we are working with Intel to obtain updated microcode, which we hope to receive soon. Once received, our engineering team will begin to rapidly and thoroughly test, and then roll out the updated microcode across our fleet.

Updates from Intel and our own mitigation efforts will be ongoing. As new information becomes available, we’ll share updates here. We’ll also follow up with another email message once we’ve finalized mitigations and our platform is protected.

Team DigitalOcean

Copyright © 2020 DigitalOcean
Floor 10, 101 Avenue of the Americas, New York, NY, 10013
All rights reserved.