digitalocean.com latest update “An Update on Recent Industry Security Findings”

On Tuesday, March 10, 2020, 08:26:35 PM EDT, Team DigitalOcean <[email protected]> wrote:
Hi there,

We wanted to provide some detail around three new security vulnerabilities and how they could impact your Droplets. These include the Load Value Injection vulnerability, also referred to as LVI; TRRespass, a Rowhammer-type vulnerability; and Snoop-assisted L1 Data Sampling, an L1TF-type vulnerability.

Load Value Injection. This vulnerability could allow data stored in an Intel SGX enclave to be leaked. Fortunately, DigitalOcean does not use SGX in our production environment. Our infrastructure is not affected, and there is no action required to protect your Droplets.

TRRespass. This vulnerability could potentially allow attackers to gain privileged access to certain systems using DDR4 memory, though targeting a specific system is very difficult in cloud environments. We are currently working with our hardware manufacturers to evaluate the scope of this vulnerability in our infrastructure and will provide updates if any action is required on your end.

Snoop-assisted L1 Data Sampling. This is similar to other L1TF vulnerabilities we’ve seen previously. The mitigations we already have in place sufficiently address this vulnerability, and no further action is required to protect your Droplets.

Additionally, we’re excited to share that we have finished deploying the mitigations across our fleet for the two Processors Data Leakage security vulnerabilities recently disclosed by Intel. As a reminder, there is no action required from users to protect their Droplets from these two vulnerabilities.

The security of our platform and your data is our highest priority. Thank you for being a DigitalOcean customer and if you have any questions please open a ticket with our Support Team.

Thanks,
Team DigitalOcean

Copyright © 2020 DigitalOcean
Floor 10, 101 Avenue of the Americas, New York, NY, 10013
All rights reserved.