Scheduled Maintenance for CPU Vulnerabilities

To complete our mitigations against the recent MDS (ZombieLoad) CPU vulnerability, we will be performing maintenance on a subset of our host machines. This maintenance will update the underlying infrastructure that our servers reside on and will not affect the data stored within them.

If you are on an affected host, your maintenance window will be communicated to you via a Support ticket within the next few days. You don’t need to do anything to your websites for this maintenance.

During the actual maintenance window, the server will be cleanly shut down and will be unavailable while we perform the updates. A pair of private IPs will be assigned automatically, and there is no need to do anything on your side. After the maintenance has concluded, each server (shared or dedicated) will be returned to its last state (running or powered off). Customers on our Google Cloud Platform and AWS are not affected.

To fully mitigate the MDS vulnerability, we are setting our Configuration Profile to utilize our latest kernel. Servers that use our latest kernel will automatically update upon reboot.

For more information on this vulnerability and how you can protect your Linode, please continue reading.

Our status page will be updated once maintenance is complete.

On May 14, 2019, Intel and other industry partners shared details and information about a new group of vulnerabilities collectively called Microarchitectural Data Sampling (MDS).

First identified by Intel’s internal researchers and partners, and independently reported to Intel by external researchers, MDS is a sub-class of previously disclosed speculative execution side channel vulnerabilities and is comprised of four related techniques. Under certain conditions, MDS provides a program the potential means to read data that program otherwise would not be able to see. MDS techniques are based on a sampling of data leaked from small structures within the CPU using a locally executed speculative execution side channel. Practical exploitation of MDS is a very complex undertaking. MDS does not, by itself, provide an attacker with a way to choose the data that is leaked.

MDS is addressed in hardware starting with select 8th and 9th Generation Intel® Core™ processors, as well as the 2nd Generation Intel® Xeon® processor Scalable family. More details can be found here. We expect all future Intel® processors will include hardware mitigations addressing these vulnerabilities.

Mitigation

For products where MDS is not addressed in hardware, Intel is releasing processor microcode updates (MCU) as part of our regular update process with OEMs. These are coupled with corresponding updates to operating system and hypervisor software.

When these mitigations are enabled, minimal performance impacts are expected for the majority of PC client application based benchmarks. Performance or resource utilization on some data center workloads may be affected and may vary accordingly.

Once these updates are applied, it may be appropriate for some customers to consider additional steps. This includes customers who cannot guarantee that trusted software is running on their system(s) and are using Simultaneous Multi-Threading (SMT). In these cases, customers should consider how they utilize SMT for their particular workload(s), guidance from their OS and VMM software providers, and the security threat model for their particular environment. Because these factors will vary considerably by customer, Intel is not recommending that Intel® HT be disabled, and it’s important to understand that doing so does not alone provide protection against MDS.

More detailed information on mitigations affecting MDS vulnerabilities can be found here.
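
After the reboot into the updated kernel, a Linux guest can confirm what the kernel reports for MDS, including the SMT caveat described above. The script below is an added example, not part of the original notice; it assumes a Linux kernel that exposes the sysfs vulnerability report, and the verdict labels are names chosen here for illustration.

```shell
#!/bin/sh
# Added example: interpret the Linux kernel's MDS status line.
# Assumption: the kernel exposes its report at the sysfs path below
# (kernels that predate the MDS patches do not have this file).
MDS_SYSFS="${MDS_SYSFS:-/sys/devices/system/cpu/vulnerabilities/mds}"

# mds_classify STATUS -> prints one verdict label (labels are illustrative)
mds_classify() {
    case "$1" in
        "Not affected"*)
            verdict="not-affected" ;;
        "Mitigation: Clear CPU buffers"*)
            verdict="mitigated" ;;
        "Vulnerable: Clear CPU buffers attempted, no microcode"*)
            # Kernel is patched but the CPU lacks the microcode update (MCU).
            verdict="needs-microcode" ;;
        "Vulnerable"*)
            verdict="vulnerable" ;;
        *)
            echo "unknown"; return 0 ;;
    esac
    # Buffer clearing alone does not cover sibling hyperthreads. Flag the
    # cases where SMT is on, or where a guest cannot see the host's SMT state.
    if [ "$verdict" = "mitigated" ]; then
        case "$1" in
            *"SMT vulnerable"*|*"SMT Host state unknown"*)
                verdict="mitigated-review-smt" ;;
        esac
    fi
    echo "$verdict"
}

# mds_report: read the live status (if present) and print it with its verdict
mds_report() {
    if [ -r "$MDS_SYSFS" ]; then
        status=$(cat "$MDS_SYSFS")
        printf '%s -> %s\n' "$status" "$(mds_classify "$status")"
    else
        printf 'no MDS report at %s (kernel may predate the MDS patches)\n' "$MDS_SYSFS"
    fi
}

mds_report
```

A result of `needs-microcode` means the operating system update is in place but the processor microcode is not, which on a virtual server is resolved on the host rather than inside the guest.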

Assessing Risk

Exploiting the MDS vulnerabilities outside the controlled conditions of a research environment is a complex undertaking. MDS vulnerabilities have been classified as low to medium severity per the industry standard CVSS, and it’s important to note that there are no reports of any real world exploits of these vulnerabilities.

As technologies become more and more complex, we believe it takes the ecosystem working together to keep products and data more secure. We appreciate the research community and our industry partners for their contributions and coordinated disclosure of these issues.

Resources

System manufacturers, operating system vendors, and others not listed here may have published information regarding this situation. You should check for updates or advisories from your system manufacturer or operating system vendor. This list is not comprehensive.
