Rackspace Response to Meltdown and Spectre¶
On 3 January 2018, Rackspace was made aware of a vulnerability affecting certain processors by Intel, AMD and ARM. Multiple vendors have subsequently released statements regarding the vulnerability and its impact on their respective environments.
These issues were originally uncovered by Google's Project Zero. Their research findings show that an unauthorized party may read sensitive information in the system's memory such as passwords, encryption keys, or sensitive information open in applications.
The remainder of this update is addressed to our Fanatical Support for AWS customers specifically. For updates about our other Rackspace supported hosting environments, please refer to the Rackspace blog.
Details about the security vulnerabilities can be found in CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754. Amazon's security bulletin regarding these vulnerabilities can be found here. The website spectreattack.com provides a good overview of these vulnerabilities.
There is not a single fix¶
There is no single fix for all three security vulnerabilities. Many vendors have patches available for one or more of these attacks.
Amazon Web Services (AWS) Response¶
These vulnerabilities affect many CPUs, including those used by Amazon EC2. As of 2018/01/04 15:30 PST, Amazon reports that "all instances across the Amazon EC2 fleet are protected...against these threats from other instances."
This is an important first step in mitigating the security risk that these vulnerabilities represent for your environments. As a result of this fix to the EC2 infrastructure, attackers will no longer be able to exploit EC2 infrastructure to view the contents of memory allocated to a different virtual machine running on the same hypervisor as their attacking software.
Actions that customers are responsible for taking¶
Despite the actions taken by Amazon to patch EC2 infrastructure, a risk remains that malicious software running within your guest operating system may be able to exploit these security vulnerabilities to gain access to private data stored in memory on your EC2 instances. To protect against this risk, Rackspace will be communicating with you over the next several days with guidance and options for patching your EC2 instances.
Watch this page for updates¶
Please check back at this web page for updates on this security issue. Rackspace will post updates as additional details become available from affected vendors, and we will add additional guidance to this page over the next several days.
|2018/01/04 18:03 CST||Initial revision of this security update|
|2018/01/05 08:02 CST||Update title; Update status to reflect that Amazon have completed EC2 infrastructure patching|
|2018/01/04 14:57 CST||Minor update to wording to better align to Amazon's security bulletin|