Intel announced yesterday that they found three critical vulnerabilities in their processors. These affect both consumer products and server processors. For two of the three vulnerabilities a fix is available; the third, which affects virtual machines, does not have a fix yet. They are working hard to fix these vulnerabilities.
Once again a weak spot in speculative execution
Just like the processor vulnerabilities disclosed earlier this year, known as Spectre and Meltdown, these vulnerabilities are located in an optimization technique named speculative execution.
What happens with Foreshadow/L1TF?
The processor continuously preloads data into cache memory. Researchers have shown that this data can be leaked from the L1 cache, a very fast memory in which data for the processor is preloaded. The patches now available make sure that the L1 cache is emptied first, so that its contents cannot be read by another process. This does not fix the problem for virtual servers.
Virtual servers make use of Hyper-Threading. This technique allows multiple virtual machines (VMs) to use a single core: one physical core is divided into multiple virtual cores. A VM then also has access to the L1 cache of the other virtual cores, which creates a security risk. On the researchers' website you will find information about this research and its results.
What does TransIP do?
We use Intel processors for our systems as well. All measures that could be taken to reduce the impact have already been taken. We are currently investigating all possible measures to fix this issue permanently, and we are trying to keep the impact on our users as small as possible.
We are also in direct contact with our suppliers about kernel, firmware and microcode updates and will roll these out on our platforms as quickly as possible. The official security updates for Linux kernels will be out this week, and we will apply them to our systems immediately.
What can you do now?
The first two vulnerabilities can be fixed with software updates, so make sure the latest security updates are installed on your server. In the article 'How to update my server' you can read how to update your VPS, so that your applications and kernel are up to date.
The last vulnerability, affecting virtual machines, does not have a permanent solution. Developers from around the globe are working extremely hard to fix this problem.
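To confirm after updating that your kernel carries the L1TF fix, Linux reports a status line in /sys/devices/system/cpu/vulnerabilities/l1tf. The script below is an added example, not part of the original article or TransIP's own tooling; the category names it prints and the sample status strings in its comments are constructed for illustration, following the format the Linux kernel documents for this file.

```shell
#!/bin/sh
# Added example: classify the Linux kernel's L1TF status line.
L1TF_FILE=/sys/devices/system/cpu/vulnerabilities/l1tf

# classify_l1tf STATUS
# Prints one category name (names are this example's own, not the kernel's):
#   no-report     status is empty: the kernel does not expose the file,
#                 so it predates the L1TF update
#   not-affected  the CPU is not affected
#   vulnerable    affected and no mitigation active
#   partial       OS-level mitigation active, but the virtual machine case
#                 is still exposed (sibling threads share the L1 cache, or
#                 the hypervisor does not flush it)
#   mitigated     mitigation active, no remaining exposure reported
#   unknown       a line this example does not recognise
classify_l1tf() {
    status=$1
    case "$status" in
        "")               echo no-report ;;
        "Not affected"*)  echo not-affected ;;
        Vulnerable*)      echo vulnerable ;;
        Mitigation:*)
            case "$status" in
                # e.g. "Mitigation: PTE Inversion; VMX: conditional cache
                # flushes, SMT vulnerable" (constructed sample)
                *"SMT vulnerable"*|*"VMX: vulnerable"*) echo partial ;;
                *) echo mitigated ;;
            esac ;;
        *)                echo unknown ;;
    esac
}

# read_l1tf: print the live status line, or nothing if the file is absent.
read_l1tf() {
    if [ -r "$L1TF_FILE" ]; then
        cat "$L1TF_FILE"
    fi
}

# Report for the machine this script runs on.
live_status=$(read_l1tf)
echo "kernel reports: ${live_status:-<no l1tf file>}"
echo "classification: $(classify_l1tf "$live_status")"
```

Run inside a VPS, this reports the state of the guest kernel only; the hypervisor underneath is patched by the hosting provider.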