This FAQ answers questions that OUTSCALE users may be asking following the announcement of a serious vulnerability in Intel processors.
What is the Downfall vulnerability?
According to the researcher Daniel Moghimi, who discovered the vulnerability:
"This vulnerability, identified as CVE-2022-40982, enables a user to access and steal data from other users who share the same computer. For instance, a malicious app obtained from an app store could use the Downfall attack to steal sensitive information like passwords, encryption keys, and private data such as banking details, personal emails, and messages. Similarly, in cloud computing environments, a malicious customer could exploit the Downfall vulnerability to steal data and credentials from other customers who share the same cloud computer."
Who is concerned by this vulnerability?
All PCs and laptops equipped with Intel Core processors from the 6th generation (Skylake) up to and including the 11th generation (Tiger Lake) are affected by this vulnerability. The corresponding Intel Xeon processors are also affected.
The latest Intel Core 12th and 13th generations are not affected.
As part of OUTSCALE's IaaS service, the servers hosting the VMs of our customers are in principle affected by this vulnerability for the v5 (Skylake) and v6 (Ice Lake) generations: see Instance Types.
However, the vulnerability is already mitigated on part of our infrastructure. This is notably the case for deployments with the "dedicated" option on the VMs.
What is OUTSCALE doing to address this vulnerability?
We are currently integrating a patch and validating the mitigation.
This patch will then be progressively deployed across all of our infrastructure affected by this vulnerability.
What is the impact on the services?
Intel has announced performance losses of up to 50% depending on workloads. However, OUTSCALE observes no degradation in most cases.
We will continue to assess impacts that are representative of our customers' usage. If you believe that your use case may be particularly sensitive, please do not hesitate to contact your technical account manager.
What can customers do?
There is no known mitigation from the "guest" system. However, in the case of nested virtualization, updating the kernel of your operating system can mitigate the risk between your workloads.
If you want to explicitly mitigate the risk concerning this vulnerability, you may deploy critical workloads on dedicated resources: see About Instances > Instance Tenancy and Dedicated Instances.
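To see what a Linux kernel reports after an update, the following added example (not OUTSCALE tooling) reads the kernel's status file for Gather Data Sampling (GDS), the name under which Linux tracks Downfall. The function names and verdict labels are hypothetical; the sysfs path and status prefixes are the Linux kernel's own.

```shell
#!/bin/sh
# Added example: interpret the Linux kernel's report for Gather Data
# Sampling (GDS, the kernel's name for Downfall / CVE-2022-40982).

# Kernel status file; overridable so the logic can be run on sample files.
GDS_SYSFS="${GDS_SYSFS:-/sys/devices/system/cpu/vulnerabilities/gather_data_sampling}"

# Map a kernel status string to one of the hypothetical verdict labels:
# not-affected | mitigated | vulnerable | host-dependent | unrecognized
gds_classify() {
    case "$1" in
        "Not affected"*) echo "not-affected" ;;
        "Mitigation:"*)  echo "mitigated" ;;
        "Vulnerable"*)   echo "vulnerable" ;;
        # A guest kernel cannot see the host's microcode state and reports
        # "Unknown: Dependent on hypervisor status".
        "Unknown:"*)     echo "host-dependent" ;;
        *)               echo "unrecognized" ;;
    esac
}

# Print a verdict for this system.
# Exit status: 0 = not affected or mitigated, 1 = action or host-side
# confirmation needed, 2 = kernel predates GDS reporting (update it).
gds_check() {
    if [ ! -r "$GDS_SYSFS" ]; then
        echo "kernel-too-old"
        return 2
    fi
    IFS= read -r status < "$GDS_SYSFS" || true
    verdict=$(gds_classify "$status")
    echo "$verdict"
    case "$verdict" in
        not-affected|mitigated) return 0 ;;
        *) return 1 ;;
    esac
}
```

Source the file and call gds_check on each virtualization layer you operate. A "host-dependent" verdict inside a VM means the status depends on the hypervisor below it, which matches the absence of a guest-side mitigation described above.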