On April 7 at 4:35 pm UTC, Scaleway encountered a major incident in the fr-par-1 Availability Zone that impacted our Load Balancer product. Post Mortem on the incident.
On 24 July 2023 at 14:28 UTC, a vulnerability known as Zenbleed was made public on the Openwall security mailing list. This vulnerability affects a number of AMD processors present in some—but not all—of our DEV1, GP1, and VC Instance offers. If exploited, the vulnerability could allow data to leak between instances, potentially exposing sensitive data if timed correctly.
Scaleway engaged our incident response process and by 17:20 UTC all affected machines were patched in order to mitigate the vulnerability.
You can check to see if your instance was patched by verifying the output of lscpu from the command line. If the model name is either of “AMD EPYC 7282" or "AMD EPYC 7402P”, you can expect a slight performance impact as a result of the mitigation. Furthermore, AMD have released an official microcode update for the affected processors and we will be applying that update over the course of the day (25 July 2023).
⚠️ Note that it is not possible to know whether the vulnerability was exploited on a given instance. If your instance was patched, we advise you to engage your incident response process—at a minimum, rotate your secrets and keep an eye on your logs and other observability tooling.
Security is and will always be a two-way street: it requires effort from both the user and the platform. Learn best practices to secure your account.