Last updated 10 January 2017 16pm UTC


Spectre and Meltdown

Vulnerabilities Status Page

Blog post

Our blog post updated in real time about the situation of Spectre & Meltdown on the Scaleway platform.

Status page

Dedicated status page about the security vulnerability impacting x86 and ARM processors.

Resources

This page centralizes all information and FAQs about Meltdown and Spectre CVEs.


Security Contact

Found a way to exploit Spectre or Meltdown?

We take security reports seriously and sincerely appreciate private, advance notification of issues, made in a responsible manner, before any public disclosure that could put our customers at risk. Use the following link to download the Scaleway Security public key, and report the issue by mail to security at scaleway.com.

To encrypt your communications with Scaleway, or to verify signed messages you receive from Scaleway, you can use the PGP key below.

  • Key id: 4DA50618
  • Key type: RSA
  • Key size: 4096
  • User ID: security@scaleway.com
  • Fingerprint: 9C1F 4DF9 128D 519F 1A0F 110F B98F 60B2 4DA5 0618


Global Status

Operating Systems

| Operating system | CVE-2017-5754 Meltdown | CVE-2017-5753 Spectre 1 | CVE-2017-5715 Spectre 2 | Additional information |
|---|---|---|---|---|
| Archlinux | Mitigated | Pending | Pending | CVE-2017-5754, CVE-2017-5753, CVE-2017-5715 |
| Debian | Mitigated in security repository for Wheezy, Stretch, Sid, Jessie. Pending for Buster | Pending | Pending | CVE-2017-5754, CVE-2017-5753, CVE-2017-5715 |
| Gentoo | Mitigated in 4.14, 4.9, 4.4 (Not stable yet) | Pending | Pending | Meltdown & Spectre |
| Proxmox 5, 4 | Patch available but buggy (Do not use it for now) | Pending | Pending | Meltdown & Spectre linux kernel fixes |
| Redhat 7.3, 7.2, 7, 6.7, 6.6, 6 | Mitigated | Mitigated | Mitigated - microcode update required | CVE-2017-5754, Meltdown, CVE-2017-5753, CVE-2017-5715, Kernel Side-Channel Attacks |
| Redhat 5.9, 5 | Pending | Pending | Pending | CVE-2017-5754, Meltdown, CVE-2017-5753, CVE-2017-5715, Kernel Side-Channel Attacks |
| Redhat MRG 2 | Mitigated | Mitigated | Mitigated - microcode update required | CVE-2017-5754, Meltdown, CVE-2017-5753, CVE-2017-5715, Kernel Side-Channel Attacks |
| Redhat OpenStack 12, 11, 10, 9, 8, 7, 6 | Pending | Pending | Pending | CVE-2017-5754, Meltdown, CVE-2017-5753, CVE-2017-5715, Kernel Side-Channel Attacks |
| Redhat Virtualization 4, 3 ELS, 3 | Mitigated | Mitigated | Mitigated - microcode update required | CVE-2017-5754, Meltdown, CVE-2017-5753, CVE-2017-5715, Kernel Side-Channel Attacks |
| Suse 12 GA LTSS | Pending | Pending | Pending | CVE-2017-5754, CVE-2017-5753, CVE-2017-5715 |
| Suse 11 SP3 LTSS, 11 SP4, 12 SP1 LTSS | Mitigated | Pending | Pending | CVE-2017-5754, CVE-2017-5753, CVE-2017-5715 |
| Suse 12 SP2, 12 SP3 | Mitigated | Mitigated | Mitigated - microcode update required | CVE-2017-5754, CVE-2017-5753, CVE-2017-5715 |
| Ubuntu Zesty, Bionic | Pending | Pending | Pending | ~kernel-ppa/mainline/, ~ubuntu-security/cve/pkg/linux.html |
| Ubuntu Precise, Trusty, Xenial, Artful | Mitigated | Pending | Pending | ~kernel-ppa/mainline/, ~ubuntu-security/cve/pkg/linux.html |
| VMWare ESXi 5.5 | Not impacted | Pending | Mitigated - microcode update required | VMSA-2018-0002 |
| VMWare ESXi 6.0, 6.5 | Not impacted | Mitigated | Mitigated - microcode update required | VMSA-2018-0002 |
| Windows Server 2016, 2012 R2, 2008 R2 | Mitigated | Mitigated | Mitigated - microcode update required | Windows Server guidance to protect against speculative execution side-channel vulnerabilities |
| Windows Server 2012, 2008 | Pending | Pending | Pending | Windows Server guidance to protect against speculative execution side-channel vulnerabilities |
| Xen | Can be mitigated by running guests in HVM or PVH mode | Pending | Pending | XSA-254 |
| FreeBSD | Pending | Pending | Pending | About the Meltdown and Spectre attacks |

Scaleway Platform:

| Offers | CVE-2017-5754 Meltdown | CVE-2017-5753 Spectre 1 | CVE-2017-5715 Spectre 2 |
|---|---|---|---|
| VC1S, VC1M, VC1L | Mitigated. Update to one of the following bootscripts: 4.14.12, 4.9.75 and 4.4.110 | Pending. Need to recompile software and kernel with LFENCE | Pending |
| C2S, C2M, C2L | Mitigated. Update to one of the following bootscripts: 4.14.12, 4.9.75 and 4.4.110 | Pending. Need to recompile software and kernel with LFENCE | Pending |
| X64-15GB, X64-30GB, X64-60GB, X64-120GB | Mitigated. Update to one of the following bootscripts: 4.14.12, 4.9.75 and 4.4.110 | Pending. Need to recompile software and kernel with LFENCE | Pending. Microcode update validated, waiting for Kernel patches |
| ARM64-2GB, ARM64-4GB, ARM64-8GB, ARM64-16GB, ARM64-30GB, ARM64-60GB, ARM64-120GB | Not impacted | Not impacted | Not impacted |
| C1 | Not impacted | Not impacted | Not impacted |

Online Services

| Products | CVE-2017-5754 Meltdown | CVE-2017-5753 Spectre 1 | CVE-2017-5715 Spectre 2 |
|---|---|---|---|
| C14 | Not impacted | Not impacted | Not impacted |
| ODS | Not impacted | Not impacted | Not impacted |
| Web Hosting | Mitigated | Pending. Need to recompile software and kernel with LFENCE | Pending |
| Web Hosting Cloud | Mitigated | Pending. Need to recompile software and kernel with LFENCE | Pending |

Online Dedibox Servers

| Offers | References | CVE-2017-5754 Meltdown | CVE-2017-5753 Spectre 1 | CVE-2017-5715 Spectre 2 |
|---|---|---|---|---|
| XC BlackFriday 2016 XC 2015 XC DEALS 1701.2 BlackFriday 2016 XC DEALS 1701.1 | A1SA2 | Mitigated. Can be mitigated, OS dependent; check the OS table. | Pending. Need to recompile software and kernel with LFENCE | Pending |
| Classic 2016 | X10SDE | Mitigated. Can be mitigated, OS dependent; check the OS table. | Pending. Need to recompile software and kernel with LFENCE | Mitigated. Microcode fix deployed / Check OS table |
| LT 2016 MD 2016 | X11SSE-F | Mitigated. Can be mitigated, OS dependent; check the OS table. | Pending. Need to recompile software and kernel with LFENCE | Mitigated. Microcode fix deployed / Check OS table |
| LT 2017 MD 2017 | X10E-9N | Mitigated. Can be mitigated, OS dependent; check the OS table. | Pending. Need to recompile software and kernel with LFENCE | Mitigated. Microcode fix deployed / Check OS table |
| Classic+ LT 2013 ST-12 MD 2013 PRO HP MD DEALS 1706.2 QC HP LT DEALS 1706.1 LT DEALS 1706.2 ST DEALS 1706.1 DC HP | DL120G7 | Mitigated. Can be mitigated, OS dependent; check the OS table. | Pending. Need to recompile software and kernel with LFENCE | Pending |
| Enterprise HP limited edition 201420 HP | DL160G6 | Mitigated. Can be mitigated, OS dependent; check the OS table. | Pending. Need to recompile software and kernel with LFENCE | Pending |
| PRO 2013 ENT DEALS 1701.3 ENT 2014 ENT DEALS 1701.7 mWOPR DEALS 1701.2 mWOPR DEALS 1701.3 WOPR DEALS 1701.8 WOPR DEALS 1701.2 WOPR DEALS 1701.3 ENT 2013 WOPR BG 2014 MINI WOPR 2014 WOPR 2013 WOPR 2014 Xmas2014 ENT DEALS 1701.5 WOPR BG mWOPR DEALS 1701.1 WOPR DEALS 1701.7 WOPR 2014 ENT DEALS 1701.6 WOPR DEALS 1701.1 ENT DEALS 1701.8 | DL160G6 | Mitigated. Can be mitigated, OS dependent; check the OS table. | Pending. Need to recompile software and kernel with LFENCE | Pending |
| ST12 2014 | DL320eGEN8 | Mitigated. Can be mitigated, OS dependent; check the OS table. | Pending. Need to recompile software and kernel with LFENCE | Pending |
| MD 2014 MD DEALS 1701.1 MD DEALS 1706.3 MD DEALS 1701.2 MD DEALS 1706.1 PRO 2014 | DL320eGEN8v2 | Mitigated. Can be mitigated, OS dependent; check the OS table. | Pending. Need to recompile software and kernel with LFENCE | Pending |
| DOUBLE WOPR 2014 | DL560G8 | Mitigated. Can be mitigated, OS dependent; check the OS table. | Pending. Need to recompile software and kernel with LFENCE | Pending |
| PRO 2016 | DSS1510 | Mitigated. Can be mitigated, OS dependent; check the OS table. | Pending. Need to recompile software and kernel with LFENCE | Mitigated. Microcode fix deployed / Check OS table |
| mWOPR 2016 ST 48 2017 ENT 2016 WOPR 2016 mWOPR DEALS 1706.1 PST 24 2017 PST 30 2017 | DSS2500 | Mitigated. Can be mitigated, OS dependent; check the OS table. | Pending. Need to recompile software and kernel with LFENCE | Mitigated. Microcode fix deployed / Check OS table |
| SC 2016 | DSS51OO | Mitigated. Can be mitigated, OS dependent; check the OS table. | Pending. Need to recompile software and kernel with LFENCE | Pending |
| DC DELL QC DELL Classic+ gen2 LT 2014 Classic+ PRO DELL ST8 2016 LT DEALS 1701.3 limited edition 4814 Classic 2014v2 Classic 2015 | R210 | Mitigated. Can be mitigated, OS dependent; check the OS table. | Pending. Need to recompile software and kernel with LFENCE | Pending |
| LT DEALS 1701.1 LT 2014v2 LT 2015 LT DEALS 1701.2 | R220 | Mitigated. Can be mitigated, OS dependent; check the OS table. | Pending. Need to recompile software and kernel with LFENCE | Pending |
| MD 2014v2 PRO 2014v2 MD 2015 PRO 2015 Gen2 PRO 2015 ST12 2015 MD 2015 Gen2 ST 18 2017 MD 2014v2 | R320 | Mitigated. Can be mitigated, OS dependent; check the OS table. | Pending. Need to recompile software and kernel with LFENCE | Mitigated. Microcode fix deployed / Check OS table |
| Enterprise DELL | R410 | Mitigated. Can be mitigated, OS dependent; check the OS table. | Pending. Need to recompile software and kernel with LFENCE | Pending |
| ST72 | R510 | Mitigated. Can be mitigated, OS dependent; check the OS table. | Pending. Need to recompile software and kernel with LFENCE | Pending |
| ST72 v2 ST488 | R515 | Mitigated. Can be mitigated, OS dependent; check the OS table. | Pending. Need to recompile software and kernel with LFENCE | Pending |
| ENT 2015 ENT 2014v2 mWOPR 2014v2 WOPR 2015 WOPR DEALS 1701.5 WOPR DEALS 1701.6 ENT DEALS 1701.1 mWOPR DEALS 1706.2 mWOPR DEALS 1706.3 WOPR 2014v2 WOPR DEALS 1701.4 ENT DEALS 1701.2 ENT DEALS 1706.2 ENT DEALS 1701.4 | R720 | Mitigated. Can be mitigated, OS dependent; check the OS table. | Pending. Need to recompile software and kernel with LFENCE | Pending |
| ENT 2015 Gen2 WOPR 2015 Gen2 mWOPR 2015 Gen2 ST12 2016 ST24 2016 | R730 | Mitigated. Can be mitigated, OS dependent; check the OS table. | Pending. Need to recompile software and kernel with LFENCE | Mitigated. Microcode fix deployed / Check OS table |

Frequently asked questions

What do I need to know about the two-decade-long Intel bug?

Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.
There are 3 variants and 3 CVEs:

  • Spectre (variant-1) [CVE-2017-5753]: bounds check bypass. It will be fixed by patching the operating system and the applications which execute untrusted code.
  • Spectre (variant-2) [CVE-2017-5715]: branch target injection. It will be fixed by installing and enabling a CPU microcode update from the CPU vendor (e.g., Intel's IBRS microcode), or by applying a software mitigation (e.g., Google's Retpoline) to the hypervisor, operating system kernel, system programs and libraries, and user applications.
  • Meltdown (variant-3) [CVE-2017-5754]: rogue data cache load, where the memory access permission check is performed after the kernel memory read. It will be fixed by patching the operating system. For example, KPTI is the patch for Linux. Other operating systems/providers should implement similar mitigations.
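
To check whether these fixes are active on a Linux server after patching, the kernel's own report can be read from sysfs. The script below is an added example, not Scaleway's tooling: it assumes a kernel that exposes /sys/devices/system/cpu/vulnerabilities/ (a kernel without those files is reported as Unknown), and the function names and the mapping onto this page's status words (Mitigated, Pending, Not impacted) are choices made for the example.

```shell
#!/bin/sh
# Added example: per-CVE mitigation state as reported by the Linux kernel.
# Assumption: the kernel exposes the sysfs directory below; when a file is
# missing (older patched kernels), the state is reported as "Unknown".
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# Map one raw sysfs line to the status words used in this page's tables.
classify_status() {
    case "$1" in
        "Not affected"*) echo "Not impacted" ;;
        "Mitigation:"*)  echo "Mitigated" ;;
        "Vulnerable"*)   echo "Pending" ;;
        *)               echo "Unknown" ;;
    esac
}

# Print one tab-separated line per variant: CVE, name, status, raw kernel text.
# $1 (optional) overrides the sysfs directory, e.g. to test against a fixture.
report_mitigations() {
    dir="${1:-$VULN_DIR_DEFAULT}"
    while read -r cve name file; do
        if [ -r "$dir/$file" ]; then
            raw=$(head -n 1 "$dir/$file")
        else
            raw="(not exposed by this kernel)"
        fi
        printf '%s\t%s\t%s\t%s\n' \
            "$cve" "$name" "$(classify_status "$raw")" "$raw"
    done <<EOF
CVE-2017-5754 Meltdown meltdown
CVE-2017-5753 Spectre-1 spectre_v1
CVE-2017-5715 Spectre-2 spectre_v2
EOF
}

# Succeed only when no variant is Pending or Unknown (usable in monitoring).
all_mitigated() {
    report_mitigations "${1:-}" |
        awk -F '\t' '$3 == "Pending" || $3 == "Unknown" { bad = 1 }
                     END { exit bad + 0 }'
}

# Report the state of the machine the script runs on.
report_mitigations "$@"
```

The raw kernel text in the last column names the mechanism in use, which is what distinguishes, for example, a retpoline build from a microcode-based fix for Spectre 2.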

Where do the names come from?

Spectre: this name is based on the root cause, speculative execution. As it is not easy to fix, it will haunt us for quite some time.
Meltdown: this name was chosen because the vulnerability basically melts the security boundaries which are normally enforced by the hardware.

Who is impacted?

Most probably everyone, including laptops and cell-phones.

Has the bug been exploited?

At the moment, no known attack (exploit) has been reported. But nobody is really able to confirm this, because it's undetectable.

What should I do?

We are handling the hardware part and the OSes and hypervisors on which your servers run; however, 2 actions are required:

  • Stay up to date.
  • You need to patch your managed OSes.

We'll keep you posted regularly with the latest information in our blog.

What is the cloud providers task force?

It is a working group created by Scaleway to find efficient solutions to mitigate the attacks, working with both Intel and the main kernel developers.
Big cloud players have joined the task force. Please refer to the following article for more information.

How is Scaleway handling this situation?

We are putting all our efforts into being as efficient as possible, through the following actions:

  • Our security & SRE teams work hard to track any possible attack
  • Working on different scenarios to minimize the impact on our clients
  • Keeping our customers updated
  • Putting pressure on hardware manufacturers to get regular updates in order to act quickly
  • We created the task force

Besides the global actions, there are 2 main areas:

  • Hardware: We are upgrading our hardware with the latest firmware and microcode to make it as secure as possible and to protect it from the Spectre (variant-2) vulnerability.
  • Software: We are applying the patches needed at the OS level to mitigate the following vulnerabilities: Meltdown (variant-3), Spectre (variant-2) and Spectre (variant-1).

Glossary (terms to know):