January 6, 2018
Meltdown and Spectre Intel Vulnerabilities

Along with the rest of the IT industry, Intel has made OVH aware of some specific vulnerabilities concerning certain processor architectures. Two of these vulnerabilities make it possible to carry out side-channel attacks based on the same kind of mechanism as the vulnerability named ‘Spectre’, previously disclosed in January 2018.

These new vulnerabilities are variants of ‘Spectre’ and are called ‘Spectre Variant 3a’ (CVE-2018-3640) and ‘Spectre Variant 4’ (CVE-2018-3639), also known as ‘SpectreNG’ or ‘Spectre New Generation’. Though they are closely related to ‘Spectre’, they differ enough to be considered specific flaws and will require additional action(s) for certain CPU architectures.

We know that ‘Spectre Variant 4’ may be carried out in a language-based runtime environment. The most common such runtime is JavaScript, which is used in web browsers. However, we are not aware of any successful web browser exploitation at this time. We recommend that customers and the public verify and keep their browser(s) up to date.

Once made aware of these vulnerabilities, OVH immediately mobilized its team to understand the implications, evaluate risks and develop an action plan to secure its infrastructures. We will continue to work with Intel, our partners, and manufacturers to mitigate any risks to our customers.