Published on May 21, 2018
Along with the rest of the IT industry, Intel has made OVH aware of some specific vulnerabilities concerning certain processor architectures. Two of these vulnerabilities make it possible to carry out side-channel attacks, based on the same kind of mechanism as the vulnerability disclosed in January 2018 and named ‘Spectre’.
These new vulnerabilities are variants of ‘Spectre’ and are called ‘Spectre Variant 3a’ (CVE-2018-3640) and ‘Spectre Variant 4’ (CVE-2018-3639), also known as ‘SpectreNG’ or ‘Spectre New Generation’. Though they are closely related to ‘Spectre’, they differ enough to be considered specific flaws and will require additional action(s) for certain CPU architectures.
Once made aware of these vulnerabilities, OVH immediately mobilized its team to understand the implications, evaluate risks and develop an action plan to secure its infrastructures. We will continue to work with Intel, our partners, and manufacturers to mitigate any risks to our customers.
Published on March 12, 2018
Vulnerabilities patching status update
Our global technology teams continue to manage deployments of the Spectre and Meltdown vulnerability patches. Access the complete automation, test, schedule and validation list for patches here.
- All lab testing and performance validation have been completed successfully. No major performance degradation was found with the current set of patches during ESXi and OS level testing.
- We have begun production deployments as of 3/5/2018. Please contact your Customer Service Representative for details and scheduling.
Published on February 21, 2018
ESXi patching status and schedule update
- Complete automation, test, and validation for patches listed here – Original ETA 2/2/2018
- We have completed all deployment automation and testing validation required to support available ESXi patches from VMware. Our test teams are taking extra time to run OS level performance tests to validate if any performance degradation to customers will occur with the patch.
- Testing completion dates are revised to ETA 2/23
- Start customer deployments – Original ETA 2/5/2018
- Deployment start dates are revised to ETA 2/26/2018
Published on February 8, 2018
Vulnerabilities patching status and schedule update
Update for ESXi:
1. Automation, testing, and validation has been delayed from estimated date of 2/2/2018 to allow for release of more effective deployment automation and stability testing.
2. Testing is targeted to start on 2/6/2018 and estimated to complete by 2/9/18.
3. Updated customer deployment ETA revised from 2/5/2018 to 2/12/2018. This is the date OVH can begin supporting ESXi patching for customers. Specific customer dates will be coordinated with customers through change management scheduling and customer communications.
Published on January 31, 2018
Patching recall update and impact to OVH customer patching schedule
vCloud® Air™ powered by OVH services are dependent on patch releases from VMware to properly mitigate recently exposed vulnerabilities relating to Intel®, AMD, and ARM processors.
VMware has pulled down the security patches originally released on 1/9/2018, per guidance from Intel, resulting in a delay to the planned patching schedule communicated to customers on 1/9/2018. We are following revised guidance from VMware and targeting recommended patches which contain fixes for some of the known vulnerabilities. We will target other microcode patches, including BIOS and CPU updates, as they are released by our vendors at a later time.
Targeted patching schedule:
- 2/2/2018: Complete automation, testing, and validation for selected patches
- 2/5/2018: Begin customer deployments
We are committed to our products and the security of our customers.
As always, please feel free to contact the Customer Support Team (CST) or your account manager with questions.
Published on January 9, 2018
About the “Spectre” and “Meltdown” vulnerabilities
What are the vulnerabilities?
The Intel® vulnerabilities were discovered by Google's Project Zero and are known as Meltdown and Spectre and include three distinct attack vectors:
- CVE-2017-5715 (branch target injection - Spectre)
- CVE-2017-5753 (bounds check bypass - Spectre)
- CVE-2017-5754 (rogue data cache load - Meltdown)
These vulnerabilities enable software to abuse CPU data cache timing, which leaks information out of mis-speculated CPU execution and leads, at worst, to arbitrary virtual memory reads across local security boundaries in various contexts. For vCloud® Air™ powered by OVH, this means there is a possibility that one VM could read mis-speculated CPU execution data created by another VM on an ESXi host.
Our teams are also actively following development of any corrective measures that need to be taken to protect against other non-Intel processor vulnerabilities.
vCloud® Air™ powered by OVH customer risk
Customer Management Stack
- Our public facing web components (Customer portal\DR\VCD) are isolated and/or these applications do not natively allow local OS elevation through the app. This makes this exploit a non-risk for customer facing components servicing customer management connectivity. We will apply OS level patches and application patches as they are released following our established service patching guidelines. The priority will be on mitigating the risk in the customer environments, specifically ESXi.
- ESXi Updates: We will be focusing primarily on customer ESXi patching. Additionally, any other security patching that is available at the time of the deployment within the customer environments will be targeted. This could include vCenter\vCloud Director\NSX.
- About the ESXi Patch: We will be leveraging cumulative hot patches from VMware, which were released today, 1/9/2018. The link to these patches can be found here: VMware recommended patches
Impact to customers
- VM uptime and network availability: No customer VM or network downtime is expected for any infrastructure patching. The update for the security concern itself requires an update of ESXi and an ESXi reboot; this is non-impactful to customers and will be deployed in a maintenance window.
- Customer VM management: We may apply other available, applicable security updates for customer management components at the time of this patch. This may require a short window, where management availability will be minimally impacted during maintenance.
- Customer notifications for patching: We will provide advance notice to customers about patching and impacts through existing Change Management Communications. The OVH Customer Support Team is available 24/7 to take any calls and answer any questions you may have.
Frequently Asked Questions
Published January 9, 2018
More information is available on the VMware Knowledge base.
Contact our Customer Service Team 24/7, online or by calling: +1 (844) 325-6233
To date, OVH has not received any information demonstrating that the concerned vulnerabilities have been exploited outside of a research laboratory setting.
Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system. If your computer has a vulnerable processor and runs an unpatched operating system, it is not safe to work with sensitive information without the chance of leaking the information. This applies both to personal computers as well as cloud infrastructure. (Source: https://spectreattack.com)
Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre.
Spectre is harder to exploit than Meltdown, but it is also harder to mitigate. However, it is possible to prevent specific known exploits based on Spectre through software patches. (Source: https://spectreattack.com)
Spectre affects all Intel processors with out-of-order (OOO) execution, starting from 1993, and certain processors by AMD and ARM as well. (Source: https://googleprojectzero.blogspot.fr/2018/01/reading-privileged-memory-with-side.html)
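The CVE list above and these FAQ answers describe the flaws but not how a customer can confirm that a given VM is actually mitigated once the ESXi, microcode and guest kernel updates have landed. The following is an added example, not code from OVH or VMware: it reads the Linux kernel's sysfs vulnerability files from inside a guest and maps each one to the CVEs named on this page. It assumes a Linux guest with a kernel recent enough to expose /sys/devices/system/cpu/vulnerabilities/; the SAMPLE_STATUSES dictionary is constructed for illustration and is used only when that directory is absent.

```python
"""Audit a Linux guest's speculative-execution mitigation status.

Added example (not OVH's or VMware's code): reads the kernel's
/sys/devices/system/cpu/vulnerabilities/* files and maps each one to the
CVEs named in the advisory, flagging anything not reported as mitigated.
"""
from __future__ import annotations

from pathlib import Path
from typing import Dict, List, Tuple

# sysfs file name -> CVE it reports on (CVE text as given in the advisory).
# CVE-2018-3640 (Variant 3a) is addressed by microcode alone and has no
# sysfs entry, so it cannot be audited from inside the guest this way.
SYSFS_TO_CVE: Dict[str, str] = {
    "spectre_v1": "CVE-2017-5753 (bounds check bypass)",
    "spectre_v2": "CVE-2017-5715 (branch target injection)",
    "meltdown": "CVE-2017-5754 (rogue data cache load)",
    "spec_store_bypass": "CVE-2018-3639 (speculative store bypass, Variant 4)",
}

VULN_DIR = Path("/sys/devices/system/cpu/vulnerabilities")


def classify(status: str) -> str:
    """Collapse the kernel's free-form status line into one of four states.

    The kernel prefixes each line with 'Not affected', 'Mitigation:' or
    'Vulnerable'; anything else (empty file, unfamiliar wording) is
    treated as 'unknown' so it is never silently counted as safe.
    """
    s = status.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def read_statuses(vuln_dir: Path = VULN_DIR) -> Dict[str, str]:
    """Read every sysfs file we know about; a missing file yields ''."""
    statuses: Dict[str, str] = {}
    for name in SYSFS_TO_CVE:
        path = vuln_dir / name
        statuses[name] = path.read_text().strip() if path.is_file() else ""
    return statuses


def audit(statuses: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (cve, state, raw status) rows, unresolved entries first."""
    rows = [(SYSFS_TO_CVE.get(n, n), classify(s), s.strip())
            for n, s in statuses.items()]
    order = {"vulnerable": 0, "unknown": 1, "mitigated": 2, "not_affected": 3}
    return sorted(rows, key=lambda r: order[r[1]])


def needs_action(statuses: Dict[str, str]) -> List[str]:
    """CVEs that still need a kernel, microcode or hypervisor update."""
    return [cve for cve, state, _ in audit(statuses)
            if state in ("vulnerable", "unknown")]


# Constructed sample, in the wording the kernel uses, standing in for a
# guest whose kernel has PTI and retpolines but whose hypervisor has not
# yet exposed the Variant 4 (SSBD) microcode capability to it.
SAMPLE_STATUSES: Dict[str, str] = {
    "spectre_v1": "Mitigation: __user pointer sanitization",
    "spectre_v2": "Mitigation: Full generic retpoline, IBPB, IBRS_FW",
    "meltdown": "Mitigation: PTI",
    "spec_store_bypass": "Vulnerable",
}

if __name__ == "__main__":
    live = read_statuses() if VULN_DIR.is_dir() else SAMPLE_STATUSES
    for cve, state, raw in audit(live):
        print(f"{state:13} {cve:55} {raw}")
    pending = needs_action(live)
    print("action needed for:", pending or "nothing")
```

The check is deliberately conservative: an empty or unrecognised status is reported as "unknown" rather than safe, because an older guest kernel simply does not create these files. Note also that for Variant 2 and Variant 4 the guest's report depends on what the hypervisor exposes (a patched ESXi host must pass the new microcode capabilities through to the VM), so a guest kernel that has been patched can still report "Vulnerable" until the host-side update described in this advisory is complete.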
OVH is 100% mobilized on securing your technology stacks and environments against the vulnerabilities relating to Intel® processors. Our dedicated team of security experts is in close contact with our partners, operating system vendors, and hardware manufacturers on mitigation plans. When patching, OVH will focus primarily on customer ESXi patching along with any other security patching that is available within the customer stack based on availability of other patches. This could include VC\NSX\ESXi.
Cumulative vulnerability patches were released by VMware on January 9, 2018. Those patches were later recalled by VMware on January 23, 2018. Read the recall notification from VMware.
VMware is delaying new releases of updates while it works with Intel to resolve patch issues as quickly as possible. We are following revised guidance from VMware, and targeting recommended patches which contain fixes for some of the known vulnerabilities. We will target other microcode patches, including BIOS and CPU updates, as they are released by our vendors at a later time.
We will provide advance notice to customers through existing change management communications and email notification.