OVH - Spectre Variant 4 and 3a disclosure
Along with the rest of the IT industry, OVH was made aware of some specific security vulnerabilities ("Spectre variant 4" and "Spectre Variant 3a") concerning certain processor architectures, affecting Intel products but maybe other CPU vendors. Two of these vulnerabilities make it possible to carry out side-channel attacks, based on the same kind of mechanism as a previous vulnerability disclosed in January 2018 named “Spectre” (CVE-2017-5753 and CVE-2017-5715).
Stemming from Spectre
OVH closely monitor the situation
Once made aware of these vulnerabilities, OVH immediately mobilized its teams to clearly understand the implication of these flaws, evaluate risks, and develop an action plan to secure its infrastructures as well as determine the best course of action for its customers. We will communicate in the coming hours a list of all concerned OVH product and services with the relative actions launched and planned by OVH, and actions needed on customers side to protect their infrastructures. Mitigation of these flaws will need an addition of CPU microcode and software/operating system updates. As usual, we will continue to test every microcode or sensible update internally before deploying anything live, to ensure the security and the stability of our customers infrastructure. From a SysAdmin point of view, we also strongly suggest to monitor operating system and hypervisor updates and keep theses systems up-to-date. For individual customers, we put as a reminder that since January 2018, all major web browsers have been patched to mitigate Spectre Variant 1 in their managed runtimes. These patches make it more difficult to exploit side channel attacks via a web browser and we can assume that these patches, to some degree, could be applicable to Variant 4. With the current level of information available, OVH strongly urges its individual customers and public to verify and keep their web browser(s) up-to-date. In a more global manner, we are actively and closely working with Intel, our partners and manufacturers on this topic and we are currently investigating potential risks represented by these flaws. We will keep you informed in real time of any information that we receive and will apply any potential security measures on the services concerned. As always, we will also keep our customers and public informed about any corrective actions required on their side to reduce their machines and/or infrastructures exposure.