Document History

2019-05-15 Created

Summary

Intel has published security advisory INTEL-SA-00233 with details on newly discovered CPU vulnerabilities, named MDSUM, MFBDS, MLPDS and MSBDS by Intel, that affect workloads running on common Intel processors.

These vulnerabilities are tracked as CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, and CVE-2019-11091.

While we consider the vulnerabilities severe, based on the difficulty and practicality of the attacks, we believe the risk to Aiven services to be low.

Following security best practices, however, we will perform the necessary actions and security updates to protect your data and services from these vulnerabilities. These actions are implemented as automatic or scheduled maintenance tasks, require no user intervention, and have no impact on the availability of the services.

CVE Status per Cloud Provider

Given that Aiven services are implemented on virtualized resources on the selected cloud providers, the vulnerabilities may theoretically allow for unauthorized access to data stored in Aiven services from a co-located virtual machine running on a CPU shared with the Aiven virtual machine. In practice, however, an attacker cannot target a specific virtual machine and thus a specific Aiven service.

The vulnerability can only be addressed on the infrastructure level, and we're closely following the status summaries from our cloud providers.

Here's the current status per provider:

Amazon Web Services

Not vulnerable

"AWS has designed and implemented its infrastructure with protections against these types of bugs, and has also deployed additional protections for MDS. All EC2 host infrastructure has been updated with these new protections, and no customer action is required at the infrastructure level."

https://aws.amazon.com/security/security-bulletins/AWS-2019-004/

Google Cloud Platform

Not vulnerable

"The host infrastructure that runs Compute Engine isolates customer workloads from each other. Unless you are running untrusted code inside your VMs, no further action is required."

https://cloud.google.com/compute/docs/security-bulletins#20190514

Microsoft Azure

Not vulnerable

"Microsoft Azure has released operating system updates and is deploying new microcode, as it is made available by Intel, throughout our fleet to protect our customers against these new vulnerabilities."

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190013

DigitalOcean

"We have received updated microcode from Intel and developed a set of kernel updates to mitigate the vulnerability, and we are rapidly rolling out these mitigations with no downtime to our users."

https://blog.digitalocean.com/may-2019-intel-vulnerability/

UpCloud

No public announcement yet.

Packet

Not vulnerable

"Rather than virtualized resources, Packet provides fully isolated dedicated servers."

Updates and Contact Information

The latest updates will be added to this help article at:

https://help.aiven.io/incident-reports/aiven-statement-on-intel-ridl-fallout-and-mds-vulnerabilities

For any further questions, please contact Aiven support.
