Meltdown and Spectre
At the beginning of 2018, two classes of attacks on computer processors (CPUs) were announced: Meltdown and Spectre. Both will require updates to be applied to desktop and server systems alike. These vulnerabilities affect almost all computers worldwide.
dxw would like to reassure all our clients and the organisations that we work with that we are aware of these attacks and are taking appropriate action. We thought it was worthwhile sharing some more information with you about what we’re doing and how we will continue to ensure that mitigations have been applied to your services.
There is lots of ongoing mitigation work happening at dxw; however, we will focus this post on what we are doing about patching servers.
Most of our infrastructure is provided by Amazon Web Services, who have announced they have patched all EC2 instances (cloud servers). This should mitigate attacks where a process running on one EC2 instance could read the memory of another EC2 instance hosted on the same physical hardware, reducing the risk of this happening.
dxw deploy Ubuntu Long-term Support on EC2 instances (currently 16.04), and updates for Ubuntu were made available on the 10th of January. There were some early reports of problems with these updates, so we initially paused our update process, but we haven’t experienced any problems with later versions of these updates. These updates address a potential escalation issue if an attacker’s code is somehow able to be executed. Updates are being applied in a way that minimises disruption to service. In most cases, there will be zero disruption.
These updates do not necessarily address all variants of the attacks, so we expect new updates addressing this issue over the coming months. But to be clear, these are not open and remotely exploitable vulnerabilities; they are mechanisms by which already successful attacks can increase their capabilities. They need to be addressed, but this is not as urgent as some previous security issues.
We anticipated some processor performance issues as a result of these updates. From what we have observed, negative effects have been minimal, but we continue to monitor for any signs that this is changing.
If you have any questions about this process and how it might affect the services we provide to you, or about security in general, please get in touch, and we’ll be happy to help.