The first week of January news started to spread about new CPU vulnerabilities that have been discovered. This affects millions of devices, not only cloud computing platforms such as Google Cloud and AWS, but even your own desktops, laptops, and mobile devices. Security is of the utmost importance to us here at Kinsta, so we want to keep you in the loop regarding how this impacts our service and platform. More details below.
Last June, the Google Project Zero security team discovered vulnerabilities that affect modern day CPUs, including those from AMD, ARM, and Intel. Google had a set date to originally disclose this on January January 9, 2018, but the media essentially started leaking information about this early and so they’ve now gone ahead and released the details in full regarding the security flaws.
Here’s how Google summarizes it:
We have discovered that CPU data cache timing can be abused to efficiently leak information out of mis-speculated execution, leading to (at worst) arbitrary virtual memory read vulnerabilities across local security boundaries in various contexts.”
So far, there are three known variants of the issue, also referred to as Spectre and Meltdown:
- Variant 1: bounds check bypass (CVE-2017-5753)
- Variant 2: branch target injection (CVE-2017-5715)
- Variant 3: rogue data cache load (CVE-2017-5754)
To put in layman’s terms, these are not only security flaws, but they also have an impact on performance. Read more in detail in this article from Project Team Zero. Google has also published a help page explaining which products and services are affected.
How This Impacts Kinsta
Regarding Kinsta there are two different layers which are affected. First, our host machines run on Google Compute Engine and these have already been updated to prevent all known vulnerabilities. Google uses their live VM migration technology to perform the updates with no user impact, no forced maintenance windows, and no required restarts.
The second is that all operating systems running on the virtual machines on top of our host machines need to also be patched. We utilize Ubuntu here at Kinsta and they have announced that they are accelerating their release dates for the fixes. Due to the seriousness of this threat, we are watching for these updates carefully.
and as soon as updates are available we’ll be applying them. All of our virtual machines have been updated and are now Spectre and Meltdown protected.
What You Should Do
In regards to your WordPress sites at Kinsta, there is nothing you need to do. As far as your own devices, here are some things to be aware of:
- If you’re on a PC, Microsoft is pushing out an emergency update for their OS.
- Apple has apparently already protected against Meltdown in macOS High Sierra 10.13.2 (released on December 6), according to developer Alex Ionescu. They also released a supplemental update on January 8 to mitigate the effects of Spectre.
- Linux developers are working to address this in a new kernel update.
- Microsoft has patched Internet Explorer and Edge with KB4056890.
- Mozilla Firefox already includes a fix in their latest version (57).
- Google is pushing out a fix for Chrome in version 64.
If you’re a current Kinsta customer and have any additional questions regarding these recent security flaws, feel free to reach out to our support team or leave us a comment below.