An Update about Intel’s Recent CVE Announcement
Today, Intel released a statement regarding two processor data leakage security vulnerabilities (Vector Register Sampling and L1D Eviction Sampling) that may allow unintended information disclosure for users of multi-tenant cloud environments. On DigitalOcean’s platform, this means a malicious actor could theoretically use a Droplet to infer partial data used by another Droplet on the same physical host.
These vulnerabilities are similar to L1 Terminal Fault (L1TF) as well as the Microarchitectural Data Sampling (MDS) and Transactional Asynchronous Abort (TAA) processor-level issues we’ve mitigated previously. Vector Register Sampling (CVE-2020-0548) relates closely to MDS vulnerabilities, but has a smaller scope and risk. For L1D Eviction Sampling (CVE-2020-0549), the L1TF mitigations already in place on DigitalOcean partially mitigate the vulnerability.
To further mitigate the impact of these vulnerabilities, we are working with Intel to obtain updated microcode. Once received, our engineering team will begin rapidly and thoroughly testing the updated microcode, and then roll it out across our fleet.
These details will be shared in an email to all active customers, and we will send another email once our mitigation efforts are complete. In the meantime, any information and updates from Intel – as well as our progress rolling the microcode out – will be shared here.
The security of our platform and protection of our users’ data is our highest priority. We’re working diligently to ensure this issue is resolved as soon as possible.