The L1TF (L1 Terminal Fault) vulnerabilities exploit flaws in how modern Intel processors implement speculative execution. They continue the line of flaws disclosed earlier in 2018 as Spectre and Meltdown. However, despite enormous collaboration across the industry, the mitigations put in place for those earlier attacks are not sufficient on their own to protect against L1TF.
There exist three disclosed L1TF vulnerabilities (CVE-2018-3615 for SGX enclaves, CVE-2018-3620 for operating systems and SMM, and CVE-2018-3646 for virtual machine monitors), the last of which presents a critical risk to virtual machines in multi-tenant environments. These types of virtual environments are now common throughout public and private cloud providers, including Nexcess Cloud. The root cause is that when a load hits a page table entry whose present bit is clear, the processor still speculatively forwards whatever the L1 data cache holds at the physical address encoded in that entry before the fault is delivered, and a guest under hardware-assisted paging controls its own page table entries. In simplest terms, a malicious guest virtual machine can read data sitting in the L1 data cache of the physical core it runs on, including data belonging to the hypervisor or to any other guest virtual machine whose virtual CPU runs on that same core (for example, on the sibling hyper-thread).
Risk to Customers
The L1TF vulnerabilities present a risk only to Nexcess Cloud customers on our dedicated Cloud tiers (Large, XLarge, and 2XLarge). Although these tiers receive dedicated resources, their virtual CPUs are not pinned to specific physical cores. Instead, the Linux kernel scheduler distributes guest virtual CPUs across the host's cores according to our core density setup in order to deliver that dedicated capacity. Because virtual CPUs belonging to different guests can therefore run on the same physical core, these hosts present exactly the circumstances that L1TF exploits.
The L1TF vulnerabilities pose no risk to Nexcess Cloud customers on shared tiers (XSmall, Small, and Medium), which run on bare-metal cloud. The underlying hardware is mapped directly into a single virtual machine, and no other guest virtual machines run on those systems, so there is no co-tenant from which data could leak.
Our customers on classic, non-Cloud accounts are unaffected by this vulnerability. In the event of any changes to this risk assessment, we will notify our customers through this blog.
We are acting quickly to protect our customers before exploits become publicly available. In the coming days and weeks, we will implement Linux kernel updates (which add the host-side page table entry inversion and the flush of the L1 data cache on entry into a guest), Intel processor microcode updates (which provide the hardware L1 data cache flush that the kernel relies on), and modifications to our virtual environment configurations. It is likely that some of these changes will require us to reboot virtual machine environments. We will apply all updates during scheduled maintenance windows and provide as much advance notice to our customers as possible.
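Once those updates land, the Linux kernel reports the resulting L1TF state in sysfs, and the wording of that string tells you which of the pieces above is actually active. The POSIX shell script below is an added example written for this post; it is not Nexcess's own tooling and not part of the original article. It interprets the status string published at /sys/devices/system/cpu/vulnerabilities/l1tf, whose wording follows the kernel's L1TF documentation, and turns it into a verdict on whether the host is safe for untrusted guests. The verdict names are this example's own, and the status strings in the comments are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the original post or of Nexcess's tooling.
# Interprets the L1TF status the Linux kernel publishes in
#   /sys/devices/system/cpu/vulnerabilities/l1tf
# (wording from Documentation/admin-guide/hw-vuln/l1tf.rst) and decides
# whether the host may run untrusted guests. Verdict names are this
# example's own:
#
#   not-affected      the CPU does not have the bug
#   host-only         PTE inversion is active but the string carries no VMX
#                     part (kvm_intel not loaded); fine for a host without guests
#   guest-vulnerable  mitigation off, or the L1D flush on VM entry disabled:
#                     a guest can read hypervisor or other-guest L1D contents
#   smt-sibling-leak  L1D is flushed on VM entry, but SMT is still on, so a
#                     guest on the sibling thread can sample the L1D concurrently
#   mitigated         L1D flushed (or EPT disabled) and SMT disabled
#   unknown           unrecognised wording: inspect by hand

l1tf_assess() {
    case "$1" in
        "Not affected")                         echo not-affected ;;
        "Mitigation: PTE Inversion")            echo host-only ;;
        # Without EPT the hypervisor builds the guest's effective page tables
        # itself; the kernel documents this as a full mitigation even with SMT on.
        "Mitigation: PTE Inversion; VMX: EPT disabled")   echo mitigated ;;
        # "VMX: vulnerable" means vmentry_l1d_flush=never: even with SMT off,
        # the guest can read what the hypervisor left in the L1D.
        "Mitigation: PTE Inversion; VMX: vulnerable"*)    echo guest-vulnerable ;;
        # Flushing is on ("conditional cache flushes", "cache flushes" or
        # "flush not necessary"), so only the SMT sibling remains a leak path.
        "Mitigation: PTE Inversion; VMX: "*", SMT vulnerable") echo smt-sibling-leak ;;
        "Mitigation: PTE Inversion; VMX: "*", SMT disabled")   echo mitigated ;;
        Vulnerable*)                            echo guest-vulnerable ;;
        *)                                      echo unknown ;;
    esac
}

# Print the live status together with the two knobs that change it, then the
# verdict. Skips silently on systems without these sysfs entries.
l1tf_report() {
    for f in /sys/devices/system/cpu/vulnerabilities/l1tf \
             /sys/devices/system/cpu/smt/control \
             /sys/module/kvm_intel/parameters/vmentry_l1d_flush; do
        [ -r "$f" ] && printf '%s: %s\n' "$f" "$(cat "$f")"
    done
    if [ -r /sys/devices/system/cpu/vulnerabilities/l1tf ]; then
        l1tf_assess "$(cat /sys/devices/system/cpu/vulnerabilities/l1tf)"
    else
        echo unknown
    fi
}

l1tf_report
```

The verdict that matters for hosts like the dedicated tiers described above is smt-sibling-leak: a kernel and microcode that flush the L1 data cache on every entry into a guest still report "SMT vulnerable" until hyper-threading is switched off (echo off > /sys/devices/system/cpu/smt/control) or guests are otherwise kept from sharing sibling threads, because the flush protects the hypervisor's data but not a neighbour executing at the same time on the other thread of the core.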
We continue to monitor the state of speculative execution attacks and collaborate with the security response group formed in response to Spectre and Meltdown last January. If we discover information that alters our mitigation plan, we will notify our customers through this blog.
For questions and concerns, please contact our Support Team, and thank you for your patience as we work to improve our service.