What do ServerMania customers need to do?

ServerMania dedicated server customers should update their servers’ operating systems to install the patches that fix the vulnerability. Any server on which a malicious actor can run code is vulnerable.

What are we doing to keep your customers safe?

We have already begun the rollout of patches to our cloud platforms. We will be booking maintenance windows with clients on our hybrid cloud platform to install the necessary operating system patches.

What are Spectre and Meltdown?

Spectre and Meltdown exploit flaws in processor architecture to break through the protections that prevent ordinary code from accessing sensitive data.

Modern processors use a technique called speculative execution to improve performance. The processor is continuously trying to guess what computation it thinks you will ask it to perform next. The processor executes multiple instructions at once, sometimes out of order, and if the CPU is on the right execution path you will see a performance increase.  If the right computation is executed, the processor has a head start. If the results aren’t needed, they’re discarded with no performance penalty. Most of the time, the processor gets it right, resulting in improved performance.

But, in the process of speculative execution, sensitive data that should only be readable by the kernel may be exposed to ordinary processes. You can see full details of how Spectre and Meltdown work and how they can be exploited in articles from Google’s Project Zero and the Webkit project.

What are the practical consequences of the vulnerabilities?

Let’s have a look at two scenarios in which a bad actor could exploit Spectre and Meltdown.

Public cloud hosting. On public cloud platforms, several customers share the same physical hardware. Using Spectre and Meltdown, a malicious customer might run code that can access sensitive information owned by the host operating system and other virtual machines running on the server.

Web browsing. Web browsers run arbitrary code from the internet. They have built-in protections to prevent that code from breaking out of its own area of memory and affecting other processes and data on the system. As the Webkit project has explained: by using Spectre and Meltdown together, it is possible to write JavaScript code that bypasses those protections.

In short, any scenario in which arbitrary code can be run on a server is a risk.

Update your servers immediately

While there is no evidence that Spectre and Meltdown have been widely exploited, that’s likely to change. The full details of both vulnerabilities are publicly available. Updating your servers’ operating system is the best way to protect it.