An industry-wide issue has been found with how modern microprocessors implement speculative execution of instructions. There are three main variants of the issue, two of which (CVE-2017-5753 and CVE-2017-5715) are collectively known as “Spectre”, and the third (CVE-2017-5754) is known as “Meltdown”.
The issues allow an unprivileged attacker to read privileged memory.
Our physical cloud hosts (on which customer cloud servers are provisioned) use hardware virtualization through KVM and therefore an attacker cannot exploit Meltdown to read memory between cloud servers. We’ll be applying host updates in due course, but do not need to schedule reboots of our physical hosts at this time for Meltdown.
However, Meltdown can be exploited from within an individual customer’s cloud server to read other privileged memory belonging to that same cloud server.
Updates for Linux distros and Windows are being prepared by the vendors and will be available over the next few days. We recommend you update your cloud server operating systems when the updates are available.
Updates to Cloud SQL instances will be automatically applied within your defined maintenance window.
Meltdown is not a vulnerability that can be directly exploited remotely; it requires an attacker to be able to run arbitrary code on a target system. But it does make other vulnerabilities that allow arbitrary code execution more serious. If you allow your users to run code directly on your systems (such as providing web hosting services to untrusted users) then applying the OS updates to your cloud servers is a particularly high priority.
As with Meltdown, Spectre requires an attacker to have local access to the affected system, but it is harder to exploit. It’s also harder to fix, and updates are currently not fully available. Our physical hosts are vulnerable to Spectre, and we’re planning scheduled reboots of all servers over the next week. We’ll notify customers by email of the exact schedule once the updates are fully available.
UPDATE: We now have details of the Spectre updates and are rolling them out over the week starting 15th January, which will involve reboots of all cloud servers. We’re notifying everyone by email about which specific cloud servers are affected and when. Customers still need to apply their own OS updates within their cloud servers to be fully protected.