
Meltdown & Spectre CPU Vulnerabilities

January 26, 2018

The vulnerability named ‘Meltdown’ has been patched on all Hetzner Managed servers. Stable patches for ‘Spectre’ are not yet available.

What happened?

Last year Google’s security team identified serious problems with speculative execution, a technique used industry-wide to improve performance in modern microprocessors.

It was found that these vulnerabilities could be used to improperly read sensitive data from computing devices that are operating exactly as designed: the leak is a side effect of the processor’s normal behaviour rather than a bug in any one program.

CPU manufacturers (Intel, AMD and ARM) worked with software vendors on fixes before announcing the vulnerabilities publicly, to limit the window for exploitation, but were forced to announce early, on 3 January 2018, after details began to leak in media reports.

This issue applies to a wide range of products, including home PCs, cell phones and web servers. Developers on all platforms have rushed to roll out patches. While patches for Meltdown were released within days of the announcement for most platforms, fixing Spectre is proving difficult, and some early patches have caused more harm than good.

What is Hetzner doing about it?

Our system engineers are keeping abreast of these technical developments: they responded swiftly and applied the Meltdown fixes to all Hetzner managed servers.

They are ready to apply Spectre patches as soon as stable versions are released.

Self-managed server customers need to apply the patches themselves. The vulnerabilities cannot be fixed in the existing hardware, so the mitigations are delivered as operating system updates (and, for Spectre, CPU microcode/firmware updates) that work around the flaw. For this reason, customers with Self-managed servers need to patch the operating system on their server and reboot into the updated kernel.
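For customers on Self-managed Linux servers, the following script is an added example, not part of this advisory or of Hetzner’s tooling, showing how to check what the kernel itself reports about the Meltdown and Spectre mitigations after patching and rebooting. It assumes a kernel that exposes the sysfs vulnerabilities interface (Linux 4.15 and later, or a distribution kernel with the fix backported); the directory parameter and the sample status strings in the comments are illustrative, not taken from this page.

```shell
#!/bin/sh
# Added example, not part of the xneelo advisory or Hetzner's tooling.
# Linux kernels 4.15 and later (and distribution kernels that backported the
# fixes) expose the kernel's own view of each CPU issue as one file under
# /sys/devices/system/cpu/vulnerabilities/, e.g. "meltdown", "spectre_v1",
# "spectre_v2". Each file holds "Not affected", "Vulnerable",
# "Vulnerable: <detail>" or "Mitigation: <name>".
#
# check_cpu_mitigations prints one line per issue and returns:
#   0  every listed issue is mitigated or not applicable
#   1  at least one issue is still reported as Vulnerable
#   2  the sysfs directory is absent (kernel too old to report; treat as unpatched)
# The directory is a parameter (assumed for this example) so the function can
# also be run against a constructed copy of the files.
check_cpu_mitigations() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    if [ ! -d "$dir" ]; then
        echo "UNKNOWN  $dir not present: kernel does not report mitigation status; assume unpatched"
        return 2
    fi
    unpatched=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        status=$(cat "$f")
        case "$status" in
            "Not affected"*|Mitigation:*)
                echo "OK       $name: $status" ;;
            Vulnerable*)
                echo "VULN     $name: $status"
                unpatched=$((unpatched + 1)) ;;
            *)
                echo "UNKNOWN  $name: $status" ;;
        esac
    done
    [ "$unpatched" -eq 0 ]
}

# Stand-alone use: report on this host. The if-statement keeps a non-zero
# result from aborting a caller that runs with "set -e".
if check_cpu_mitigations "$@"; then
    echo "RESULT   all reported issues mitigated"
else
    echo "RESULT   action needed (see lines above)"
fi
```

Run it once before and once after the reboot: a `Mitigation:` line for `meltdown` (typically `PTI`) confirms the kernel-side Meltdown fix is active, while `spectre_v2` will usually stay `Vulnerable` until both the kernel and the CPU microcode have been updated.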

What is the risk to my server or website?

Before the vulnerabilities are patched:

While vulnerabilities are always a security risk, these particular ones are hard to exploit in practice: they are considered very important to patch, but the immediate risk to a typical server is low.

Worst-case scenarios are that JavaScript hosted on a malicious webpage could read memory belonging to the visitor’s browser that the script should not be able to see, or that users on shared hardware could read other clients’ sensitive data from memory.

After the vulnerabilities are patched:

The firmware updates and software patches could cause some systems to run slower. We are unable to say in advance what the impact on our hosting servers will be; it will vary from server to server, depending on the exact type of work the server does.

In our Shared hosting environment, we aim to run our CPUs at an average of under 50% usage, so we have good headroom to absorb a performance hit. While this doesn’t provide guarantees, we are optimistic that the impact will not be noticeable. For Dedicated servers, the headroom will vary depending on the customer’s use of the server.