AWS Statement: Processor Speculative Execution Research Disclosure (opens in new tab)

(aws.amazon.com)

115 pointsbryanh8y ago14 comments

14 comments

8 comments · 3 top-level

vosper8y ago· 2 in thread

I hoped they might discuss the supposed decrease in performance that the patches introduce (I imagine they did some testing) but I guess they're leaving it up to their users to discover whether their instances are slower now.

unclebucknasty8y ago

Agreed. Also this:

>All but a small single-digit percentage of instances across the Amazon EC2 fleet are already protected.

As of when?

Goes on to say that the "underlying infrastructure" is protected, but OS patches are required. What does it mean that instance infrastructure is protected, but the OS is not, and which step would introduce the performance degradation?

smn12348y ago

I assume, per the shared responsibility model, this implies guest OS (your instance) requires you to patch. Underlying host, hypervisor, would be patched.

1 more reply

wahnfrieden8y ago· 2 in thread

This says operating systems must be patched. I don't see any notice from Ubuntu yet. Does this apply to upgrading Ubuntu as well?

pfg8y ago

The vulnerabilities affect multiple layers in a virtualized environment. Amazon patching the virtualization host is what would prevent things like guests reading host memory (essentially a guest escape - one VM gaining access to other VMs running on the same system). Patching the guest VM is what's needed to mitigate other attack vectors (like unprivileged code reading kernel memory).

I don't think updated packages are available for any of the major distributions as of now. So far I've only seen fixed packages for Amazon Linux and Google's Container-Optimized OS.

perennate8y ago

They have a wiki article now, https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAn...

sparrish8y ago· 1 in thread

I'm getting a 404 from that URL now.

edwhitesell8y ago

I did on first attempt to load it, then it worked on an immediate refresh. Probably a cold cache or something.

j / k navigate · click thread line to collapse