Intel has released new microcode to address a new set of side-channel information disclosure attacks - CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, and CVE-2019-11091. These vulnerabilities are otherwise going by the names “ZombieLoad,” “RIDL,” and “Fallout.”

Generally, these are considered easier than Spectre but more difficult than Meltdown to exploit. We disabled hyper-threading a long time ago, which is the most likely method for cross-virtual machine attacks to be successful.

Mitigation requires both updates of the host server to prevent attacks in between virtual machines and updates within the virtual machine to prevent information leaks between processes or kernel and user space. In both cases, the new CPU instructions provided by the updated microcode are required. We will follow up later via email with the schedule and plan for updates.