We are aware of the recent public security disclosure made by the Xen project regarding potential information disclosures. There are 3 types of vulnerabilities. To the best of our knowledge, 2 of the vulnerabilities, CVE-2017-5753 and CVE-2017-5715 (also known as Spectre), have no known mitigations or patches as of yet. The third vulnerability, CVE-2017-5754 (also known as Meltdown), can be mitigated. The Xen project has promised mitigations for PV mode systems within the next few days.
Patches for the Linux kernel have been in development in public for approximately 2 months. While these exploits were not as well known to the public before today, we have no reason to believe that anything has fundamentally changed due to today’s disclosures.
Generally, we consider the impact of this vulnerability to be less severe than a privilege escalation bug, but we advise users to cycle sensitive information, such as passwords and private keys, once the mitigations for CVE-2017-5754 are fully applied. If you are using password-based authentication for SSH, we recommend you switch to public-key authentication, which is our default on newly provisioned systems and has been for several years. This helps with all potential information disclosures, including this one.
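As an added illustration of the SSH advice above (example code, not part of this notice): a POSIX shell check for whether an sshd_config still permits password logins. It honours sshd's first-match rule, which is the usual reason a "PasswordAuthentication no" appended to the end of the file has no effect. The sample configuration files are constructed for the example.

```shell
# Added example, not from the provider's notice. sshd uses the FIRST value it
# meets for a keyword in the global section, so a "PasswordAuthentication no"
# appended below an earlier "yes" changes nothing. This function mirrors that
# rule: comments and blank lines are skipped, keywords are case-insensitive,
# "key value" and "key=value" are both accepted, and parsing stops at the first
# Match block (those values only apply to matching connections, not globally).
# Exit status 0 = password logins enabled, 1 = disabled. sshd's default is "yes".
sshd_password_auth_enabled() {
    cfg="$1"
    value=$(awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        { key = tolower($1); sub(/=.*/, "", key) }
        key == "match" { exit }
        key == "passwordauthentication" {
            val = $0
            sub(/^[^ \t=]+[ \t=]+/, "", val)   # drop keyword and separator
            sub(/[ \t]+$/, "", val)            # drop trailing whitespace
            print tolower(val); exit           # first occurrence wins
        }
    ' "$cfg")
    if [ -z "$value" ]; then value="yes"; fi
    [ "$value" = "yes" ]
}

# Constructed sample configs: the weak one (appended "no" silently ignored)
# beside the corrected one (the "no" placed before any "yes", key-only login).
weak=$(mktemp); hardened=$(mktemp)
cat > "$weak" <<'EOF'
# distribution default left in place
PasswordAuthentication yes
PubkeyAuthentication yes
# appended later; ignored by sshd because the earlier line wins
PasswordAuthentication no
EOF
cat > "$hardened" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication=no
ChallengeResponseAuthentication no
Match Address 10.0.0.0/8
    PasswordAuthentication yes
EOF

sshd_password_auth_enabled "$weak" && echo "weak: password logins still enabled"
sshd_password_auth_enabled "$hardened" || echo "hardened: password logins disabled"
```

On a live host, `sshd -T` (run as root) prints the effective configuration after defaults and includes are resolved, which is the value to check rather than the file alone.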
You may also be required to update the operating system inside your VPS to be fully protected from CVE-2017-5754. To the best of our knowledge, PV VPSs will not need to apply kernel upgrades, though we nevertheless encourage you to consult the security disclosures for your particular operating system.
The current expected customer impact for PV VPSs is that individual VPSs are going to require a reboot, but at this time we do not know of a need for a host server reboot. When it is possible to reboot VPSs to apply the update, we will send an email with a deadline for performing the reboot yourself. If you do not reboot by the deadline, we will reboot your VPS for you.
We are currently evaluating whether HVM VPSs will require reboots and if so, how many will be required and on what schedule.
If you are using the legacy management console, your VPS is PV (paravirtualized). In the latest management console, to learn whether your VPS is PV (paravirtualized) or HVM (hardware virtualized), select option a to view the system details.