As explained in our initial update, we have been assessing and testing mitigations for the Meltdown and Spectre vulnerabilities.
Intel’s poor communication to providers left just about everybody in the dark, with very little means to properly prepare and secure their infrastructure. Thanks to an early initiative between OVH and Online to ensure the best possible actions are carried out, a large number of providers got together to share information and coordinate with processor vendors. We joined this effort early on and are still active on this front.
The situation now
As it stands, our DE-FRA-1 site is the only one providing mitigations for all published CVEs. To ensure the best possible protection, you are encouraged to restart your VM instances in DE-FRA-1 (using “stop”, then “start” on our portal or through the API).
Since most CVE mitigations need Intel microcode releases, some still pending, AT-VIE-1, CH-DK-2, and CH-GVA-2 are still impacted by Spectre. We will start migration and reboot campaigns as soon as these microcodes are released and our validation ensures that no regression will occur.
Updated templates
All distributions now have mitigations for Meltdown. You can update your instances now (and reboot) to get this layer of protection in all our zones. For Spectre, mitigation of the second variant is only available in the DE-FRA-1 zone. Moreover, only CentOS and Windows 2016 offer the appropriate mitigations. After updating, be sure to stop your instance, then start it from our portal. Otherwise, the needed CPU features won’t be present. For Windows 2016, also have a look at the guide published by Microsoft.
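
A way to check from inside a Linux guest whether the stop/start actually exposed the CPU features, as an added example that is not part of the original post or the provider's tooling. The function names and the `SPEC_FLAGS` list are assumptions (flag names vary between kernels), and the sysfs `vulnerabilities` directory only exists on kernels that ship it.

```shell
#!/bin/sh
# Added example (not provider tooling). Flag names differ between kernels;
# this list is an assumption, adjust it for your distribution.
SPEC_FLAGS="spec_ctrl ibrs ibpb ibpb_support"

# has_flag FLAG CPUINFO: true if FLAG is on the first "flags" line.
has_flag() {
    grep -m1 '^flags' "$2" | tr ' \t' '\n\n' | grep -qx "$1"
}

# spec_ctrl_visible CPUINFO: true if the guest sees any speculation-control flag.
spec_ctrl_visible() {
    for flag in $SPEC_FLAGS; do
        has_flag "$flag" "$1" && return 0
    done
    return 1
}

# vuln_status NAME DIR: map the kernel's sysfs text to one word.
vuln_status() {
    [ -r "$2/$1" ] || { echo unknown; return 0; }   # older kernels lack sysfs entries
    case "$(cat "$2/$1")" in
        Mitigation*)     echo mitigated ;;
        "Not affected"*) echo not-affected ;;
        Vulnerable*)     echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# report [CPUINFO] [VULN_DIR]: defaults read the live system.
report() {
    cpuinfo="${1:-/proc/cpuinfo}"
    vulns="${2:-/sys/devices/system/cpu/vulnerabilities}"
    if spec_ctrl_visible "$cpuinfo"; then
        echo "cpu features: present"
    else
        echo "cpu features: missing (stop, then start the instance)"
    fi
    for v in meltdown spectre_v1 spectre_v2; do
        echo "$v: $(vuln_status "$v" "$vulns")"
    done
}

# Constructed sample: guest updated and rebooted from inside, never stopped/started.
demo=$(mktemp -d) && mkdir "$demo/vulns"
printf 'flags\t\t: fpu vme pti\n' > "$demo/cpuinfo"
echo "Mitigation: PTI" > "$demo/vulns/meltdown"
echo "Vulnerable" > "$demo/vulns/spectre_v2"
report "$demo/cpuinfo" "$demo/vulns"
```

Calling `report` with no arguments reads `/proc/cpuinfo` and the sysfs directory of the running guest instead of the constructed sample.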