A Message about Intel’s L1TF Security Vulnerability

Today, Intel released a statement regarding L1 Terminal Fault (L1TF), a severe security vulnerability that affects many multi-tenant environments running virtual machines, including DigitalOcean. This vulnerability exposes data to any guest running on the same processor core.

In DigitalOcean’s environment, this means an attacker could theoretically use one Droplet to view another Droplet’s memory. However, they should have no ability to target a specific Droplet or user.

The security implications of this vulnerability are significant and require us to move rapidly to ensure our platform remains protected. In the wake of previous vulnerabilities, Intel has improved their communications flow with us and shared more information sooner, which enabled us to start our mitigation efforts yesterday. However, due to the condensed timeline, unforeseen issues may arise during these efforts. We will continue to work with Intel to enhance their multi-party vulnerability disclosure process so we can improve our agility and efficiency in the future, and better address these types of issues.

Remediation efforts will be completed within a few weeks, and during this time we will take all possible steps to ensure customer Droplets and data remain safe. We do not anticipate any downtime for our users as a result of our mitigation efforts.

We are closely monitoring this situation, and we will update this blog post as more information becomes available. We will notify customers directly should there be any action required of them, or any action taken that may impact their DigitalOcean account.

You can read Intel’s initial statement here.

Josh Feinblum leads security and compliance for DigitalOcean and serves as Chief Security Officer. Prior to DigitalOcean, he was the head of security at Rapid7 and started several security programs across hyper-growth, technology-oriented healthcare companies. He is deeply involved in the security community and has more than 14 years of experience managing security teams, overseeing major clients at large managed service providers, and starting privacy and security related programs across commercial and federal financial service firms.