Spotinst is aware of and constantly monitoring recent Common Vulnerabilities and Exposures
CVE-2017-5754, more commonly known as
Spectre. The vulnerabilities exploit CPU speculative and independent branch execution though side-channel analysis of cache. While public disclosure did not occur until January 3, 2018, the platforms Spotinst provides services for, Amazon Web Services (AWS), Microsoft Azure and Google Compute Platform (GCP) have known about and have been implementing remediations for months. As of January 5, 2018 all three platforms have patched and replaced vulnerable kernels. Each provider has also released a statement explaining respective mitigation tactics.
- AWS Security Bulletin: https://aws.amazon.com/security/security-bulletins/AWS-2018-013/
- GCP Security Bulletin: https://cloud.google.com/compute/docs/security-bulletins
- Microsoft Announcement: https://azure.microsoft.com/en-us/blog/securing-azure-customers-from-cpu-vulnerability/
Spotinst Elastigroups are protected because of the actions taken by AWS, GCP, and Azure. Elastigroup compute is run directly on these platforms. Spotinst operates API calls of each platform on behalf of our customers and we do not directly provide CPU, OS or kernel services for Elastigroups. Furthermore, the platforms that Spotinst relies on to provide our services have been updated with all relevant patches. At Spotinst, customer security is paramount in everything that we do. We will continue to monitor these as well as future CVE disclosures and take action as necessary.
Vice President, Architecture