CoSo Cloud secure against Spectre and Meltdown
January 9, 2018
CoSo Cloud is closely watching recently disclosed vulnerabilities regarding the side-channel analysis of speculative execution on modern computer processors (CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754), also known as “Spectre” and “Meltdown.” This vulnerability has existed in modern processors for more than a decade and impacts processor architectures from numerous vendors. Specific details about the vulnerabilities can be found here.
Unlike with public cloud vendors like Amazon Web Services, CoSo Cloud’s customers have limited exposure to these exploits with its private single-tenant secure managed service. This is because the exploits require malicious code running on a shared physical host. With public clouds, you have no control over what other virtual machines share the same physical host with your application, and the very nature of a public cloud means that a malicious actor can run their attack software on any host. The vulnerabilities may allow such malicious software running in one virtual machine to access confidential data stored in another virtual machine on the same host. CoSo Cloud runs only software that has been tested and approved, and unlike with shared public clouds, never allows arbitrary software to run anywhere in our environment.
This being said, CoSo Cloud will be implementing vendor patches and hotfixes to further protect our environments from these vulnerabilities. These updates will be tested in our staging and development environments, then rolled out to our production environments. This is to ensure our customers will maintain a highly available, performant, secure end-user experience.
If you have further questions or need clarification on our security position, reach out to your Customer Success Manager, or CoSo Security at CoSoSecurity@cosocloud.com.