Upcoming Critical Security Patching & Maintenance
Incident Report for SiteHost
Update
Another quick update on Meltdown and Spectre - we have rolled out images for Ubuntu, Debian and CentOS 7 which include updated kernels relevant to the vulnerabilities. We are still waiting on an updated CentOS 6 image but for other distributions, any new provisions will be updated out of the box. It is also worth noting that our testing has shown that within our infrastructure individual Linux virtual servers are not vulnerable to the Meltdown exploit. With our Windows images, Server 2012 and 2016 are in final internal testing with a view to being rolled out on Monday next week, at which time we will also post more details about the impact of these patches.

For existing managed servers, we'll be in contact with customers directly on Tuesday next week with regard to our maintenance plans. We'll do our best to schedule these maintenances for off-peak times however the impact of these vulnerabilities means we may need to act quickly to ensure security for our customers.

Unmanaged customers: we recommend that you update as soon as you can, based on your OS vendor's recommendations. We've noted problems with the latest (at the time of writing) CentOS 6 kernels and don't recommend upgrading to them just yet, but outside of that we're not aware of any issues with the updates currently available. We will be preparing some knowledge base articles outlining the steps you need to take to be secure based on what we've learned over the last two weeks and hope to have those available for you early next week.

We will continue to update our status page with detail as more news becomes available.
Posted 2 days ago. Jan 19, 2018 - 17:26 NZDT
Update
It’s time for another update about Meltdown and Spectre. Like almost every cloud service provider we have been learning more about these vulnerabilities every day as more information comes to light and more patches are made available.

One of the unique aspects of Meltdown and Spectre is that different hardware, virtualisation software, and guest operating systems are vulnerable in different ways. That means there’s no silver bullet across our entire fleet or product range.

That being said, we are currently testing updated images for Ubuntu, Debian, CentOS, CoreOS and Windows. Our goal is to release these early/mid next week once we’re confident in their stability and understand any potential performance impact they may have. From there we’ll be looking at if and when we need to apply these updates to managed servers.

If your server is unmanaged but a patch is available, you can update to the latest kernel or OS version when ready by following the vendor's documentation. Please do note that we cannot vouch for the stability or potential performance impact of any of these patches.

Patching customer servers is only part of the picture though. The underlying hardware nodes also need patching, which is where our hardware and virtualisation vendors come in. In most cases we are still waiting on patches, but we are using this time to investigate our options to ensure our infrastructure is safe and secure in as timely a fashion as possible while having minimal impact on reliability and performance.

We’ll post another update as soon as we have more news.
Posted 9 days ago. Jan 12, 2018 - 16:18 NZDT
Update
Some key upstream vendors are still working on patches for these flaws and we're continuing to work with them. We expect to have more news later this week.
Posted 12 days ago. Jan 09, 2018 - 10:43 NZDT
Investigating
Due to two severe vulnerabilities released today that impact almost all computers and cloud providers there will be some short notice critical maintenance that will require downtime in the coming days. We are currently investigating patches and as soon as we have them verified and tested we will confirm the exact timing of the outage windows on this site and via email. At this stage we believe this very likely affects all customers, but we believe our Dedicated and Private Cloud customers to be at a much lower risk.

https://meltdownattack.com/
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5753
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5715
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5754

We will provide updates as we learn more.
Posted 17 days ago. Jan 04, 2018 - 12:18 NZDT