CVE-2017-5754 (aka. "Meltdown") is an information-leak vulnerability that exploits a defect in Intel processors. This vulnerability allows unprivileged processes to read from protected kernel memory. 


CVE-2017-5715 and CVE-2017-5753 (aka. "Spectre") are a class of information-leak vulnerability that are "timing attacks": the ability to glean information based on how long the processor takes to do something. These vulnerabilities allow unprivileged processes to read from any memory on the computer.


What is the impact of these vulnerabilities?


Meltdown allows an attacker with local execution to read kernel memory; which could likely in turn be used to gain superuser access (i.e. "root" on Linux or "Administrator" on Windows).  This is limited to within a single virtual machine.


Spectre is more general and allows an attacker to potentially read memory from anywhere on the host hardware. In theory, this would allow a malicious BinaryLane customer to gain information from other customer's VPS on the same host.


There are currently no known "real-world" exploits for the three vulnerabilities.


What is BinaryLane doing?


We need to update the kernel on each of our host nodes to prevent malicious customers from exploiting the two "Spectre" vulnerabilities. At the time of writing, patch from our vendor is expected on 9th January 2018.


BinaryLane utilises KernelCare across its fleet of host nodes, which allows for updating the kernel without rebooting - a "live update". However there is a caveat; each new kernel release needs to be specially prepared by the KernelCare team for live-updating, a process that typically takes a few days. The developers have advised on their blog that these particular updates have a higher difficulty than normal and there may be a delay in availability.


We will continue to evaluate the information provided by the KernelCare team in the days leading up to release of vendor patches.  If the delay to receive KernelCare updates is considered too long - particularly if a real-world exploit is known to be available - we will perform "rolling restarts" of our host nodes.  This would require restarting all customer VPS - between 00:00 and 06:00 AEDT. The process would be performed one host at a time to minimize impact on customers using multiple VPS for high availability.


The earliest we could commence this process will be when patch is available from our vendor - currently expected to be Tuesday 9th January.  If we do conclude that we cannot wait on KernelCare and must perform rolling restarts, we will send an advisory via email to all customers.


Do I need to do anything?


Yes, you should update your own operating system as soon as an update is available from the vendor (Microsoft, CentOS, Ubuntu, etc) and then reboot your VPS.