Trust & Security

DigitalOcean mitigated the AMD vulnerability

Tyler Healy

Posted: May 10, 20222 min read

Today, AMD publicly disclosed a vulnerability that affected DigitalOcean’s Premium AMD Droplets.

What happened

The vulnerability resulted from a bug in AMD CPU’s core logic that could allow a potential malicious user to cause the CPU core to hang by executing specific code from an unprivileged VM. For DigitalOcean customers specifically, it means that the hypervisors that host Premium AMD Droplets could have enabled a malicious actor to impact the performance or availability of their own Droplets as well as other Droplets on the same hypervisor.

The AMD vulnerability was successfully patched and there were no products or customer data affected. Currently, the risks have been mitigated and no action is required by customers.

How we responded

When AMD first notified DigitalOcean about the potential vulnerability a few weeks ago, our security, engineering, and operations teams developed a plan to 1) rapidly mitigate the risk, and 2) minimize interruption to our services and customers. AMD sent our infrastructure team patched microcode that required a hypervisor restart. So, we “live migrated” Droplets, which means shifted Droplets in real time from the vulnerable hypervisors to patched ones, and then patched the empty vulnerable hypervisor. We repeated this process until we fixed all the vulnerable hypervisors. Throughout this process, customers did not experience any issues and the availability of our services wasn’t impacted.

Again, the AMD vulnerability was successfully patched and there were no products or customer data affected. As a result, risks have been mitigated and no action is required by customers.

DigitalOcean will continue to proactively detect, protect, and respond to such issues so that you can focus on your applications while we focus on platform security. We’re dedicated to being your trusted partner in your journey to build and successfully grow your business worry-free.

Tyler Healy

VP, Security

Share

Try DigitalOcean for free

Click below to sign up and get $200 of credit to try our products over 60 days!Sign up

Related Articles

Announcing the Public Launch of DigitalOcean’s Paid Bug Bounty Program
trust-security

Announcing the Public Launch of DigitalOcean’s Paid Bug Bounty Program

April 5, 20244 min read

Fine-Grained RBAC For GitHub Action Workflows With GitHub OIDC and HashiCorp Vault
trust-security

Fine-Grained RBAC For GitHub Action Workflows With GitHub OIDC and HashiCorp Vault

February 3, 202327 min read

Enabling Engineering Teams Through Developer-First Secrets Management
trust-security

Enabling Engineering Teams Through Developer-First Secrets Management

January 26, 20238 min read