[Important Notice] January 19 Alibaba Cloud Platform Security Update Notice

Recently, a serious security vulnerability affecting Intel processors was disclosed. This vulnerability can result in operating system kernel information leakage. Applications can access kernel data without authorization. Before the public disclosure, Alibaba Cloud began working with Intel to mitigate the impact of this vulnerability. As of this announcement, we have not detected any use of this vulnerability against our platform.

The fix for the vulnerability consists of two parts. Part one consists of updates to our cloud platform virtualization hosts. Part two is applying updates to the operating system inside the guest. Alibaba Cloud has already started work on updating our cloud platform infrastructure. The deployment is expected to be completed no later than Beijing time 24:00 on January 19, 2018 (revised from January 12, 2018). The solution will leverage hot upgrades so it will not impact business under most circumstances.

Because almost all Intel CPUs produced in the last 10 years have this vulnerability, there will be some situations where we cannot apply a hot upgrade. For systems which cannot be hot upgraded, we will issue a warning in advance of any changes we make. Please watch for SMS and email notifications from us, plan your operations accordingly, and be sure to back up key business data.

After deploying the fixes for this vulnerability across our cloud platform architecture, customers will still need to apply operating system patches themselves across their instances. Alibaba Cloud is actively working with Intel, Microsoft and Linux distribution vendors on the necessary patches. We will update you as patches are released.

This notice will be updated continuously. We suggest you visit this notice regularly to check for status updates. Should you have any questions, please feel free to contact us by submitting a ticket.

[Jan. 18 Update]
1. For the vulnerabilities of cloud platform underlying infrastructure: Alibaba Cloud has completed the vulnerability repair in most regions. After the remaining resources are fixed, we will update the notice again.
2. For the vulnerabilities at customer operating system layer, the latest operating system patch releases are as follows:
      1) Ubuntu (completely updated)

[Jan. 12 Update]
1. For the vulnerabilities at customer operating system layer, the latest operating system patch releases are as follows:
      1) Aliyun Linux 15.01

[Jan. 11 Update]
1. For the vulnerabilities of cloud platform underlying infrastructure: In order to ensure the stability of the user's business, we will refine the repair batches and reduce the repair frequency. Therefore, the last batch is expected to be completed by January 19. We will update this notice as soon as the repair is completed.

[Jan. 10 Update]
1. For the vulnerabilities at customer operating system layer, the latest operating system patch releases are as follows:
      Ubuntu and Debian released a CVE-2017-5754 patch
      The Ubuntu and Debian repair method is updated

[Jan. 8 Update]
1. For the vulnerabilities of cloud platform underlying infrastructure: Alibaba Cloud will use the hot upgrade approach to repair Intel CPU security vulnerabilities. The latest hot upgrade approach will cover all affected product series. Under normal circumstances, there will be no perceptible disturbance during the repair. The repair on products that are based on SGX technology has now been completed.
2. For the vulnerabilities at customer operating system layer, the latest operating system patch releases are as follows:
      openSUSE (partial vulnerability has been updated)

[Jan. 7 Update]
1. For the vulnerabilities of cloud platform underlying infrastructure: the repair is currently underway in batches.
2. For the vulnerabilities at customer operating system layer, the latest operating system patch releases are as follows:
      CoreOS 1465.8.0 (some vulnerabilities have been updated)

[Jan. 6 Update]
1. For the vulnerabilities of cloud platform underlying infrastructure: Alibaba Cloud has completed the repair of commercial products based on SGX technology.
2. For the vulnerabilities at customer operating system layer, the latest operating system patch releases are as follows:
      Debian 9 (some vulnerabilities have been updated)
      SUSE Linux Enterprise Server 12 sp3

[Jan. 5 Update]
1. For the underlying cloud platform infrastructure vulnerabilities, Alibaba Cloud has started the repair and update, which is currently in progress.
2. For the user operating system layer vulnerabilities, customers still need to perform patch repair at the operating system layer. Up to now, released operating system patch updates are as follows:
      Windows 2008 R2/2012 R2/2016 R2/Version 1709
      CentOS
      Redhat el6/el7
      SUSE Linux Enterprise Server 11.4/12.2
Please refer to this link for specific circumstances and precautions: https://www.alibabacloud.com/forum/read-2878-1

Note: It has been found that the patch on Linux systems may cause some performance impact. Exploiting this vulnerability to gain access to sensitive information requires local authorization. To ensure the stability of the service, users need to decide, according to their own business situation, whether to upgrade to fix the vulnerability. Please make sure that you finish business validation and necessary data backup before the repair.

[Jan. 4 Update]
Alibaba Cloud has begun to implement the repair; most of the repair will be carried out using hot upgrade. Under normal circumstances there will be no business impact. It will be finished by Beijing time 24:00 on January 12. A very small number of customers whose instances do not support hot fix will be notified in advance.
The fix we are implementing addresses the vulnerabilities in the underlying cloud platform infrastructure. To fix the vulnerability thoroughly, patch updates must also be applied to the guest operating system. Alibaba Cloud is also working with Intel, Microsoft and Linux distribution vendors to actively study and provide a guest-side repair plan. We will keep you updated on the progress.

[Jan. 3 Update]
In order to solve the security problem of the processor chip, Alibaba Cloud will upgrade the underlying virtualization at Beijing time 1:00 AM on January 12, 2018. Alibaba Cloud will adopt a hot upgrade approach, so most customers will not be affected. However, some customers may need to restart manually. It is recommended to prepare operation plans and back up your data in advance. Please pay attention to the Alibaba Cloud official website notice for the detailed upgrade time and the affected area, and make sure your contact information (phone, email) is available.