Microarchitectural Data Sampling (MDS) Advisory: On 14 May 2019, Intel released a statement regarding Microarchitectural Data Sampling (MDS), a significant security vulnerability that affects cloud providers with multi-tenant environments, including DigitalOcean. In addition to the steps we are taking described on our blog, we strongly recommend that you update your internal Droplet kernels to ensure you have the latest available bug fixes and security patches.
Here are the steps to patch your Droplet for the Intel MDS vulnerability (also known as Zombieload) and to verify the patch applied successfully.
Full steps, including explanations, for how to upgrade your Droplets’ kernels can be found on our article How to Upgrade to the Latest Kernel. Make sure you power off and power on the Droplet when done, as explained in that article.
If your Droplet is running a Linux OS (Ubuntu, Debian, CentOS, Fedora), you can use the following command to verify that it has been patched:
A patched Droplet returns:
Mitigation: Clear CPU buffers; SMT Host state unknown
That file path only exists if the Droplet has been patched, so an unpatched Droplet returns:
cat: /sys/devices/system/cpu/vulnerabilities/mds: No such file or directory
If you’re using FreeBSD, you can find more information on this FreeBSD Security Advisory.