Advisory on CVE-2022-40982
Information disclosure in Intel processors
On August 8th, 2023, Intel disclosed a vulnerability in its recent computer processor microarchitecture. This vulnerability, known as "Gather Data Sampling (GDS)" or "Downfall", may allow an attacker to obtain sensitive information from a system. It has been assigned the CVE ID CVE-2022-40982 and has been rated medium severity by Intel.
What is the vulnerability?
CVE-2022-40982 is a transient execution side-channel vulnerability that affects Intel® Core processors from the 6th Generation (Skylake) to the 11th Generation (Tiger Lake). It allows an attacker with local access to infer stale data from previously used vector registers on the same physical core. A detailed description can be found in the “Downfall: Exploiting Speculative Data Gathering” paper.
What is the risk?
If an attacker is able to exploit this vulnerability, they could potentially exfiltrate information contained within different security contexts (i.e., other virtual machines or even the host device).
Impacted IONOS Cloud Products
Product Ranges | Product | Impacted | Mitigated | Patch Status |
---|---|---|---|---|
Compute | Dedicated Core Servers | Yes | Yes | Done |
Compute | vCPU Servers | Yes | Yes | Done |
Compute | Cloud Cubes | Yes | Yes | Done |
DBaaS | MongoDB | No | Not Applicable | Not Required |
DBaaS | Postgres | No | Not Applicable | Not Required |
Managed Services | Cloud DNS | No | Not Applicable | Not Required |
Managed Services | Application | No | Not Applicable | Not Required |
Managed Services | Classic | No | Not Applicable | Not Required |
Managed Services | Network | No | Not Applicable | Not Required |
Managed Services | Managed Kubernetes | No | Not Applicable | Not Required |
Managed Services | Container Registry | No | Not Applicable | Not Required |
Managed Services | Stackable Data Platform | No | Not Applicable | Not Required |
Managed Services | S3 Object Storage | No | Not Applicable | Not Required |
Managed Services | Backup Service | No | Not Applicable | Not Required |
Managed Services | Monitoring Services | No | Not Applicable | Not Required |
Managed Services | NAT Gateway | No | Not Applicable | Not Required |
What has IONOS Cloud done?
IONOS Cloud is committed to the privacy and security of our customers' data. We are aware of this vulnerability and have already initiated the required steps to mitigate it. We are also investigating the exposure and risk of this vulnerability for our customers' products and instances.
We will provide necessary updates as we learn more.
How can I get help?
If you have further questions or concerns about this vulnerability, contact IONOS Cloud Support.