On October 25, 2023, VMWare disclosed a vulnerability in its vCenter Server Security Issues. This vulnerability enables a malicious actor with network access to a vCenter Server to trigger an out-of-bounds write – potentially leading to remote code execution. The CVE ID CVE-2023-34048 is assigned to this vulnerability and has a Critical severity with Common Vulnerability Scoring System (CVSS) of 9.8 score.
| Product Ranges | Product | Impacted | Mitigated | Patch Status |
|---|---|---|---|---|
IONOS Cloud customers access their Private Cloud’s vCenter server via an IONOS-provided dedicated Virtual Private Network (VPN). Every Private Cloud customer has a dedicated VPN, and another customer of IONOS cannot access the vCenter Server instance of another. This reduces the attack surface from external entities. Therefore, we consider this issue to be Medium for our customer environment as the reachability of the attack is not public but restricted.
We do not see any active sign of exploitation of this vulnerability, and no public exploit is known yet.
IONOS Cloud provides VServer over a secure virtual private network, which mitigates the risk of exploitation from external entities. We have already initiated the steps to remediate the vulnerability by upgrading the VMWare vCenter version. IONOS Cloud owns the patching responsibility, and there is no action required from the customer.
IONOS Cloud will start to update all VMware vCenter servers on November 6, 2023.
During the upgrade, you can restrict access to vCenter for up to 1 hour.
If you have further questions or concerns about this vulnerability, contact IONOS Cloud Support.
vCenter Server
Yes
No
Not Started
On October 9, 2023, Acronis disclosed another vulnerability in its Acronis Agent for Windows. The vulnerability can be fixed by upgrading to build version 36497.
| Product Ranges | Product | Impacted | Mitigated | Patch Status |
|---|---|---|---|---|
The IONOS Cloud team constantly communicates with Acronis and will soon allow customers to download the patched Windows agent. Acronis has ensured no active sign of exploitation, and IONOS Cloud customer backups do not have an impact due to this vulnerability. For more information, see Acronis Cyber Protect Cloud Agent update C23.10.
IONOS Cloud will publish the non-vulnerable versions of agents when Acronis shares the information, estimated to be by the end of November 2023.
If you have further questions or concerns about this vulnerability, contact IONOS Cloud Support.
Managed Services
Backup Service
No
Not applicable
Not applicable
Managed Services
Acronis Agent for Windows
Yes
No
Will be available in late November
On August 8th, 2023, Advanced Micro Devices (AMD) disclosed a vulnerability in its recent computer processor microarchitecture. This vulnerability, known as the Return Form Procedure (RET) Speculation or Inception, may allow an attacker to obtain sensitive information from a system.
If an attacker can exploit this vulnerability, they could potentially exfiltrate information contained within different security contexts such as other Virtual Machines (VM) or even the host device.
The CVE ID CVE-2023-20569 is assigned to this vulnerability and classified as a medium severity by AMD.
| Product Ranges | Product | Impacted | Mitigated | Patch Status |
|---|---|---|---|---|
IONOS Cloud is committed to the privacy and security of our customers' data. We are aware of this vulnerability and have already initiated the required steps to mitigate this vulnerability. We are also investigating the exposure and risk of this vulnerability for our customer’s products and instances.
We will provide necessary updates as we learn more.
If you have further questions or concerns about this vulnerability, contact IONOS Cloud Support.
Compute
Dedicated Core Servers
Yes
Yes
Done
Compute
vCPU Servers
Yes
Yes
Done
Compute
Cloud Cubes
Yes
In Progress
In Progress
On August 8th, 2023, Intel disclosed a vulnerability in its recent computer processor microarchitecture. This vulnerability, known as "Gather Data Sampling (GDS)" or "Downfall", may allow an attacker to obtain sensitive information from a system. This vulnerability is assigned CVE ID as CVE-2022-40982 and has been given a medium severity by Intel.
CVE-2022-40982 is a transient execution side-channel vulnerability that affects Intel® Core processors from the 6th Generation (Skylake) to the 11th Generation (Tiger Lake). It allows an attacker with local access to infer stale data from previously used vector registers on the same physical core. A detailed description can be found in the “Downfall: Exploiting Speculative Data Gathering” paper.
If an attacker is able to exploit this vulnerability, they could potentially exfiltrate information contained within different security contexts (i.e., other virtual machines or even the host device).
| Product Ranges | Product | Impacted | Mitigated | Patch Status |
|---|---|---|---|---|
IONOS Cloud is committed to the privacy and security of our customers' data. We are aware of this vulnerability and have already initiated the required steps to mitigate this vulnerability. We are also investigating the exposure and risk of this vulnerability for our customer’s products and instances.
We will provide necessary updates as we learn more.
If you have further questions or concerns about this vulnerability, contact IONOS Cloud Support.
Compute
Dedicated Core Servers
Yes
Yes
Done
Compute
vCPU Servers
Yes
Yes
Done
Compute
Cloud Cubes
Yes
Yes
Done
DBaaS
MongoDB
No
Not Applicable
Not Required
DBaaS
Postgres
No
Not Applicable
Not Required
Managed Services
Cloud DNS
No
Not Applicable
Not Required
Managed Services
Application
No
Not Applicable
Not Required
Managed Services
Classic
No
Not Applicable
Not Required
Managed Services
Network
No
Not Applicable
Not Required
Managed Services
Managed Kubernetes
No
Not Applicable
Not Required
Managed Services
Container Registry
No
Not Applicable
Not Required
Managed Services
Stackable Data Platform
No
Not Applicable
Not Required
Managed Services
S3 Object Storage
No
Not Applicable
Not Required
Managed Services
Backup Service
No
Not Applicable
Not Required
Managed Services
Monitoring Services
No
Not Applicable
Not Required
Managed Services
NAT Gateway
No
Not Applicable
Not Required
On October 9, 2023, Acronis disclosed a vulnerability in its Acronis Agent for Linux, Mac, and Windows. This vulnerability may allow an unauthorized attacker to view and manipulate antivirus and antimalware protection plans applied to a specific agent. CVE-2023-45247 ID has been assigned to this vulnerability and classified as having high severity.
| Product Ranges | Product | Impacted | Mitigated | Patch Status |
|---|---|---|---|---|
IONOS and Acronis are in constant communication to gain a deeper understanding of this vulnerability and also ensure that:
There are no signs of active exploitation resulting from the vulnerability. For more information, see Acronis Cyber Protect Cloud Agent update C23.10.
The vulnerability does not allow unauthorized access to IONOS Cloud customers’ backup data. IONOS Cloud will publish the non-vulnerable versions of agents when Acronis shares the information, estimated to be by the end of November 2023.
If you have further questions or concerns about this vulnerability, contact IONOS Cloud Support.
The Vulnerability Register reports security vulnerabilities affecting IONOS Cloud products and services. The information provided is part of an ongoing effort to help you manage security risks and protect your systems.
| CVE ID | CVSS Base Score | Severity | Is Patch Available | Patch Deployed on and Status | Patch Responsibility |
|---|---|---|---|---|---|
Disclaimer: You will leave our site by clicking on external links. We do not have control over the content or availability of the linked websites, nor do we endorse or guarantee their accuracy, relevance, or completeness. We are not responsible for any issues from accessing or using these external websites, and we recommend reviewing the terms and privacy policies.
We highly recommend using the NIST (National Institute of Standards and Technology) public vulnerability database as an invaluable resource for your security efforts. The NIST public vulnerability database provides comprehensive information on known vulnerabilities, including detailed descriptions, severity ratings, and mitigation strategies.
For third-party dependant assets and services provided by IONOS Cloud, we recommend that you closely monitor the below external resources for the latest security-related information.
| Product | Asset | Vulnerability Register |
|---|---|---|
To stay informed about the latest security vulnerabilities affecting various software, operating systems, and network components, regularly monitoring and referencing the above resources are crucial. By doing so, you can proactively assess and address potential security risks within your infrastructure.
| Product | Asset | Vulnerability Register |
|---|---|---|
Managed Services
Backup Service
No
Not applicable
Not applicable
Managed Services
Acronis Agent for Windows, Linux, and Mac
Yes
No
Will be available in late November
8.8
High
Yes
16.11.2023
IONOS Cloud
9.8
Critical
Yes
06.11.2023
IONOS Cloud
4.7
Medium
Yes
13.10.2023 (Ongoing)
IONOS Cloud
6.6
Medium
No
IONOS Cloud
7.1
High
No
IONOS Cloud
6.5
Medium
Yes
14.08.2023
IONOS Cloud
Images & Snapshots
Windows Images
Images & Snapshots
Ubuntu Images
Images & Snapshots
Debian Images
Images & Snapshots
AlmaLinux Images
Images & Snapshots
Rocky Linux Images
Images & Snapshots
RHEL Images
Images & Snapshots
ClearOS Images
Images & Snapshots
Microsoft SQL Server Images
Managed Kubernetes
Kubernetes resources
Backup Service
Backup Agent
Database as a Service
PostgreSQL resources
Database as a Service
MongoDB resources
On November 14th, 2023, Intel disclosed a vulnerability in its recent computer processor microarchitecture. This vulnerability, known as Redundant REX Prefix, may allow an attacker to confuse the system, resulting in unpredictable behavior. If an attacker successfully exploits this vulnerability, they could crash or hang the target system and, in some scenarios, allow an escalation of privilege, which may allow an attacker to obtain sensitive information from the system. This vulnerability is assigned CVE ID CVE-2023-23583 and has been given a high severity of 8.8 score by Intel.
| Product Ranges | Product | Impacted | Mitigated | Patch Status |
|---|---|---|---|---|
IONOS Cloud is committed to the privacy and security of our customers' data. We have already completed the required steps to mitigate this vulnerability by upgrading the affected systems' firmware. IONOS Cloud owns the patching responsibility, and no action is required from the customer.
If you have further questions or concerns about this vulnerability, contact IONOS Cloud Support.
Compute
Dedicated Core Servers
Yes
Yes
Done
Compute
vCPU Servers
Yes
Yes
Done