Product Status: CPU Speculative Execution Attack Methods

Google’s Mitigations Against CPU Speculative Execution Attack Methods

Overview

This document lists affected Google products and their current status of mitigation against CPU speculative execution attack methods. Mitigation Status refers to our mitigation for currently known vectors for exploiting the flaw described in CVE-2017-5715CVE-2017-5753, CVE-2017-5754, CVE-2018-3639CVE-2018-3640CVE-2018-3665, and CVE-2018-3693.

The issue has been mitigated in many Google products (or wasn’t an issue in the first place). In some instances users and customers may need to take additional steps to ensure they’re using a protected version of a product, as detailed below.

This list and a product’s status may change as new developments warrant.

Google Products and Services

Product Mitigation Status

Google Infrastructure

The infrastructure that runs Google products (e.g., Search, YouTube, Google Ads products, Maps, Blogger, and other services), and the customer data held by Google, are  protected.

No additional user or customer action needed.

Android

On the Android platform, exploitation has been shown to be difficult and limited on the majority of Android devices.

The Android 2018-01-05 Security Patch Level (SPL) includes mitigations reducing access to high precision timers that limit attacks on all known variants on ARM processors.

The Android 2018-05-05 Security Patch Level (SPL) includes Kernel Page Table Isolation (KPTI).

Future Android security updates will include additional mitigations. These changes are part of upstream Linux.

Timing mitigation for ARM processors included in the 2018-01-05 SPL as CVE-2017-13218.

Kernel Page Table Isolation (KPTI) included in the 2018-05-05 SPL as CVE-2017-5754.

Google Apps / G Suite

The infrastructure that runs G Suite (e.g., Gmail, Calendar, Drive, Docs, and other G Suite services) is protected.

No additional user or customer action needed.

Google Chrome Browser

Current versions of Chrome include mitigations to protect against exploitation​ Learn more about Chrome's response.

Chrome also provides an optional feature called Site Isolation which can be enabled to provide additional protection by isolating websites into separate address spaces. Learn more about Site Isolation and how to take action to enable it. A future version of Chrome will enable Site Isolation by default.

Desktop (all platforms), Chrome 63 and later:

  • Full Site Isolation can be turned on by enabling a flag found at  chrome://flags/#enable-site-per-process.
  • Enterprise policies are available to turn on Site Isolation for all sites, or just those in a specified list. Learn more about Site Isolation by policy.

Android:

  • Site Isolation is available in chrome://flags but may have additional functionality and performance issues.

iOS:

  • Chrome on iOS uses Apple’s WKWebView, so JS compilation mitigations are inherited from Apple.

Google Chrome OS (Chromebooks, etc.)

Chrome on Chrome OS includes the Chrome browser mitigations mentioned above, including Site Isolation.

OS versions prior to 63 are not patched. To check the update status for your specific model, see this page. Chrome OS systems started receiving version 63 on 2017-12-15.

Chromebox for Meetings devices run only trusted code from Google and are not at risk from this attack.

Kernels for Intel Chrome OS devices are patched with Kernel Page Table Isolation (KPTI) as follows:

  • 3.18 and 4.4 - Chrome OS 63 and above
  • 3.14 - Chrome OS 65 and above
  • 3.8 - Chrome OS 66 and above

Known Meltdown attacks do not affect existing ARM Chrome OS devices, but these devices will also be patched with KPTI in a future release.

Google Cloud Platforms

See Google Cloud Platform Products and Services, below.

 

Google Home / Chromecast

Google Home and Chromecast run only trusted code from Google and are not at risk from this attack.

Currently known attacks do not affect this platform.

Google Search Appliance

Google Search Appliances run only trusted code from Google and are not at risk from this attack.

Currently known attacks do not affect this platform.

Google Wifi / OnHub

Google Wifi and OnHub wireless routers run only trusted code from Google and are not at risk from this attack.

Currently known attacks do not affect this platform.

Google Cloud Platform Products and Services

Product Mitigation Status

Google Cloud Infrastructure

The infrastructure that runs Google Cloud products and isolates customer workloads from each other is protected. Some Cloud products require that customers also patch/update their runtime environments and applications. See the product-specific entries below for details.

No additional user or customer action needed.

Google App Engine

The infrastructure that runs Google App Engine and isolates customer workloads from each other is protected against known attacks for all three variants. There is no additional customer action needed.

No additional user or customer action needed.

Google Cloud Dataflow

The infrastructure that runs Google Cloud Dataflow and isolates customer workloads from each other is protected against known attacks for all three variants.

If Cloud Dataflow customers run additional untrusted software on the Compute Engine VMs run by Dataflow or are otherwise concerned about intra-guest attacks, they should  update any streaming pipelines that were launched before 2018-01-05 and are currently running, and restart any batch pipelines that were launched before 2018-01-05. Pipelines launched after 2018-01-05 will be protected. 

In cases where updating the streaming pipelines is not possible, Cloud Dataflow customers can drain the pipelines and restart them.

Infrastructure patched against known attacks. Customers must patch/update guest environment.

Google Cloud Datalab

Google Cloud Datalab runs on Google Compute Engine which isolates customer workloads from each other is protected against known attacks for all three variants. This also means that customer VMs are protected against known, infrastructure-based attacks from other malicious VMs. Customers must update their instances to protect from intra-guest attacks.

Any new Datalab VM instances created using the Datalab CLI tool will automatically use the latest and patched guest images.

Customers with CPU instances older than 2017-12-08 should consider recreating their instances to automatically pick up the newer patched images.

Customers with GPU instances (which use Ubuntu 16.04) should read our Security Bulletins page for more information on OS provider patch status, and patched image versions.

Infrastructure patched against known attacks. Customers must patch/update guest environment.

Google Cloud Dataproc

The infrastructure that runs Google Cloud Dataproc and isolates customer workloads from each other is protected against known attacks for all three variants. 

Cloud Dataproc customers who run multiple, untrusted workloads on the same Cloud Dataproc cluster should update these shared clusters to patched images as they become available.

Customers who deploy ephemeral Dataproc clusters on-demand using the default latest image or specifying a <major>.<minor> image version, new cluster deployments will automatically use the newest patched images as soon as they become available, and no customer action is needed

Customers who have long-lived Dataproc clusters or pin to a specific <major>.<minor>.<patch> version number, should subscribe to Dataproc release notes to receive ongoing information about patches as they become available, possibly over the course of multiple patch versions. Customers should then unpin and/or redeploy to use the latest patch versions as soon as they become available.

Infrastructure patched against known attacks. Customers must patch / update guest environment.

Google Cloud Functions

The infrastructure that runs Google Cloud Functions and isolates customer workloads from each other is protected against known attacks for all three variants. There is no additional customer action needed.

Patched against known attacks.

Google Cloud Launcher

The infrastructure that runs Google Cloud Launcher solutions and isolates customer workloads from each other is protected against known attacks for all three variants. 

Cloud Launcher customers with currently-running images must update them with the appropriate vendor operating system mitigations as they are made available. Further information can be found in the Google Compute Engine Security Bulletin.

Google is actively working with our technology partners to ensure that all Cloud Launcher solutions are updated to use patched/protected images and guest environments as the updated versions are made available by our various providers.
 

Infrastructure patched against known attacks; customers must patch/update guest environment.

Read the Google Compute Engine Security Bulletins page for more information on OS provider patch status, patched image versions, and instructions for patching/updating your guest environments.

Google Cloud Machine Learning Engine

The infrastructure that runs Google Cloud Machine Learning Engine and isolates customer workloads from each other is protected against known attacks.

Cloud ML Engine customers with active training jobs should consider restarting the jobs once the patched guest images are available.

Cloud ML Engine customers should subscribe to the Cloud ML Engine release notes to receive ongoing information about patched images as they become available.

Infrastructure patched against known attacks; customers must patch/update guest environment.

Google Compute Engine

The infrastructure that runs Compute Engine and isolates customer workloads from each other is protected against known attacks. This also means that customer VMs are protected against known, infrastructure-based attacks from other malicious VMs.

Compute Engine customers must update their virtual machine operating systems and applications so that their virtual machines are protected from intra-guest attacks.

Compute Engine customers should work with their operating system provider(s) to download and install the necessary patches.

Read our Security Bulletins page for more information on OS provider patch status, patched image versions, and instructions for patching/updating your guest environments.

We will continually update our Security Bulletins page with the list of patched image versions as they become available.

The following Cloud products and services built on Compute Engine are already protected against known infrastructure-based attacks from other malicious VMs. Google will additionally be updating the operating systems running in the VMs to mitigate additional intra-guest attacks, though the risk of such attacks is greatly reduced as these products are typically used for single tenant workloads or only provide access to specific services on the VM:

  • App Engine flexible environment
  • Cloud Shell

Infrastructure patched against known attacks. Customers must patch/update guest environment.

Read our Security Bulletins page for more information on OS provider patch status, patched image versions, and instructions for patching/updating your guest environments.

Google Kubernetes Engine:

The infrastructure that runs Google Kubernetes Engine and isolates customer workloads from each other is protected against known attacks for all three variants.

Kubernetes Engine customers must update their runtime environments so that applications within each runtime environment are protected from each other.

Google Kubernetes Engine customers who use our Container-Optimized OS image, and who have autoupgrade enabled, will be updated to patched versions of our COS image as they become available. The COS images for 1.6.13-gke.1, 1.7.11-gke.1, 1.8.4-gke.1, and newer, have been patched for variants 1 and 3. Variant 2 patches are in development and are expected to be released in early March.

If you do not have autoupgrade enabled, you must manually upgrade instead. 

Patches for Ubuntu images are being validated and are expected  to be released by 2018-01-09. For more information, see Ubuntu’s blog post.

Patched for infrastructure; Google will automatically upgrade clusters that have autoupgrade enabled as any additional patches are released. Other customers must manually upgrade their clusters.

 

Published on January 3, 2018

Update log:

2018-01-18: Reference to Cloud SQL removed from GCE section - Cloud  SQL completed all guest OS rollouts with the fix as of 2018-01-09.

2018-01-08: Clarified ChromeOS status by recommending all users check status for their devices.

2018-01-08: Added statement about Google Search Appliance.

2018-01-05: Updated mitigation instructions for Cloud Dataflow customers, based on the statement from Google Compute Engine.

2018-01-05: GKE - Updated with timeline for patches from Ubuntu.

2018-01-05: Added statement about Chromebox for Meetings.

2018-01-04: GKE - spell out Container-Optimized OS image

2018-01-04: Clarified status of Cloud products running on Compute Engine.

2018-01-04: Removed incorrect statement about inter-VM attack/risk for Google Compute Engine and Cloud Datalab.

2018-01-03: GKE - Ubuntu patches

2018-05-21: Added references to CVEs 2018-3639 and 2018-3640 to Overview. Refreshed Android, Chrome, and Chrome OS sections.

2018-06-13: Added reference to CVE-2018-3665.

2018-07-10: Added reference to CVE-2018-3693.

Was this helpful?

How can we improve it?
false
Google apps
Main menu
1829685668905095486
true
Search Help Center
true
true
true
true
true
5016068
false
false