Product Status: L1 Terminal Fault

Google’s Mitigations for L1 Terminal Fault

Overview

This document lists affected Google products and their current status of mitigation against the speculative execution side channel issues known as L1 Terminal Fault (L1TF), described in CVE-2018-3615, CVE-2018-3620, and CVE-2018-3646.

The issue has been addressed in many Google products; many other Google products were (and are) not at risk. In some instances users and customers may need to take additional steps to ensure they’re using a protected version of a product, as detailed below.

This list and a product’s status may change as new developments warrant.

Google Products and Services

Product | User Action Required?

Google Infrastructure

The infrastructure that runs Google products (e.g., Search, YouTube, Google Ads products, Maps, Blogger, and other services) and stores customer data is protected.

No additional user or customer action needed.

Android

Android devices are unlikely to use the specific Intel processors which are impacted and therefore are not at risk.

No additional user or customer action needed.

Google Apps / G Suite

The infrastructure that runs G Suite (e.g., Gmail, Calendar, Drive, Docs, and other G Suite services) is protected.

No additional user or customer action needed.

Google Cloud Platform

See Google Cloud Platform Products and Services, below.

Some GCP products will require user action. See Google Cloud Platform Products and Services below.

Google Chrome Browser

The Google Chrome Browser is not at risk from this attack.

No additional user or customer action needed.

Google Chrome OS (Chromebooks, etc.)

The vast majority of Chrome OS users are unaffected because Chrome OS currently uses virtualization only for running Linux App Containers (aka Termina), which is under development and only available in Beta, Dev, and Canary update channels of Chrome OS.

To check the update status for your specific model, see this page.

Users who don't use the Linux apps feature don't need to take action at this point.

Beta, Dev, and Canary users concerned about the attack may temporarily stop using Linux App Containers.

Beta, Dev, and Canary users will receive updates as soon as possible through the auto-update mechanism. The status page will be updated to reflect when fixes are available.

Chrome OS 69 Stable will ship with all necessary fixes for safe usage of Linux App Containers.

Google Search Appliance

Google Search Appliance runs only trusted code from Google and is not at risk.

No additional user or customer action needed.

Google Wifi / OnHub

Google Wifi and OnHub run only trusted code from Google and are not at risk.

No additional user or customer action needed.

Google Cloud Platform Products and Services

Product | User Action Required?

Google Cloud Infrastructure

The infrastructure that runs Google Cloud products and isolates customer workloads from each other is protected.

No additional user or customer action needed to protect Google’s Cloud Infrastructure.

For some Cloud products, customers may need to patch their runtime environments; see product-specific entries below for guidance.

Google App Engine

The infrastructure that runs Google App Engine and isolates customer runtime environments from each other is not at risk.

No additional user or customer action needed.

Google App Engine Flexible Environments

The infrastructure that runs Google App Engine Flexible Environments isolates customer runtime environments from each other and is protected against known attacks from outside the customer’s VM.

Google App Engine Flexible Environment customers running multi-tenant workloads on a single Flex instance may be vulnerable. In this environment, it may be possible for one tenant to observe the memory of other tenants or the guest operating system itself.

For most Google App Engine Flexible customers, no additional action is required.

Customers running multi-tenant workloads on the same Flex instance will need to redeploy their Flex application to pick up a patched guest image. Flex applications may manually redeploy any time after 2018-08-27 to pick up a patched guest image. Flex customers may also wait for the next regular weekly restart to pick up a patched guest image automatically.

Google Cloud Composer

The infrastructure that runs Google Cloud Composer and isolates customer workloads from each other is protected against known attacks.

Cloud Composer customers who run additional untrusted software on the GKE Clusters managed by Cloud Composer may be vulnerable. In this environment, it may be possible for a malicious binary to observe the memory of the other containers running on the same GKE Node or for the malicious binary to observe the memory of the GKE Node environment itself.

Google will automatically start patching all Cloud Composer GKE Clusters starting the week of 2018-08-13.

For most Cloud Composer customers, no additional action is needed.

Cloud Composer customers who run additional untrusted software on the GKE Clusters managed by Cloud Composer should consider manually upgrading their Composer GKE Clusters as soon as the Kubernetes Engine patch becomes available the week of 2018-08-13, rather than waiting for Google's automatic updates to patch these GKE Clusters.

Google Cloud Dataflow

The infrastructure that runs Google Cloud Dataflow and isolates customer workloads from each other is protected against known attacks.

Cloud Dataflow customers who run additional untrusted software on the Compute Engine VMs managed by Dataflow may be vulnerable. In this environment, it may be possible for a malicious binary to observe the memory of the other processes running on the same VM or for the malicious binary to observe the memory of the guest operating system.

The Cloud Dataflow worker VM image will be updated to the patched version when it becomes available starting 2018-08-20.

Cloud Dataflow customers who run additional untrusted software on the Compute Engine VMs managed by Dataflow, or who are otherwise concerned about intra-guest attacks, should consider updating any streaming pipelines that were launched before 2018-08-20 and are currently running, and restarting any batch pipelines that were launched before 2018-08-20. Pipelines launched after 2018-08-20 will be protected.

In cases where updating the streaming pipelines is not possible, Cloud Dataflow customers can drain the pipelines and restart them.

Google Cloud Dataproc

The infrastructure that runs Google Cloud Dataproc clusters and isolates customer workloads from each other is protected against known attacks.

Cloud Dataproc customers who run multiple, untrusted workloads on the same Cloud Dataproc cluster are vulnerable. In this environment, it may be possible for a malicious workload to observe the memory of the other workloads running on the same VM or for the malicious workload to observe the memory of the guest operating system.

Cloud Dataproc customers who run multiple, untrusted workloads on the same Cloud Dataproc cluster should update these shared clusters to patched images. Customers should subscribe to Dataproc release notes to get notified when patched images are available.

For customers who deploy ephemeral Dataproc clusters on-demand, using the default latest image or specifying a <major>.<minor> image version, new cluster deployments will automatically use the newest patched images as soon as they become available, and no additional customer action is needed.

Customers who have long-lived Dataproc clusters or pin to a specific <major>.<minor>.<patch> version number should unpin and/or redeploy to use the latest patched images.

Google Cloud Functions

The infrastructure that runs Google Cloud Functions and isolates customer execution environments from each other is not at risk.

No additional user or customer action is required.

Google Cloud SQL

The infrastructure that runs Google Cloud SQL and isolates database instances from each other is protected against known attacks.

No additional user or customer action is required.

Google Compute Engine

The infrastructure that runs Compute Engine and isolates customer workloads from each other is protected against known attacks.

Compute Engine customers running multi-tenant workloads on a single VM may be vulnerable. In this environment, it may be possible for one tenant to observe the memory of other tenants or the guest operating system itself.

Compute Engine customers running multi-tenant workloads on the same VM should prioritize patching those environments, but as always, all Compute Engine customers are encouraged to follow security best practices when it comes to keeping runtime environments patched and protected against known security vulnerabilities.

See the Compute Engine security bulletin page for guidance on updating your Compute Engine VMs, the list of patched image versions, and links to additional information from operating system providers.
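The entries above for Compute Engine (and likewise Dataproc, Dataflow and GKE nodes) leave the guest image to the customer. The following script is an added example, not part of this status page or of Google's own tooling: it reads the Linux kernel's own L1TF self-report, which kernels carrying the L1TF fixes expose under /sys/devices/system/cpu/vulnerabilities/l1tf (a file that is absent on kernels predating those fixes), and turns it into a pass/fail verdict that can be run across a fleet of guests. The wording patterns follow the kernel's documented report strings; the path and the exit-code convention are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the status page): guest-side L1TF patch check.
# Assumption: kernels with the L1TF fixes report their state at this path;
# older kernels have no such file, which we treat as "not patched".
L1TF_SYSFS=/sys/devices/system/cpu/vulnerabilities/l1tf

# classify_l1tf TEXT
#   Maps one line of sysfs output to a single word. Patterns follow the
#   kernel's report wording ("Not affected", "Mitigation: ...", "Vulnerable").
classify_l1tf() {
  case "$1" in
    "Not affected"*)                echo notaffected ;;
    Mitigation:*"VMX: vulnerable"*) echo vmx-vulnerable ;;  # guest protected, but any nested VMs it hosts are not
    Mitigation:*)                   echo mitigated ;;
    Vulnerable*)                    echo vulnerable ;;
    "")                             echo missing ;;         # no report at all: kernel predates the fix
    *)                              echo unknown ;;         # unrecognised wording, review by hand
  esac
}

# l1tf_needs_action TEXT
#   Exit 0 when the guest still needs attention, 1 when it is fine.
#   vmx-vulnerable is flagged conservatively; it only matters if the
#   guest itself runs nested virtual machines.
l1tf_needs_action() {
  case "$(classify_l1tf "$1")" in
    notaffected|mitigated) return 1 ;;
    *)                     return 0 ;;
  esac
}

# check_l1tf_host
#   Reads the live sysfs file (if present), prints a verdict, and returns
#   non-zero when action is needed so the script can feed fleet tooling.
check_l1tf_host() {
  if [ -r "$L1TF_SYSFS" ]; then
    text=$(cat "$L1TF_SYSFS")
  else
    text=""
  fi
  status=$(classify_l1tf "$text")
  echo "l1tf: ${status} (${text:-no sysfs report})"
  if l1tf_needs_action "$text"; then
    echo "action: update the guest kernel/image per your OS vendor's L1TF guidance" >&2
    return 1
  fi
  return 0
}

# Run the live check when executed directly; set L1TF_SKIP_LIVE=1 to only
# load the functions (e.g. when sourcing this file from another script).
if [ "${L1TF_SKIP_LIVE:-0}" != 1 ]; then
  if check_l1tf_host; then L1TF_RC=0; else L1TF_RC=1; fi
fi
```

A "Mitigation: PTE Inversion" report means the guest kernel itself carries the fix that protects processes in that guest from one another, which is the scenario the Compute Engine entry describes; the VMX portion of the string only concerns hypervisors, so on a plain guest it can be ignored. A missing file is the more common failure mode in practice, since it indicates an image old enough to predate the reporting interface.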

Google Kubernetes Engine

The infrastructure that runs Kubernetes Engine and isolates customer Clusters and Nodes from each other is protected against known attacks.

Kubernetes Engine customers running containers from different customers on the same GKE Node are vulnerable. In this environment, it may be possible for one container to observe the memory of other containers on the same Node or the Node environment itself.

Kubernetes Engine customers running containers from different customers on the same GKE Node should prioritize updating those environments.

Kubernetes Engine customers who use our Container-Optimized OS image, and who have autoupgrade enabled, will be automatically updated to patched versions of our COS image as they become available starting the week of 2018-08-20.

Kubernetes Engine customers who do not have autoupgrade enabled should consider manually upgrading as patched versions of our COS image become available.

See the Kubernetes Engine security bulletin for additional information.

Published on August 14, 2018

Update log:

2018-08-20: Redeployment date for Flex applications changed from 2018-08-21 to 2018-08-27.