Yesterday, not only a serious vulnerability in AMD’s Zen 2 CPUs was disclosed, but also a very easy-to-use exploit for this vulnerability was published. By exploiting this vulnerability, sensitive data, such as passwords, can be read from other processes and virtual machines running on the same CPU. This makes this vulnerability especially critical for virtualization environments and large multi-user systems (e.g. login nodes / dialogue servers).

As the GWDG currently uses AMD Epyc CPUs with Zen 2 architecture in the OpenStack (GWDG Cloud Server Service) as well as in the VMware environment, we took appropriate countermeasures to secure our environments shortly after the vulnerability became known yesterday.

An intermediate solution was used for the OpenStack environment, which prevents the attack while reducing CPU performance until the microcode update from AMD can be installed in the next few days.

For the VMware environment, the microcode update from AMD was independently applied to the systems, and it was successfully verified that the vulnerability can no longer be exploited. Unfortunately, there are no official updates from VMware yet. As soon as they are available, we will install them.

In both environments, the attack, as published, can no longer be exploited

In the HPC environment, we have also equipped all nodes with Epyc Zen 2 processors of the Scientific Compute Cluster and the NHR systems with the microcode updates.

For a good explanation of the vulnerability, we refer to a blog post by Cloudflare:
https://blog.cloudflare.com/zenbleed-vulnerability/

More technical details of the vulnerability can be found in:

the original publication by Tavis Ormandy:
https://lock.cmpxchg8b.com/zenbleed.html

and the official Advisory of AMD:
https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7008.html