Zenbleed incident response and vulnerability mitigation

On 24 July 2023 at 14:28 UTC, a vulnerability known as Zenbleed was made public on the Openwall security mailing list. This vulnerability affects a number of AMD processors present in some—but not all—of our DEV1, GP1, and VC Instance offers. If exploited, the vulnerability could allow data to leak between instances, potentially exposing sensitive data if timed correctly.

Scaleway engaged our incident response process and by 17:20 UTC all affected machines were patched in order to mitigate the vulnerability.

You can check to see if your instance was patched by verifying the output of lscpu from the command line. If the model name is either of “AMD EPYC 7282" or "AMD EPYC 7402P”, you can expect a slight performance impact as a result of the mitigation. Furthermore, AMD have released an official microcode update for the affected processors and we will be applying that update over the course of the day (25 July 2023).

⚠️ Note that it is not possible to know whether the vulnerability was exploited on a given instance. If your instance was patched, we advise you to engage your incident response process—at a minimum, rotate your secrets and keep an eye on your logs and other observability tooling.

If you have further questions or concerns, feel free to open a support ticket or reach out on our public Slack community.