A serious vulnerability has been discovered by Google security researcher Tavis Ormandy in AMD’s Zen 2 processors and was made public yesterday. The vulnerability is now known as Zenbleed and has been designated CVE-2023-20593.
The vulnerability affects all processors from AMD’s Zen 2 product line, including AMD’s EPYC (“Rome”) data center processors. It exploits the ability to steal sensitive information stored on the processor, such as encryption keys and login credentials. Moreover, the attack can be carried out remotely through JavaScript on a website, which means that an attacker does not need physical access to the affected computer or server. This makes the vulnerability even more serious.
Many of our servers use AMD processors. We have taken immediate action to minimize the risk of the vulnerability being exploited. As the vulnerability was previously reported to AMD, they already have a microcode update that fixes the vulnerability. All our potentially affected and vulnerable servers have been updated.
To date, we have not observed any signs of the vulnerability being actively exploited. We continue to monitor the situation closely to ensure that your data and the security of all customers is protected.