L1 Terminal Fault (L1TF), a.k.a. Foreshadow

Table of Contents
Is your VM at risk?
What should you do?
What does SURFsara do?
Security maintenance downtime
Background information

Is your VM at risk?

Yes, because currently, the hosts in the HPC Cloud are not yet patched.

Your application, the VM, runs in a virtualised environment alongside VMs from other users. These other VMs might, with malicious software, try to read parts of your VM’s memory that might contain sensitive information.

Exception: In case a HPC Cloud host server is assigned exclusively to your project, your VMs are the only ones on it. This reduces the risk of malicious software dramatically.

We are waiting for the latest patches to settle down and plan a maintenance window.

If you need more information or help assessing the risk for your VMs, please write to the helpdesk@surfsara.nl.

What should you do?

What does SURFsara do?

SURFsara follows the developments closely. We expect more updates to become available in the coming weeks.

The HPC Cloud and all its VMs will have to go down to install the expected security update.

Security maintenance downtime

We will have to bring all VMs in the HPC Cloud down to install the security updates on our hosts. A downtime has been planned on 11 and 12 December 2018. You shall receive notifications regarding this.


What is L1 Terminal Fault (L1TF), a.k.a. Foreshadow?

“L1 Terminal Fault” is a bug in Intel CPUs that may disclose data to attackers, possibly containing passwords or other information that should be kept secret. These bugs are not in the operating system, but in the CPU itself. This implies that all operating systems are vulnerable, including your PC. Note that the bug is currently only known to exist in Intel processors.

Some mitigations are available for BIOS and operating systems.


Complete mitigation of the L1 Terminal Fault requires three changes:

Each of these changes independently provides some protection against different parts of an attack.

Additional (technical) resources: