Several recent Linux kernel vulnerabilities have required a swift response from infrastructure operators.

Among them, Copy Fail and Dirty Frag drew attention because they involve local privilege escalation scenarios. Copy Fail is tracked as CVE-2026-31431.

Dirty Frag covers two distinct vulnerabilities, CVE-2026-43284 and CVE-2026-43500, tied to Linux kernel components.

At Clever Cloud, we treated these vulnerabilities as critical infrastructure matters. Our goal was twofold: quickly shrink the exposure window, then sustainably improve our kernel selection and deployment process.

This article reviews our approach, the decisions made, and the changes brought to our operations pipeline

Why these vulnerabilities called for a fast response

Copy Fail and Dirty Frag belong to the family of local privilege escalation vulnerabilities. In this type of scenario, an attacker must already be able to execute code locally, but can then attempt to gain higher privileges on the affected machine.

Dirty Frag rests on two Linux kernel flaws.

They notably affect modules related to ESP, used by IPsec, and to RxRPC. On a cloud platform, this type of vulnerability calls for a rapid analysis. The risk is not limited to a single isolated machine.

Scenarios tied to shared environments, containerized workloads, and isolation mechanisms must also be assessed.

What we verified

We analyzed the potential impact of these vulnerabilities on our environments. This step is not just about reading security advisories. It also involves verifying whether a theoretical scenario can become relevant in our operating context.

In the case of Copy Fail, the flaw came under embargo together with its patch. We published a new system image with the patch applied in the days that followed.

Our customers' applications were redeployed shortly after.

In the case of Dirty Frag, our internal analyses confirmed that these vulnerabilities had to be taken seriously. ESP modules are enabled in our kernels to support some specific customer needs. Fortunately, RxRPC-related modules are not present in our environment, as they serve no purpose for our usage.

We do not detail the technical steps of the exploitation here, since the purpose of this article is to inform our customers, not to publish a reproducible procedure.

This validation confirmed the operational decision: handle the matter immediately, reduce the exposed surface, then force the necessary redeployments.

Our operational response

Rolling out immediate measures

We first applied quick measures on the affected kernels. In the case of Dirty Frag, the publicly recommended measures focus in particular on the kernel components related to ESP and RxRPC.

On Clever Cloud's side, the goal was clear: reduce the identified exposed surfaces and shrink the exposure window without waiting for a standard maintenance cycle.

Redeploying the affected workloads

A kernel update only matters if the affected systems actually restart on a patched environment. We therefore launched a progressive redeployment of applications, then handled the cases that blocked this redeployment.

This phase matters. On a managed platform, the fix is not limited to producing an image or compiling a kernel. The execution chain must also actually use the expected version.

Improving the process along the way

We also took advantage of this sequence to replace a temporary mechanism with a cleaner integration into our orchestration pipeline.

Concretely, the kernel choice is now passed more explicitly through our internal pipeline, all the way to Supernova, our hypervisor agent. This evolution replaces the stiffer workaround put in place in the heat of the moment.

That is the central point of this intervention: fix fast, then make the fix more reliable for future operations.

What this changes for Clever Cloud customers

For customers, the expected effect is simple: reduce exposure without any manual action on their part whenever the platform can handle the redeployment.

Clever Cloud runs an architecture that relies in particular on isolation through virtualization. This approach is documented on our security pages and in our technical content on running containers inside virtual machines. It does not eliminate every risk, but it limits certain lateral movement scenarios compared to models where multiple workloads share the same execution environment directly.

We avoid, however, presenting this isolation as an absolute guarantee. A kernel vulnerability must always be taken seriously.

That is why we combined mitigation, redeployment, and improvement of our operations pipeline.

What we take away

This sequence confirms three principles.

First, a kernel vulnerability must be analyzed in its actual operating context. A public alert is not enough. We need to understand whether the conditions required for exploitation can exist on the platform.

Second, reaction speed matters. The Copy Fail and Dirty Frag vulnerabilities were disclosed publicly within a few days of each other, with analyses published by several players in the Linux and cloud ecosystem.

Finally, a useful security response must not only fix the problem of the moment. It must also improve the system that will handle the next incident.

That is what we did here: handled the vulnerabilities, shrank the exposure window, and strengthened our kernel management process.

Q&A

What is a local kernel vulnerability?

A local kernel vulnerability is a flaw that already requires execution capability on the affected machine. It can then allow gaining higher privileges, such as root, if the kernel is vulnerable.

Why do these flaws concern cloud platforms?

Cloud platforms run many workloads with isolation mechanisms. A kernel flaw can become critical if it allows crossing certain boundaries between processes, containers, or execution environments.

Are Dirty Frag and Copy Fail the same vulnerability?

No. Copy Fail is tracked as CVE-2026-31431. Dirty Frag covers CVE-2026-43284 and CVE-2026-43500. These vulnerabilities are close in impact, but they are distinct.

What action is required from Clever Cloud customers?

No general action is required from customers for environments handled by the platform. The automation brought by Clever Cloud allowed everything to be updated without action needed. Specific cases are tracked individually.

What is happening?

We have recently been made aware of fraudulent schemes where individuals impersonate Clever Cloud to deceive job seekers and freelancers. These scams typically involve fake job offers for tasks such as "APP data integration" or "internet rating optimization." Victims are often instructed to:

• Perform tasks that require upfront deposits or “recharge funds” via cryptocurrency;
• Send unsolicited communications through unusual channels such as WhatsApp or Telegram;
• Trust fabricated documents falsely claiming to be signed by Clever Cloud executives.

These activities are entirely fraudulent and have no connection to Clever Cloud. We do not operate or endorse any such recruitment processes or payment methods.

Key red flags

1. Fake websites and domains: in order to impersonate Clever Cloud, scammers have used URLs like the ones below (we voluntarily use brackets to not reference their website and avoid increased number of victims):

• `clever-cloudus[.]com`
• `cc1-works[.]net`
• `cc-works[.]tech`
• `ccu1-works[.]net`
• `ccs2-works[.]net`
• `vc3-works[.]net`
• and other similar patterns;

2. Cryptocurrency payments: Clever Cloud does not request payments or deposits in cryptocurrency for any services or tasks;
3. Unauthorized communication channels: Official communications from Clever Cloud are always conducted through our verified email domains (e.g., `@clever-cloud.com`). We do not use WhatsApp or Telegram for recruitment;
4. Unrealistic job offers: Claims of easy profits from simple tasks are a hallmark of these scams.
   

How we are taking action

• Legal measures: We have filed complaints with relevant authorities and are working with International Cybersecurity professionals to track and shut down these operations;
• Domain monitoring: We are actively identifying and reporting fraudulent domains to hosting providers to have them deactivated;
• Victim support: If you believe you’ve been targeted, we encourage you to file a report with local law enforcement and share any relevant information with us through our support team at support@clever-cloud.com.
  

Clever Cloud WhatsApp recruitment: stay safe

We reiterate that Clever Cloud does not use WhatsApp for recruitment. If you see offers claiming otherwise, report them immediately. Scammers may exploit terms like "WhatsApp recruitment" or "APP data integration" to lure victims, so remain cautious.

How You Can Protect Yourself

1. Verify job offers: Always confirm the legitimacy of job offers by contacting the recruiting company directly through its website. For us, you should go to clever-cloud.com;
2. Avoid cryptocurrency transactions: Be cautious of any request for cryptocurrency payments—this is a common tactic used by scammers;
3. Report suspicious activity: If you encounter a scam using our name, report it immediately via platforms like the Phishing web page of the FTC, the Phishing Initiative, international Cybersecurity platform like Netcraft or your National fraud reporting service;
4. Educate yourself: Familiarize yourself with common scam tactics. Resources like the FTC’s Task Scams Alert provide valuable insights.

Our official channels

To ensure you’re interacting with the legitimate Clever Cloud, only trust information and communication from:

• Website: https://www.clever.cloud;
• Email: All official emails will come from the domain `@clever-cloud.com`;
• Support: Contact us directly at support@clever-cloud.com for any inquiries or doubts about suspicious activities.

Final thoughts

We are deeply concerned about the impact these scams may have on targeted individuals. Protecting your trust and our reputation is a top priority. If you come across any fraudulent activity involving Clever Cloud, please reach out to our team. Together, we can help put an end to these deceptive practices.

Stay vigilant, and thank you for supporting Clever Cloud as we continue to deliver secure and innovative cloud solutions.

Cédric Biron — Chief Operating Officer at Clever Cloud

Opting for a French cloud means opting for local, sovereign management of your data while benefiting from a high-performance infrastructure. But first, let's define what a French cloud is.

What is a French cloud?

A French cloud is a data hosting and management service based in France. It relies on infrastructures located in France and managed by companies governed by French law. This guarantees that the data complies with French and European legislation, particularly in terms of personal data protection (GDPR).

This model ensures the strategic independence and autonomy of data from foreign players, and responds to growing concerns about security and digital sovereignty.

Companies and organisations choosing a French sovereign cloud therefore benefit from total control over their data, as well as a service that is often local and responsive.

Clever Cloud's definition of a sovereign cloud

It is important to note that everyone creates their own definition and that the criteria can vary according to interpretation. At Clever Cloud, we define the sovereign cloud in terms of two major issues: protection against extraterritorial laws and the assurance of sustainable technological autonomy.

A sovereign cloud guarantees that data is not subject to foreign laws, such as the FISA Act, which gives the US government the right to inspect all data hosted by a US organisation. But it must also prevent any risk of technological lock-in. This means offering users freedom of choice and complete control over their tools and infrastructures, to avoid critical situations such as that posed by VMware's new pricing policy following its acquisition of Broadcom.

A French PaaS like Clever Cloud goes beyond simple hosting in France. It offers ready-to-use solutions for developing, deploying and managing applications in complete autonomy, all on a controlled technical stack.

The advantages of a French cloud for businesses

Security and data protection

Choosing a French or European cloud guarantees rigorous management of sensitive data. Data centres located in France comply with regulations such as the GDPR. With a French sovereign cloud, your information remains under local control, limiting foreign interference.

Compliance with French and European standards

The French cloud is subject to the GDPR, which imposes strict rules on the management of personal data. Failure to comply with these requirements can result in financial penalties and damage to a company's reputation. Local suppliers therefore offer total transparency on data processing. This approach inspires confidence and ensures a high level of compliance, while simplifying regulatory audits.

What's more, French cloud providers have to meet a number of requirements to host certain types of data, such as healthcare data, where they need to obtain Health Data Hosting (HDH) certification. 

Local servers and support for greater performance and responsiveness

Servers located in France offer lower latency and optimised response times for end users, thanks to their geographical proximity. This means a smoother user experience and reduced latency for your applications.

What's more, French suppliers almost always offer local technical support, capable of responding effectively to your needs. This proximity simplifies communication in the same language and speeds up problem resolution.

Why opt for a sovereign French cloud?

Geographical control of data

If you make this choice, the French cloud guarantees that your data will be hosted in France. With Clever Cloud, you choose the infrastructure where your data is hosted. So you really know where your data is stored and what level of certification you have.

Guaranteed confidentiality in the face of FISA and other extraterritorial laws

Unlike non-European suppliers subject to extraterritorial laws such as FISA, the Cloud Act or the Patriot Act, the sovereign cloud guarantees the strategic autonomy of your data. These laws allow the American authorities to access sensitive information, even if it is hosted outside the United States.

• The Cloud Act obliges US cloud service providers to provide data stored abroad if they receive an official request;
• The Patriot Act authorises access to data as part of investigations into criminal acts, often linked to terrorism;
• The FISA (Foreign Intelligence Surveillance Act) goes even further: it allows the US authorities to monitor and collect data without the intervention of the service provider, simply by accessing communication flows directly.

By opting for a French PaaS like Clever Cloud, there's no risk of interference: you retain the confidentiality and strategic autonomy of your data, and that's that.

Securing and developing the local economy with a sovereign cloud

Adopting a French sovereign cloud helps to strengthen the local economy, while being part of a European dynamic. The Draghi Report, commissioned by the European Union, highlights the strategic importance of investing in sovereign digital infrastructures to reduce technological dependency and guarantee sustainable competitiveness.

By favouring local players, such as the French cloud, companies are not only supporting the creation of a competitive ecosystem, but also promoting economic growth, the generation of skilled jobs and technological independence on a national and European scale.

Preserve and develop strategic skills

Supporting local cloud players not only has an impact on the economy, but also ensures that skills are maintained over the long term. By choosing a foreign cloud, investment leaves the country, weakening national or European industries: talent loses their jobs, moves to other sectors, and essential skills disappear. A phenomenon not unlike the shortage of masks in France during the COVID-19 pandemic. By relying heavily on imports, the country found itself vulnerable, unable to meet urgent and critical demand - a perfect illustration of the dangers and consequences of losing sovereignty in strategic sectors.

Conversely, investing in a French PaaS guarantees a stake in the country's economy, enabling it to retain its talents, train new ones, meet growing demand and invest in research and development. This virtuous circle secures essential strategic know-how and avoids any critical technological dependency.

H2: How do you choose your French cloud provider?

H3: Selection criteria for a sovereign cloud

First and foremost, it is crucial to ensure that the cloud provider you select genuinely meets the criteria of sovereignty. This means that it must be French and governed by French law, thereby guaranteeing total protection against foreign extraterritorial laws.

Once these criteria have been validated, you can assess your specific needs. IaaS (Infrastructure as a Service) solutions offer flexible management of physical resources, ideal for applications requiring granular control. Conversely, PaaS (Platform as a Service) solutions allow you to concentrate on application development and maintenance by delegating infrastructure management. The choice depends on your operating model and in-house technical resources. But be sure to favour modular offerings (private, hybrid or public cloud) for optimum adaptability to your changing needs.

Certifications and security standards: a priority at Clever Cloud

Certifications are an essential criterion for assessing the reliability of a French cloud provider. At Clever Cloud, security is a priority right from the design stage (security by design). We comply with the strictest standards, including HDH and  ISO 27001 certification, and are working towards SecNumCloud, which guarantees the reliability and security of our services. 

Customer data is hosted in France or, if you wish, elsewhere in the world, but always in areas protected from extraterritorial laws, in data centres that meet our requirements. Our approach is based on advanced practices such as data encryption, proactive monitoring and an immutable infrastructure, reducing the risks associated with vulnerabilities.

Choosing a provider committed to open source

Opting for a cloud provider committed to open source, like Clever Cloud, offers the advantages of technological independence and technological autonomy. The majority of our solutions are based on recognised open source tools, offering transparency, interoperability and reliability to our customers.

By actively supporting open source projects, Clever Cloud encourages ongoing collaboration and invests in the European technology ecosystem. It also guarantees in-depth mastery of the technologies used. Our contributions include major technical projects such as Sōzu, a high-performance HTTP reverse proxy in Rust, Biscuit, an authentication token for microservices; but also structuring projects such as Exherbo or Warp 10.

At Clever Cloud, open source is more than just a philosophy. It's a strategic pillar for guaranteeing that our customers are not locked into technology and that their infrastructures are resilient.

A cloud with a strong ecosystem

Choosing the right cloud also means relying on its dedicated marketplace for easy access to turnkey solutions designed to meet your specific needs. An approach designed to facilitate the adoption and integration of technologies into your projects without requiring advanced technical skills.

Clever Cloud offers a wide range of add-ons, such as our Keycloak as a Service for identity management (IAM) or Azimutt for exploring your databases. These services integrate directly into your applications and are hosted on a sovereign French cloud, guaranteeing data compliance.

French cloud: testimonials and feedback from companies

The French cloud meets the needs of many businesses looking for performance, scalability and sovereignty. Clever Cloud has been chosen by organisations such as MAIF, Airbus, Docaposte, Solocal, BetaGouv and DOTNET to meet their technical and strategic challenges.

MAIF, a major player in the insurance sector, has migrated to Clever Cloud to guarantee the sovereignty of its policyholders' data. This collaboration has enabled MAIF to increase its productivity by a factor of 8, while improving the availability and performance of its critical systems.

Docaposte, leader in trusted digital solutions, frequently integrates Clever Cloud to meet the needs of its end customers.

The BetaGouv start-ups (data.gouv.fr ; Démarches simplifiées ; pass Culture ; SignalConso ; Mon soutien psy), like those supported by the Startup d'État programme, benefit from Clever Cloud's advanced functionalities and customised support. Thanks to a stable, scalable infrastructure, these young structures can concentrate on their missions while benefiting from start-up funding and responsive support.

Finally, DOTNET, a SaaS payroll editor, guarantees the protection of sensitive data while increasing the scalability of its services. Clever Cloud provides DOTNET with a high-performance infrastructure, sovereign hosting and proactive technical support.

The French cloud, a strategic choice for the future

Adopting a sovereign French cloud is not just an isolated strategic decision. It's a commitment that's part of a collective dynamic, supported by solid collaborations with trusted partners. Clever Cloud highlights this synergy on its Built with Clever page, which lists all the projects developed using its platform.

This collaborative space brings together customers, partners and add-ons to meet the specific needs of businesses. For example, solutions such as Keycloak as a Service for identity management, or Materia, a serverless database, demonstrate the richness of the offering.

Choosing Clever Cloud means opting for a French PaaS that combines performance, scalability and sovereign hosting. This approach guarantees users full compliance with European standards and greater control over their data.

The sovereign cloud is no longer an option, but a necessity if we are to build a sustainable digital future together.

What is Hexatrust?

Hexatrust is an association of French and European leaders in cybersecurity and the trusted cloud. Its mission is to promote excellence in the digital domain by bringing together start-ups, SMEs and ETIs innovating in the cybersecurity and cloud security sectors. The association strives to defend the interests of its members in dealings with public authorities, and to promote the French and European cybersecurity ecosystem.

Hexatrust's role

Hexatrust's mission is multi-faceted:

1. Advocacy: Representing industry players to the authorities.
2. Visibility: Increase members' recognition on the national and international markets.
3. Innovation: Leading a community of entrepreneurs to promote the exchange of ideas and the development of innovative solutions.

Why is joining Hexatrust important for Clever Cloud?

Collaboration and synergy

Unity is strength. Being a member of Hexatrust enables Clever Cloud to collaborate with other French and European industry leaders. This cooperation is crucial to developing even more robust cloud security solutions that meet today's cybersecurity challenges. We also share a common vision of the European digital age, and of the importance of digital sovereignty in protecting the data of our businesses and citizens.

Technology watch and peer-to-peer exchanges

Hexatrust has set up a number of working groups and organizes events enabling its members to exchange and share feedback on tools and issues. These actions are vital for Clever Cloud and its teams, to ensure the necessary monitoring of our products' security.

In line with our strategy

Clever Cloud has designed its platform to be secured by design: immutable architecture, avoidance of trusted networks (each peer on the same network is identified, authenticated and communicates in encrypted form), development or participation in the development of open source tools (Reverse Proxy Sozu and Token Biscuit). In addition to these best practices, we are ISO 27001:2022 certified, and also HDS (Healthcare Data Hosting) certified, since 2025. SecNumCloud certification is currently being obtained.

Conclusion

Joining Hexatrust represents a springboard for Clever Cloud on its journey towards excellence in cloud data security. By joining this community of experts, we are reasserting our commitment while contributing to the evolution of the European digital landscape.

When you access a website or an online application, you most often do so in a "secure" way. This is for example the well-known green padlock that symbolizes HTTPS connections in your browser, which has become a standard these years thanks to initiatives like Let's Encrypt. 

This means that the data transferred to the server is encrypted, and that even if they are intercepted, they cannot be read by a third party. This protection has been provided by the TLS (Transport Layer Security) protocol for almost 20 years, whether it’s a personal site, an online shop or an access to your bank's services.

Over time, this critical technical brick on the Internet has evolved to strengthen the level of security it offers. In August 2018, its version 1.3 (the latest) was released. Meanwhile, versions 1.0 and 1.1 were considered to no longer offer a sufficient level of protection. They have been deprecated by the IETF (Internet Engineering Task Force) since March 2021 and have therefore been gradually removed from recent browsers such as Firefox, Chrome and its derivatives or Safari.

At Clever Cloud, we have seen our customers adopt TLS 1.2 and 1.3 gradually. On our load balancers, based on our in-house and open source reverse proxy Sōzu, the latest version accounts for over 90% of the requests processed each day. TLS 1.2 for just under 9%. TLS 1.0 and 1.1 for only a few tens of thousands of requests per day, less than 0.1% of our traffic.

While we have maintained these versions for compatibility reasons, this will no longer be the case as of June 30. We will of course inform the customers affected by this choice, and encourage them to switch to more recent versions, which will have advantages for them in terms of security, performance and SEO.

Several reminders will be sent between now and the final shutdown of TLS 1.0 and 1.1. If you have any questions on this subject, please contact our support team through the Console.

Few days ago, Marak Squires, the developer behind the open-source npm libraries colors and faker, decided to corrupt the libraries, to denounce issues in open-source projects' funding system.

The infinite loop introduced by the developer broke several apps using these libraries by printing the text 'LIBERTY LIBERTY LIBERTY' and non-ASCII characters in the apps' logs.

It causes a lot of trouble as the colors library receives over 20 million weekly downloads on npm alone and has almost 19,000 projects relying on it. Whereas, faker receives over 2.8 million weekly downloads on npm, and has over 2,500 dependents.

How to check if your Node.js app is impacted?

The first thing to do is to check if your app is using the npm libraries 'colors' or 'faker'. To do so, run either:

npm ls colors

Or

npm ls faker

You will get an output like this:

my-project@1.2.3 /home/me/my-project
├─┬ @storybook/addon-docs@5.3.18
│ └─┬ vue-docgen-loader@1.5.0
│   └─┬ jscodeshift@0.7.0
│     └── colors@1.4.0  deduped
├─┬ @storybook/vue@5.3.18
│ └─┬ @storybook/core@5.3.18
│   └─┬ cli-table3@0.5.1
│     └── colors@1.4.0  deduped
└── colors@1.4.0

With this output, we can identify that this project uses 'colors' directly with version 1.4.0 and through transitive dependencies, also in version 1.4.0.

Your app uses 'colors' or 'faker', what can you do?

If your app uses one of these npm libraries, we invite you to check three thing:

Check the version

First of all, you need to check if you're using one of the compromised versions of these libraries:

• colors: 1.4.1, 1.4.2, and 1.4.44-liberty-2
• faker: 6.6.6

Check the package-lock.json

Do you have a package-lock.json? If you don't we invite you to read the documentation and add one to your project.

If you do, you need to force a version which is not compromised (1.4.0 for colors and 5.5.3 for 'faker'). You're using npm? You can try with the module npm-force-resolutions. You're using Yarn? You can use the process described in this documentation.

Update your tools to their latest version

We also invite you to check if the dependencies you use released an update. As an exemple, if you use Storybook, the v6.4.10 released earlier yesterday fixes the issue.

A note for Clever Tools users

By the way, if you use our CLI, the clever-tools, and if you installed it via npm, please upgrade to v2.8.1.

What is Log4Shell?

You probably heard about Log4Shell (or CVE-2021-44228), the vulnerability which impacted log4j, a famous log library written in Java.

This critical vulnerability allows to remotely execute code on the servers of a company or to display the environment variables of an application.

What has been implemented at Clever Cloud?

At Clever Cloud, we worked all weekend to resolve this issue.

All our Elasticsearch add-ons were secured quickly, and many of our customers are secured by the most recent versions of JDK. Edit (13/12 16:41 UTC+1) : Even the most recent versions of Java are now vulnerable to RCE (Remote Code Execution) due to a bypass. The only viable solution is to patch and update log4j directly.

Please also note :

• Java 8 (or later) users should upgrade to release 2.17.0.
• Users requiring Java 7 should upgrade to release 2.12.2.
• Otherwise, remove the JndiLookup class from the classpath in a post build hook (you have to execute the hook in the file where the log4j jar is):

CC_POST_BUILD_HOOK=zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class "

For the others, we have initiated a thorough monitoring and analysis policy.

We are also in the process of updating the Java image with the following Log4j configuration property: Edit (14/12 14:04 UTC+1) : The Java image has successfully be updated and all Java applications have been redeployed with the following Log4j configuration property:

log4j2.formatMsgNoLookups=true

Please note that this flag only work on versions superior or equal to Log4j v2.10.0.

We upgraded the New Relic Java Agent to the 7.4.1 version and the apps on which the agent was deployed have been redeployed.

We also patched the Pulsar cluster.

How to mitigate the risks?

We urge you to update your dependency to Log4j v2.17.0.

Then, depending on the environments and add-ons you work with, here's what you can do as well:

For Docker

If you are using Docker, you can do either :

• Update to Log4j v2.17.0 (recommended)
• Or setup the following Log4j (v2.10.0 minimum only) configuration property: log4j2.formatMsgNoLookups=true

For Jenkins

The Jenkins security team has confirmed that Log4j is not used in Jenkins core. However, it can be used in some Jenkins plugins. You can identify if Log4j is included in a plugin by using the following command in the Script Console:

org.apache.logging.log4j.core.lookup.JndiLookup.class.protectionDomain.codeSource

Support team

Of course, our support team remains available if you have any question regarding the current situation. You can reach them via the chat or send an e-mail at support@clever-cloud.com.

Yesterday two issues affecting CPUs have been released to the public.

TL;DR: the attacks are named Meltdown and Spectre. They allow reading the memory of the OS or of other processes, to steal secrets or get information for other exploits. A part of the solution can greatly affect performance of running code. In particular, this attack allows to easily cross container boundaries, and in some cases (not our case) even VM boundaries.

In addition to servers, consumer machines are affected, especially through browsers, so you should definitely update your operating system as well as your browsers.

What it means for Clever Cloud users

Your applications will be (or already have been) automatically restarted (just like any other maintenance deployments). The addons will be patched and restarted in place in the following hours. This will generate limited downtime on addons (usually around a minute, depending on the addon start up time).

In addition to restarting virtual machines, we will also need to restart physical machines, as the attacks theoretically allows VM boundaries crossing. This attack is not usable (yet?) on Clever Cloud due to our virtualization choices and our OS hardening, but we will deploy patches preemptively. Physical machines updates will take place in the following days and will not impact applications. We are currently working on finding the best solution for addons, but it will definitely incur additional downtime for addons.

The patches, while mitigating the issues, also come with performance regressions. It heavily depends on the workload as well as the exact CPU model. The CPUs we use are among the less affected by the performance issues, but a slowdown of at least 5% is to be expected.

Technical details

The Meltdown attack and the Spectre categories of attack are related to a performance feature of modern processors: branch prediction and speculative execution. Meltdown shows that when an instruction can cause a trap, like the privilege check for user → kernel access), the processor will perform speculative execution: it starts executing the code in case there’s no trap, but rollbacks if there was a trap. This attack happens at the boundary between user code and kernel. Before the processor has completely checked that we have the authorization to run privileged code, it starts executing it. When it turns out we were not authorized, it rolls back the results of that code, but not completely, it can leave some data in the cache. Combined with a technique called “cache timing attack”, it is then possible to guess the content of the data that was loaded in cache, bit by bit. Branch prediction has a related behaviour: when encountering a branch (example: an if/else expression), the processor will start executing one of the branches before it calculates the condition, to avoid waiting too much. It guesses which side of the condition is most likely thanks to its branch predictor. Spectre uses branch prediction to cause speculative execution to read out of a buffer’s bounds (among other consequences) in the kernel or another process, then guess the results from the cache.

The Meltdown attack is specific to Intel processors, it allows reading from the OS’s memory. There are patches available (the kPTI feature, also named KAISER https://lkml.org/lkml/2017/12/4/709). Those patches have a great impact on syscall performance (https://www.phoronix.com/scan.php?page=article&item=linux-415-x86pti&num=1), with programs running 5% to 30% slower depending on the workload. The Intel Haswell processors with the PCID (Process Context Identifiers) feature get the lowest performance hit (5%). We use those processors on Clever Cloud.

Spectre affects processors from Intel, AMD and ARM, it allows reading from the memory of other processes. It looks more like a new attack category, for which we will have to fix the issue individually in each affected software. The only global solution for Spectre is a radical change in processor architecture, and this is unlikely to happen soon. We will follow closely any new related vulnerability and promptly patch our infrastructure.

For further information

• Papers and explanations about Meltdown and Spectre: https://spectreattack.com/
• Proofs of concept from Google’s Project Zero team: https://googleprojectzero.blogspot.fr/2018/01/reading-privileged-memory-with-side.html
• French twitter thread explaining the attacks: https://twitter.com/fenarinarsa/status/948697105996156928
• English twitter thread explaining the attacks: https://twitter.com/nicoleperlroth/status/948684376249962496

This post has been written by @gcouprie and @clementd.
Spectre and meltdown logos of are designed by Natascha Eibl.

As you know, security is a big deal for us. You might have heard that a single password may not be enough those days. Well, here it is! Two factor authentication is now available for everyone.

What is two factor? And how does it work?

When you login with a simple password, you access you account with something you know.

If someone else ever gets your password, your account is compromised. To prevent this situation, the login process should invole something you know, and something you have. This is the second factor.

2FA is pretty simple, once activated you login in with:

• your credentials
• and a third-party app on your phone providing a temporary code

Now having your password known/guessed by a third-party is not enough for them to get into your account.

How to setup?

Login to the Clever Console and head over to your profile. Under "Authentication", you'll see a new button: Activate 2FA.

A QR-Code will show up. Scan it with a 2FA app on your phone (Google Authenticator, Authenticator by Microsoft…)

For future logins, your password and the code from the app will be necessary.

IMPORTANT:

Don't forget to save your recovery codes! Each one can replace a generated 6-digits code (but only once).

• unclear risk and impact on the business
• time spent tracking new vulnerabilities for various applications
• unclear result of updating code (will it stop working? Will it break other applications on the same machine?)

Defining your risk budget

• targets: user data, intellectual property, machines
• entry points: web server, internal WiFi
• weaknesses: unpatched application, SQL injection, key employees victims of phishing

Staying up to date with security news

• avoid news websites. They write long articles, they want you to panic and they rarely provide usable solutions
• Follow security mailing lists. There are generalist ones, like oss-security@lists.openwall.com and cve-assign@mitre.org. There are more specific ones, like debian-security@lists.debian.org (translate to your specific distribution), or rubyonrails-security@googlegroups.com and ruby-security-ann@googlegroups.com. There is also fulldisclosure@seclists.org, where 0-day vulnerabilities are sometimes published
• Twitter is still a good source of information on vulnerabilities, since people easily share. If you see security people suddenly buzzing in your timeline, you should pay attention. There are good lists of people to follow to get you started here and there. They each have their own focus, though, so you may not be interested in everything
• keep up with new versions of your software and their dependencies. Use your package manager, project specific mailing lists, subscribe to their github feed

• check the mailing lists, see if you use any of the applications mentioned
• check your dependencies: anything new? Any security issues mentioned?
• check Twitter: is the world on fire?

Reducing the risk of code updates

• staging environments to test updates
• replacing huge, risky updates with small increments
• applications can be completely independent. Updating the company's WordPress blog will not affect the SaaS application

• get notified of a vulnerability
• see if it applies
• see if there's a patch (or if you can develop one quickly)
• apply the patch
• redeploy the applications
• go make yourself a nice tea

• The recent CVE-2016-0728 is a privilege escalation in Linux, something we need to take seriously. We took a look at the advisory, wrote a patch, tested it and deployed it in a few hours. Most Linux distributions took days to publish updated packages.
• In the same way, the infamous Heartbleed bug was fixed quickly. One of our clients came to us hours later asking if we knew about it: "oh, that's the reason my applications were redeployed in the middle of the night"