The VIP platform and the Meltdown/Spectre Vulnerabilities

This notice relates to the following platforms: WordPress.com VIP, VIP Go

As you may have read, last week a new class of security vulnerability was disclosed that takes advantage of speculative execution, a performance feature of all modern microprocessors. These vulnerabilities have become known as Meltdown and Spectre.

Over the past week, we have worked with our hardware vendors, as well as our internal security and systems teams to accomplish the following:

a) Identify the risks these issues pose in our environment.

b) Obtain software updates which mitigate those risks.

c) Test the updates to ensure acceptable performance and functionality.

d) Deploy the patches across our fleet of servers, prioritizing higher-risk environments first.

Since WordPress.com does not utilize public cloud services like Amazon Web Services, Google Cloud, or Microsoft Azure, but instead operates our own servers in our own data centers, we have full control over the patching process, including its scheduling, testing, and rollback, and can ensure our customers are not negatively impacted by the original vulnerability, the patches, or the patching process.

How does this affect VIP?

As part of our risk identification processes, we classified WordPress.com VIP as very low risk. Both Meltdown and Spectre require an attacker to run their own code on the affected machine, and WordPress.com does not rely on the memory isolation protections that either vulnerability bypasses. In addition, all code deployed to the WordPress.com VIP platform is reviewed through automated and manual methods, making the execution of malicious code on the platform difficult.

The VIP Go platform, however, does use Linux containers (specifically Docker) to isolate clients from each other. Containers share the host kernel, and Meltdown allows an unprivileged process to read kernel memory, so this isolation could be bypassed if someone were to successfully exploit the issue now known as “Meltdown”. Granted, there is no known exploit in the wild for Meltdown today, and it would be relatively difficult to execute undetected on VIP Go. Out of an abundance of caution, all VIP Go servers that execute PHP have been patched against the Meltdown vulnerability.
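The check a practitioner would want after a rollout like the one above is the kernel's own report of which mitigations are active. The following script is an added example and is not code from the original notice or from the VIP platform. It reads the per-issue status files that Linux kernels from 4.15 onward (and vendor backports) expose under /sys/devices/system/cpu/vulnerabilities; each file contains "Not affected", "Vulnerable", or "Mitigation: <name>", and for Meltdown the expected value on a patched host is "Mitigation: PTI" (kernel page-table isolation). The directory is taken as a parameter so the functions can be run against a copied or constructed tree; the function names and the default path handling are this example's own.

```shell
#!/bin/sh
# Added example, not from the original notice: report the kernel's own view of
# speculative-execution mitigations from the sysfs vulnerability files.

VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# Print "<issue>: <status>" for every file in the directory and return 0 only
# when each issue reads "Not affected" or "Mitigation: ...". Returns 1 if any
# issue is still "Vulnerable" (or reads something unexpected) and 2 if the
# directory is absent, which means the running kernel predates mitigation
# reporting and is itself a finding worth following up.
check_mitigations() {
    dir="${1:-$VULN_DIR_DEFAULT}"
    [ -d "$dir" ] || { echo "no $dir: kernel predates mitigation reporting" >&2; return 2; }
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        status=$(cat "$f")
        case "$status" in
            "Not affected"|Mitigation:*) ;;
            *) rc=1 ;;
        esac
        echo "$name: $status"
    done
    return $rc
}

# The entry that matters for the shared-kernel container case: Meltdown lets an
# unprivileged process read kernel memory, and the kernel reports its fix as
# "Mitigation: PTI". Prints "unknown" when the file does not exist.
meltdown_status() {
    dir="${1:-$VULN_DIR_DEFAULT}"
    if [ -f "$dir/meltdown" ]; then
        cat "$dir/meltdown"
    else
        echo "unknown"
    fi
}
```

On a live host, source the file and run `check_mitigations` with no argument; a non-zero exit status from a fleet-wide run is the list of servers that still need attention. Note that a "Mitigation:" line only says the kernel has its own fix enabled; it does not report microcode or hypervisor state, so it should be read alongside the vendor's guidance for the hardware in question.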

In addition, no performance penalty has been observed on either WordPress.com VIP or VIP Go as a result of the Meltdown security patches.

We continue to work with our internal teams and external vendors on Spectre mitigations, and we will follow the same identify, obtain, test, and deploy process for Spectre that we used for Meltdown. No interruption of service or significant performance impact is expected.