HTTP/2 and curl Security Updates

VIP has completed work to mitigate two unrelated, recently disclosed security vulnerabilities.

VIP constantly maintains the security of our infrastructure. We don’t announce every mitigation we complete, but these issues were widespread, significant, and well known, so we wanted to be clear that you are protected on VIP.

HTTP/2 Protocol

On October 10, 2023, Cloudflare, Google, Amazon, and others posted about a newly discovered and actively exploited vulnerability in the HTTP/2 protocol that lets attackers launch very large-scale attacks with very few resources. Nearly every web server in the world, including those at VIP, uses this protocol and was susceptible.

Soon after the disclosure, a patch was created that will be included in the next version of the affected software. We have deployed this patch to all of our web servers ahead of the general release. This deployment was complete within hours of the vulnerability being announced.

Please note that this vulnerability could only be used to trigger a denial of service issue – it cannot be used to steal or modify user data, access your systems, etc. VIP has no evidence that sites were affected via this method.

curl

On October 3, 2023, the founder and lead developer of curl and libcurl, a low-level library used in many applications, announced a significant vulnerability and that a fix would be available in a new version to be released on October 11, 2023.

We were prepared for rapid deployment of that new version across our infrastructure and completed that within hours as well. Your site is now protected against this issue.

Summary

The VIP team mitigated both of these highly impactful security incidents as part of our ongoing promise to ensure your sites are secure, reliable, and lightning fast. We have not seen any malicious activity related to these issues at this time.

Your site is protected from both of these incidents, and no further action is necessary on your part.