Issue: Security Bulletin: Meltdown and Spectre vulnerabilities
Okta is aware of two recently discovered vulnerabilities known as Meltdown and Spectre. These vulnerabilities can allow a rogue process to access other processes and memory on the same device. This issue is detailed in the following Common Vulnerabilities and Exposures (CVE) bulletins:
The Spectre vulnerability impacts our infrastructure vendor, AWS, and may pose a risk to Okta customers. Okta has worked with AWS to deploy fixes for Spectre. At this time, AWS has confirmed that it has completed patching at the infrastructure level to address this vulnerability. We have not received any indication from AWS that these vulnerabilities have been used to attack Okta or any other AWS customer.
Okta has determined that the Meltdown vulnerability does not pose significant risk to Customer Data and is following our standard security patch process to provide defense in depth. Okta is actively investigating what additional mitigation steps, if any, need to be taken and will provide updates here as we continue our investigation.
Okta recommends that customers reach out to their OS and browser vendors to ensure they have applied all the necessary security updates to address this security vulnerability.
For additional details and updates, please refer to Amazon's Processor Speculative Execution Research Disclosure.