Yesterday, researchers disclosed a security vulnerability affecting side-channel analysis of speculative execution on modern computer processors (CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754).
Heroku’s Product Security team follows emerging trends, and partners closely with the research community. We invest heavily in facilitating conversations regarding vulnerabilities and keeping our customers safe via community partnerships.
In the case of emerging and recently-announced vulnerabilities (including those embargoed or leaked to the press), we have a proven methodology for ingesting, processing, and prioritizing mitigation work. Our team utilizes these methods to address these vulnerabilities as material or actionable information is made available.
Our Security and Platform teams are working closely with AWS and Canonical (makers of the Ubuntu Linux operating system) to investigate and patch any affected systems related to the Meltdown and Spectre announcements. If customer impact or coordination is required, we will post additional information via Heroku Status, DevCenter ChangeLog, or provide instructions
context via maintenance notification emails.