Based on publicly available information and our current understanding of the Meltdown and Spectre vulnerabilities, both require an adversary to have arbitrary code execution capabilities on the host. Given that SecureDrop’s Application and Monitor servers do not allow arbitrary code execution, these vulnerabilities appear not to be directly exploitable on running SecureDrop instances.
We are monitoring the situation as it develops, and are currently testing kernel updates to provide defense-in-depth. However, systems other than the Application and Monitor servers may impact the overall SecureDrop environment. Admin, Journalist and Source workstations running Tails 3.3 and below are vulnerable. Users should upgrade to Tails 3.4 immediately. Furthermore, landing pages may be at risk if hosted in a virtualized or multi-tenant environment. View individual vendor responses for next steps.
Once again, we continue to monitor the situation, and will update this blog post as more details become available.