How Cloudflare is staying ahead of the AMD Zen vulnerability known as “Zenbleed”

A new vulnerability called 'Zenbleed' has been discovered in AMD's Zen 2 processors, affecting their entire product stack including EPYC data center processors and Ryzen 3000 CPUs. The flaw allows sensitive information stored within the CPU to be stolen remotely through JavaScript on a website without requiring physical access. Cloudflare is patching its fleet of potentially impacted servers with AMD's microcode as a mitigation measure while monitoring for any attempts at exploitation. Zenbleed takes advantage of speculative execution capabilities, targeting Advanced Vector Extensions (AVX) registers, which are susceptible to storing private information like cryptographic keys and passwords. The vulnerability is classified with a CVSS score of 6.5 (Medium). AMD's mitigation involves turning off a floating point optimization through the MSR register via microcode update.