Trust Center


Overview

Welcome to Scaleway's Trust Center. We strive to include security in each and every aspect of our business. In this Trust Center you will find information and documentation attesting to our actions towards delivering a safe and secure Cloud service.

Welcome to the Scaleway Trust Center. We strive to include security in every aspect of our activity. In this Trust Center you will find information and documentation attesting to the actions taken to guarantee the security of our services.

Compliance

GDPR
ISO 27001

Documents

ISO 27001
CSIRT - RFC 2350
Transparency Report for Regulation (EU) 2021/784

Product Security

Audit Logging
Multi-Factor Authentication
Role-Based Access Control

Data Privacy

Cookies
Data Protection Officer
Employee Privacy Training

Access Control

Data Access
Logging
Password Security

Infrastructure

Endpoint Security

Disk Encryption
Mobile Device Management

Corporate Security

Asset Management Practices
Email Protection
Employee Training

Security Grades

Qualys SSL Labs
Scaleway Elements: A+
Scaleway Dedibox: A
Scaleway API: A+

Trust Center Updates

Backdoor inside the XZ utils package - CVE-2024-3094


Scaleway's internal infrastructure was not affected by this vulnerability.

On the 29th of March 2024, a backdoor was discovered in the XZ utils packages.

The package contains obfuscated code that installs a backdoor interfering with SSH authentication requests, which could grant access to a malicious actor.

The affected package versions are 5.6.0 and 5.6.1, mostly present in testing/unstable/experimental versions of operating systems.

Here is a list of the affected operating systems:

The only OS that might be affected on Scaleway Instance/Baremetal/Dedibox offers is ArchLinux.

Follow the security announcement from your OS to find out whether you are affected and how to patch it. In most cases, it is highly recommended to update or downgrade the xz package.
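As an added example (not Scaleway's own tooling), this shell sketch classifies an xz version string against the two affected releases named above and then checks the locally installed `xz`. The function names and sample package strings are constructed for illustration; a match only means you should read your distribution's announcement, which decides whether a given package build is safe.

```shell
#!/bin/sh
# Added example: flag xz version strings whose upstream release is 5.6.0 or
# 5.6.1, the versions named in the advisory. Function names are hypothetical.

# Print the upstream x.y.z part of a package or upstream version string.
xz_upstream_version() {
    v=${1#*:}                       # drop a packaging epoch such as "1:"
    case $v in
        # Debian-style "+really" naming: the real upstream version follows
        # the marker (used when a package is reverted to an older release).
        *+really*) v=${v#*+really} ;;
    esac
    printf '%s\n' "$v" |
        sed -n 's/^\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Classify a version string: affected / not-affected / unknown.
xz_status() {
    up=$(xz_upstream_version "$1")
    case $up in
        5.6.0|5.6.1) echo affected ;;
        '')          echo unknown ;;      # string could not be parsed
        *)           echo not-affected ;;
    esac
}

# Check the xz binary on this host, if one is installed.
check_local_xz() {
    command -v xz >/dev/null 2>&1 || { echo "xz: not installed"; return 0; }
    # First line of `xz --version` ends with the upstream version number.
    ver=$(xz --version | awk 'NR==1 {print $NF}')
    echo "xz $ver: $(xz_status "$ver")"
}

check_local_xz

# Constructed sample package versions, to show the classification.
for sample in 5.6.1-1 1:5.6.0-0.2 5.4.6-1 5.6.1+really5.4.5-1; do
    echo "$sample: $(xz_status "$sample")"
done
```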


VMware ESXi multiple vulnerabilities - 05th March 2024


The Scaleway internal infrastructure was not impacted by these vulnerabilities.

On the 05th of March 2024, VMware communicated on multiple vulnerabilities that impact their products. The VMware ESXi solution is impacted and must be patched as soon as possible if you are using it.

This is a summary of the potential risk:

CVE-2024-22252 & CVE-2024-22253 (CVSSv3 8.4) - Use-after-free vulnerability in XHCI USB controller: A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host. On ESXi, the exploitation is contained within the VMX sandbox.

CVE-2024-22254 (CVSSv3 7.9) - ESXi Out-of-bounds write vulnerability: A malicious actor with privileges within the VMX process may trigger an out-of-bounds write leading to an escape of the sandbox.

CVE-2024-22255 (CVSSv3 7.1) - Information disclosure vulnerability in UHCI USB controller: A malicious actor with administrative access to a virtual machine may be able to exploit this issue to leak memory from the vmx process.

To remediate these flaws, you can apply the following patches:

ESXi 8 - Apply one of these patches:

  • ESXi80U2sb-23305545
  • ESXi80U1d-23299997

ESXi 7 - Apply the following patch:

  • ESXi70U3p-23307199

ESXi 6.7 / 6.5:

  • If you subscribed to the extended support plan, you can apply:
    • ESXi670-202403001 for the 6.7 version
    • ESXi650-202403001 for the 6.5 version
  • If you didn't, you must migrate to either version 7 or 8 to patch it.

More information at: https://www.vmware.com/security/advisories/VMSA-2024-0006.html


If you need help using this Trust Center, please contact us.
