XEN Security Update XSA-206/207/208/209/212, CVE-2017-2615/2620/7228
| Issue | Summary | Affected: Static, CentOS 5.x | Affected: Static, CentOS 6.x | Affected: CloudBoot, CentOS 5.x | Affected: CloudBoot, CentOS 6.x | Fixed: Static, CentOS 5.x | Fixed: Static, CentOS 6.x | Fixed: CloudBoot, CentOS 5.x | Fixed: CloudBoot, CentOS 6.x |
|---|---|---|---|---|---|---|---|---|---|
| XSA-206 | XENstore denial of service via repeated update | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | - | - |
| XSA-207 | Memory leak when destroying guest without pt device | ✓* | ✓* | ✓* | ✓* | ✓ | ✓ | ✓ | - |
| XSA-208/CVE-2017-2615 | OOB access in cirrus BitBlt copy | ✓** | ✓** | ✓** | ✓** | - | ✓**** | ✓ | ✓ |
| XSA-209/CVE-2017-2620 | cirrus_bitblt_cputovideo does not check if memory region is safe | ✓** | ✓** | ✓** | ✓** | - | ✓**** | ✓ | ✓ |
| XSA-212/CVE-2017-7228 | x86: broken check in memory_exchange() permits PV guest breakout | ✓*** | ✓*** | ✓*** | ✓*** | ✓ | ✓**** | - | - |

* Both Static and CloudBoot compute resources running RHEL/CentOS 5.x or 6.x on AMD systems are affected and vulnerable.

** Both Static and CloudBoot compute resources running CentOS 5.x or 6.x are affected. Those running HVM guests (FreeBSD or Windows guests, or guests in recovery, boot from ISO or build from ISO modes) are vulnerable.

*** Both Static and CloudBoot compute resources running CentOS 5.x or 6.x are affected. Those running Linux x86_64 guests are vulnerable.

**** The issue has been fixed for OnApp versions 4.2.0 and up for CentOS 6.x with Xen 4.4.4.

Static Compute Resources
For customers willing to upgrade to the latest compute resource tools (corresponding to the installed OnApp version):
This step applies to CentOS 5.x Xen compute resources only. Run the following command:

```
# yum update onapp-hv-install
```

Be aware that centos.org has stopped the support of CentOS 5.x.

Run the OnApp Xen Compute Resource installer:

```
# /onapp/onapp-hv-install/onapp-hv-xen-install.sh
```

Reboot all compute resources.

For customers who are using the latest compute resource tools or do not want to upgrade them:
CentOS 5.x

```
# yum update xen xen-libs
```

This should update to the 3.4.4-34.el5.onapp version.

Be aware that centos.org has stopped the support of CentOS 5.x.

CentOS 6.x

```
# yum update xen xen-hypervisor
```

For versions of OnApp HV tools after version 4.2.0 the fix is provided by CentOS.org. The command above should update to the 4.4.4-22 version.

- Reboot all compute resources.
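
An added example (not part of the OnApp advisory) for checking static compute resources after the steps above: it compares each host's installed xen package with the fixed versions named here and flags hosts that were updated but not yet rebooted. The inventory format, host names, release suffixes and timestamps are constructed; the values are assumed to be collected with `rpm -q --qf '%{VERSION}-%{RELEASE} %{INSTALLTIME}\n' xen` and the `btime` field of `/proc/stat`.

```python
import re

# Fixed xen package versions stated in the advisory, keyed by CentOS major release.
FIXED = {5: "3.4.4-34.el5.onapp", 6: "4.4.4-22"}

def _segments(s):
    # rpm-style split into runs of digits or letters; separators are dropped.
    return re.findall(r"\d+|[A-Za-z]+", s)

def _cmp_part(a, b):
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # a numeric segment is newer than an alphabetic one
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # extra trailing segments are newer

def evr_cmp(a, b):
    """Compare 'version-release' strings (simplified rpmvercmp: no epoch, no '~')."""
    va, _, ra = a.partition("-")
    vb, _, rb = b.partition("-")
    return _cmp_part(va, vb) or _cmp_part(ra, rb)

def audit(line):
    """line: 'host centos_major xen_version-release install_epoch boot_epoch'."""
    host, major, evr, installed, booted = line.split()
    if evr_cmp(evr, FIXED[int(major)]) < 0:
        return host, "UPDATE"   # package is older than the fixed build
    if int(booted) < int(installed):
        return host, "REBOOT"   # fixed package on disk, old hypervisor still running
    return host, "OK"

# Constructed inventory (hypothetical hosts, not data from the advisory).
SAMPLE = """\
hv-a 5 3.4.4-33.el5.onapp 1480000000 1481000000
hv-b 5 3.4.4-34.el5.onapp 1492000000 1485000000
hv-c 6 4.4.4-22.el6 1492000000 1492003600
hv-d 6 4.4.4-18.el6 1470000000 1471000000
"""

if __name__ == "__main__":
    for row in SAMPLE.splitlines():
        print("%-6s %s" % audit(row))
```

A host reported as REBOOT has the fixed package installed but was last booted before the update, so it is still running the old hypervisor.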
CloudBoot Compute resources
To eliminate the security issue for CloudBoot Compute Resources, see CloudBoot Compute Resources and CloudBoot Backup Server upgrade procedures.
This should update to the following version:

| CentOS 5 | CentOS 6 |
|---|---|
| onapp-store-install-5.0.0-30.noarch.rpm | onapp-store-install-5.0.0-30.noarch.rpm |