XEN Security Update XSA-155/157/164/165/166, CVE-2015-8550/8551/8552/8553/8554/8555
| Issue | Summary | Affected: Static, CentOS 5.x | Affected: Static, CentOS 6.x | Affected: CloudBoot, CentOS 5.x | Affected: CloudBoot, CentOS 6.x | Fixed: Static, CentOS 5.x | Fixed: Static, CentOS 6.x | Fixed: CloudBoot, CentOS 5.x | Fixed: CloudBoot, CentOS 6.x |
|---|---|---|---|---|---|---|---|---|---|
| XSA-155/CVE-2015-8550 | Paravirtualized drivers incautious about shared memory contents. | ✓** | ✓ | ✓** | ✓ | - | ✓ | - | - |
| XSA-157/CVE-2015-8551,CVE-2015-8552,CVE-2015-8553 | Linux pciback missing sanity checks leading to crash. | ✓** | ✓** | ✓** | ✓** | - | - | - | - |
| XSA-164/CVE-2015-8554 | QEMU-DM buffer overrun in MSI-X handling. | ✓* ** | ✓* ** | ✓* ** | ✓* ** | - | - | - | - |
| XSA-165/CVE-2015-8555 | Information leak in legacy X86 FPU/XMM initialization. | ✓ | ✓ | ✓ | ✓ | - | ✓ | - | - |
| XSA-166 | IOREQ handling possibly susceptible to multiple read issue. | ✓* | ✓* | ✓* | ✓* | ✓ | ✓ | - | - |
* This issue affects only the compute resources that are running FreeBSD and/or Windows guests, or in recovery (HVM mode).
** Both Static and CloudBoot compute resources are affected but are not vulnerable, as OnApp does not provide Xen HVM guests with access to physical PCI devices ('PCI passthrough').
Static Compute Resources
For customers willing to upgrade to the latest compute resource tools (corresponding to the installed OnApp version)
To eliminate the security issue for Static Compute Resources:
Run the OnApp Xen Compute Resource installer:
```
/onapp/onapp-hv-install/onapp-hv-xen-install.sh
```
Reboot all compute resources.
For customers who are using the latest compute resource tools or do not want to upgrade them:
CentOS 5.x
```
# yum update xen xen-libs
```
This should update to the xen-3.4.4-20.el5.onapp.x86_64 version.
CentOS 6.x
```
# yum update xen xen-hypervisor
```
This should update to the xen-4.2.5-38.22.onapp.el6.x86_64 version.
Reboot all compute resources.
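To confirm that the update and reboot took effect on a static compute resource, the following added script (an example written for this page, not part of the OnApp tooling) compares the installed xen version-release with the fixed versions named above and flags a host where the package was installed after the last boot. The function names and the simplified field-by-field version comparison are assumptions of this example.

```shell
#!/bin/sh
# Added example: confirm a Xen compute resource carries the fixed package.
# Fixed version-release strings are the ones stated in this advisory.
FIXED_EL5="3.4.4-20.el5.onapp"
FIXED_EL6="4.2.5-38.22.onapp.el6"

# vr_ge A B: succeed if version-release A >= B, comparing fields left to
# right (a simplification of RPM's own ordering; fine for these strings).
vr_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, /[.-]/); nb = split(b, y, /[.-]/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] == y[i]) continue
            if (x[i] ~ /^[0-9]+$/ && y[i] ~ /^[0-9]+$/) exit !(x[i] + 0 > y[i] + 0)
            exit !(x[i] > y[i])     # non-numeric fields: string order
        }
        exit 0
    }'
}

# check_xen_vr VR: print FIXED, OUTDATED or UNKNOWN for a version-release
# as printed by: rpm -q --qf '%{VERSION}-%{RELEASE}\n' xen
check_xen_vr() {
    case "$1" in
        *.el5*) fixed=$FIXED_EL5 ;;
        *.el6*) fixed=$FIXED_EL6 ;;
        *) echo UNKNOWN; return 2 ;;
    esac
    if vr_ge "$1" "$fixed"; then echo FIXED; else echo OUTDATED; return 1; fi
}

# reboot_pending INSTALL_EPOCH BOOT_EPOCH: succeed if the package was
# installed after the last boot, so the old hypervisor is still running.
reboot_pending() { [ "$1" -gt "$2" ]; }

# Live check, skipped on hosts without an installed xen package.
if command -v rpm >/dev/null 2>&1 && rpm -q xen >/dev/null 2>&1; then
    check_xen_vr "$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' xen)" || true
    boot=$(( $(date +%s) - $(cut -d. -f1 /proc/uptime) ))
    if reboot_pending "$(rpm -q --qf '%{INSTALLTIME}' xen)" "$boot"; then
        echo "REBOOT PENDING: xen was updated after the last boot"
    fi
fi
```

Run it as root on each compute resource after the update; a host that reports FIXED without REBOOT PENDING has the patched package installed and has been rebooted since.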
CloudBoot Compute Resources
To eliminate the security issue for CloudBoot Compute Resources, run the OnApp 4.1.2-3 Storage Update. Use the CloudBoot Compute Resources and CloudBoot Backup Server upgrade procedures (only the reboot option is applicable) to install the update.
This should update to the following version:
CentOS 5.x | |||
|---|---|---|---|
| Xen |
|