XEN Security Update XSA-156/158/159/160/161/162/163, CVE-2015-5307/8338/8339/8340/8341/7504
08/01/16 - The new XEN Update released on January 8th addresses the issue with Windows 2008 based VSs failing to boot up on CentOS5 XEN compute resources.

06/01/16 - We have had reports of some stability issues with Windows Virtual Servers after running this update on Static/CloudBoot compute resources running CentOS5. We are investigating further and will update this document once we have further details. At this stage we recommend not running this update if your cloud is running Windows Virtual Servers and CentOS5 compute resources.
| Issue | Summary | Affected: Static, CentOS 5.x | Affected: Static, CentOS 6.x | Affected: CloudBoot, CentOS 5.x | Affected: CloudBoot, CentOS 6.x | Fixed: Static, CentOS 5.x | Fixed: Static, CentOS 6.x | Fixed: CloudBoot, CentOS 5.x | Fixed: CloudBoot, CentOS 6.x |
|---|---|---|---|---|---|---|---|---|---|
| XSA-156/CVE-2015-5307 | CPU lockup during fault delivery. | ✓* | ✓* | ✓* | ✓* | - | ✓ | - | - |
| XSA-158/CVE-2015-8338 | Long running memory operations on ARM. | - | - | - | - | - | - | - | - |
| XSA-159/CVE-2015-8339, CVE-2015-8340 | XENMEM_exchange error handling issues. | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | - |
| XSA-160/CVE-2015-8341 | libxl leak of PV kernel and initrd on error. | ✓ | ✓ | ✓ | ✓ | - | ✓ | - | - |
| XSA-161 | Missing xsetbv intercept privilege check on AMD SVM. | - | - | - | - | - | ✓ | - | - |
| XSA-162/CVE-2015-7504 | Heap buffer overflow vulnerability in PCNet emulator. | - | - | - | - | - | ✓ | - | - |
| XSA-163 | 'VMPU' setting on compute resource. | ✓ | ✓ | ✓ | ✓ | - | ✓ | - | - |
* This issue affects only the compute resources that are running FreeBSD and/or Windows guests, or in recovery (HVM mode).
Static Compute Resources
For customers willing to upgrade to the latest compute resource tools (corresponding to the OnApp version installed):
To eliminate the security issue for Static Compute Resources:
Run the OnApp Xen Compute Resource installer:
```
/onapp/onapp-hv-install/onapp-hv-xen-install.sh
```
Reboot all VSs created on the compute resource.
For customers who are using the latest compute resource tools or do not want to upgrade them:
CentOS 5.x
```
# yum update xen xen-libs
```
This should update to the xen-3.4.4-19.el5.onapp.x86_64 version.
CentOS 6.x
```
# yum update xen xen-hypervisor
```
This should update to the xen-4.2.5-38.19.onapp.el6.x86_64 version.
Reboot all VSs created on the compute resource.
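To confirm that a static compute resource has reached the fixed build, the installed xen version-release can be compared with the versions named above using RPM's segment ordering, where plain string or `sort -V` comparison can misorder releases such as `38.onapp` and `38.19.onapp`. This is an added example, not OnApp tooling: the function names `segcmp`, `vrcmp` and `xen_is_patched` are hypothetical, package epoch is ignored, and `~`/`^` ordering is not handled.

```sh
#!/bin/sh
# Added example, not OnApp tooling. Fixed builds are the ones the advisory names.
FIXED_EL5="3.4.4-19.el5.onapp"      # CentOS 5.x
FIXED_EL6="4.2.5-38.19.onapp.el6"   # CentOS 6.x

# segcmp A B: RPM-style segment comparison, prints -1, 0 or 1. The body is a
# subshell so its variables stay local. '~' and '^' ordering is not handled.
segcmp() (
    a=$1; b=$2
    while :; do
        a=${a#"${a%%[A-Za-z0-9]*}"}; b=${b#"${b%%[A-Za-z0-9]*}"}  # skip separators
        if [ -z "$a" ] || [ -z "$b" ]; then break; fi
        case $a in
        [0-9]*)  # numeric segment; a number is newer than a letter run
            x=${a%%[!0-9]*}; y=${b%%[!0-9]*}
            if [ -z "$y" ]; then echo 1; exit; fi
            if [ "$x" -gt "$y" ]; then echo 1; exit; fi
            if [ "$x" -lt "$y" ]; then echo -1; exit; fi ;;
        *)       # letter segment, compared bytewise
            x=${a%%[!A-Za-z]*}; y=${b%%[!A-Za-z]*}
            if [ -z "$y" ]; then echo -1; exit; fi
            if [ "$x" != "$y" ]; then
                low=$(printf '%s\n%s\n' "$x" "$y" | LC_ALL=C sort | head -n 1)
                if [ "$low" = "$x" ]; then echo -1; else echo 1; fi
                exit
            fi ;;
        esac
        a=${a#"$x"}; b=${b#"$y"}
    done
    if [ -n "$a" ]; then echo 1; elif [ -n "$b" ]; then echo -1; else echo 0; fi
)

# vrcmp A B: compare "version-release" strings, version first, then release.
vrcmp() {
    r=$(segcmp "${1%-*}" "${2%-*}")
    if [ "$r" = 0 ]; then r=$(segcmp "${1##*-}" "${2##*-}"); fi
    echo "$r"
}

# xen_is_patched VERSION-RELEASE CENTOS_MAJOR: 0 = fixed or newer, 1 = older, 2 = not listed
xen_is_patched() {
    case $2 in
        5) fixed=$FIXED_EL5 ;;
        6) fixed=$FIXED_EL6 ;;
        *) return 2 ;;
    esac
    [ "$(vrcmp "$1" "$fixed")" != -1 ]
}
# On a host: xen_is_patched "$(rpm -q --qf '%{VERSION}-%{RELEASE}' xen)" 6
```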
CloudBoot Compute Resources
To eliminate the security issue for CloudBoot Compute Resources, run the OnApp 4.1.0-14 Storage Update. Use CloudBoot Compute Resources and CloudBoot Backup Server upgrade procedures (only reboot option is applicable) to install the update.
This should update to the following version:
CentOS 5.x | |||
|---|---|---|---|
| Xen |
|