XEN Security Update XSA-138/CVE-2015-5154

XSA-138/CVE-2015-5154

An HVM guest which has access to an emulated IDE CDROM device (e.g. a device with "devtype=cdrom", or the "cdrom" convenience alias, in the VBD configuration) can exploit this vulnerability to take over the qemu process, elevating its privilege to that of the qemu process.

Static and CloudBoot hypervisors running CentOS 5.x with Xen 3.4.4 and CentOS 6.x with Xen 4.2.5 are vulnerable. Hypervisors hosting FreeBSD virtual servers, or virtual servers booted in recovery mode, are exposed to the vulnerability.

To eliminate the security issue for Static Hypervisors:

For customers willing to upgrade to the latest hypervisor tools (corresponding to the installed OnApp version):

  • Run the OnApp Xen Hypervisor installer

    /onapp/onapp-hv-install/onapp-hv-xen-install.sh

  • Reboot the hypervisor.

    Consider migrating running guests (if required) to another host before the reboot.

For customers who are already using the latest hypervisor tools, or who do not want to upgrade them:

  • CentOS 5.x

    # yum update xen xen-libs

    This should update to the xen-3.4.4-14.el5.onapp.x86_64 version.

  • CentOS 6.x

    # yum update xen xen-hypervisor

    This should update to the xen-4.2.5-38.11.onapp.el6.x86_64 version.

  • Reboot the hypervisor.

    Consider migrating running guests (if required) to another host before the reboot.
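To confirm that a host actually landed on the fixed builds named above, the following POSIX shell check (an added example, not part of the OnApp advisory) compares the installed xen package's version-release against the fixed CentOS 5.x and 6.x builds. The fixed version strings come from this page; the `rpm -q xen --qf '%{VERSION}-%{RELEASE}'` query and the component-wise comparison are assumptions of this example, not OnApp tooling.

```shell
# Added example: verify the installed xen package is at or above the
# XSA-138 fixed builds from the advisory (CentOS 5.x / CentOS 6.x).
FIXED_EL5="3.4.4-14"     # xen-3.4.4-14.el5.onapp
FIXED_EL6="4.2.5-38.11"  # xen-4.2.5-38.11.onapp.el6

# Reduce "4.2.5-38.11.onapp.el6" to "4 2 5 38 11": split on '.' and '-',
# stop at the first non-numeric component (vendor/distro tags).
numeric_components() {
  out=""; old_ifs=$IFS; IFS='.-'
  for part in $1; do
    case $part in
      ''|*[!0-9]*) break ;;
      *) out="$out $part" ;;
    esac
  done
  IFS=$old_ifs
  printf '%s' "${out# }"
}

# Compare two version-release strings numerically, component by component.
# Prints -1, 0 or 1 for a < b, a = b, a > b; missing components count as 0.
vercmp() {
  a=$(numeric_components "$1"); b=$(numeric_components "$2")
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%% *}; a=${a#"$x"}; a=${a# }
    y=${b%% *}; b=${b#"$y"}; b=${b# }
    if [ "${x:-0}" -lt "${y:-0}" ]; then printf '%s\n' -1; return; fi
    if [ "${x:-0}" -gt "${y:-0}" ]; then printf '%s\n' 1; return; fi
  done
  printf '%s\n' 0
}

# Print "patched", "vulnerable" or "unknown" for an installed VERSION-RELEASE
# string such as the output of: rpm -q xen --qf '%{VERSION}-%{RELEASE}\n'
xen_status() {
  case $1 in
    *el5*) fixed=$FIXED_EL5 ;;
    *el6*) fixed=$FIXED_EL6 ;;
    *) echo unknown; return ;;   # release tag is neither el5 nor el6
  esac
  if [ "$(vercmp "$1" "$fixed")" -ge 0 ]; then echo patched; else echo vulnerable; fi
}

# Stand-alone usage on a hypervisor (skipped where rpm is not available).
if command -v rpm >/dev/null 2>&1; then
  installed=$(rpm -q xen --qf '%{VERSION}-%{RELEASE}\n' 2>/dev/null | head -n 1)
  [ -n "$installed" ] && echo "xen $installed: $(xen_status "$installed") (XSA-138)"
fi
```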