XEN Security Update XSA-134/135/136, CVE-2015-4163/3209/4164

Issue	Summary	Affected versions
XSA-134/CVE-2015-4163	Malicious or buggy guest domain kernels can mount a Denial of Service attack which, if successful, can affect the whole system.	Static and CloudBoot hypervisors under CentOS 6.x with Xen 4.2.5 are vulnerable.
XSA-135/CVE-2015-3209	A guest which has access to an emulated PCNET network device(e.g. with "model=pcnet" in their VIF configuration) can exploit this vulnerability to take over the qemu process elevating its privilege to that of the qemu process.	Static and CloudBoot hypervisors aren't affected as OnApp doesn't configure Xen guests with PCNET NICs
XSA-136/CVE-2015-4164	Malicious guest administrators can cause a Denial of Service affecting the whole system.	CentOS 5.x with Xen 3.4.4 (both Static and CloudBoot HVs) CentOS 6.x (both Static and CloudBoot HVs) with Xen 4.2.5 Hypervisors running 32-bit PV guests on Linux x86 VSs (both Static and CloudBoot HVs)

To eliminate the security issue for Static Hypervisors:

For customers willing to upgrade to the latest hypervisor tools (corresponding to OnApp version installed)

Run the OnApp Xen Hypervisor installer

1
/onapp/onapp-hv-install/onapp-hv-xen-install.sh

Reboot the hypervisor.
Consider migrating (if required) of running guests into any other host before the reboot.

For customers which are using latest hypervisor tools or do not want to upgrade them:

CentOS 5.x
1
# yum update xen xen-libs
This should update to the xen-3.4.4-13.el5.onapp.x86_64 version.
CentOS 6.x
1
# yum update xen xen-hypervisor
This should update to the xen-4.2.5-38.9.onapp.el6.x86_64 version.
Reboot the hypervisor.
Consider migrating (if required) of running guests into any other host before the reboot.