XEN Security Update XSA-128, XSA-129, XSA-130, XSA-131

Both Static and CloudBoot hypervisors are not vulnerable, because OnApp does not give Xen HVM guests access to physical PCI devices ('PCI passthrough'), and all four issues below concern PCI devices passed through to HVM guests.

XSA-128: Certain untrusted guest administrators may be able to confuse host-side interrupt handling, leading to a Denial of Service.
XSA-129: Interrupts may be observed by Xen at unexpected times, which may lead to a host crash and, therefore, a Denial of Service.
XSA-130: Device model code dealing with guest PCI MSI-X interrupt management logs messages on certain (supposedly) invalid guest operations. A buggy or malicious guest repeatedly invoking such operations may fill up the host disk, possibly leading to a Denial of Service.
XSA-131: Qemu allows guests to not only read, but also write, all parts of the PCI config space (but not the extended config space) of passed-through PCI devices that are not explicitly dealt with for (partial) emulation purposes. Since the effect depends on the specific purpose of the config space field, it is not possible to give a general statement about the exact impact on the host or other guests. Privilege escalation, host crash (Denial of Service), and information leaks cannot be excluded.

The upgrade is not required. However, you may follow the procedure below to upgrade the packages if you wish:

For customers who want to upgrade to the latest hypervisor tools (for the OnApp version in use):

  • Run the OnApp Xen Hypervisor installer:

    /onapp/onapp-hv-install/onapp-hv-xen-install.sh

  • Reboot the hypervisor.

    If required, migrate running guests to another hypervisor before the reboot.

For customers who are already using the latest hypervisor tools or do not want to upgrade them:

  • CentOS 5.x

    # yum update xen xen-libs

    This should update xen to version xen-3.4.4-11.el5.onapp.x86_64.

  • CentOS 6.x

    # yum update xen xen-hypervisor

    This should update xen to version xen-4.2.5-38.6.onapp.el6.x86_64.

  • Reboot the hypervisor.

    If required, migrate running guests to another hypervisor before the reboot.
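The following script is an added example and is not part of this advisory or of OnApp's own tooling. It turns the two facts above into checks an administrator can run on a Xen host: whether any guest configuration actually grants PCI passthrough (the precondition for XSA-128 through XSA-131), and whether the installed xen package is at or above the fixed build listed for the CentOS release. It assumes GNU coreutils (for sort -V), xl/xm-style guest config files with a `pci = [...]` line, and the rpm query format; the guest configs it processes are constructed inline for demonstration.

```shell
#!/bin/sh
# Added example; not from the OnApp advisory or OnApp's installer.
# Assumes GNU coreutils (sort -V), xl/xm guest config syntax and rpm.

# Fixed version-release strings taken from the advisory above.
FIXED_EL5="3.4.4-11.el5.onapp"
FIXED_EL6="4.2.5-38.6.onapp.el6"

# xen_is_fixed INSTALLED FIXED
# Succeeds when INSTALLED sorts at or above FIXED in version order.
# Both are "%{VERSION}-%{RELEASE}" strings as printed by rpm.
xen_is_fixed() {
    _highest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)
    [ "$_highest" = "$1" ]
}

# fixed_version_for RELEASE
# Maps an EL major release (5 or 6) to the fixed build from the advisory.
fixed_version_for() {
    case "$1" in
        5) printf '%s\n' "$FIXED_EL5" ;;
        6) printf '%s\n' "$FIXED_EL6" ;;
        *) return 1 ;;
    esac
}

# config_has_pci_passthrough FILE
# Succeeds when an xl/xm guest config contains an uncommented
# "pci = [...]" assignment, i.e. the guest is given a physical PCI device.
config_has_pci_passthrough() {
    grep -Eq '^[[:space:]]*pci[[:space:]]*=' "$1"
}

# installed_xen_version
# Prints VERSION-RELEASE of the installed xen rpm; fails when rpm is
# not available (for example when this script is run off-host).
installed_xen_version() {
    command -v rpm >/dev/null 2>&1 || return 1
    rpm -q --qf '%{VERSION}-%{RELEASE}\n' xen 2>/dev/null
}

# --- demonstration on constructed data ---------------------------------
# Two constructed guest configs (hypothetical, not from any real host).
tmp=$(mktemp -d)
cat >"$tmp/web01.cfg" <<'EOF'
name = "web01"
builder = "hvm"
memory = 2048
# pci = [ '01:00.0' ]   (commented out: no passthrough)
EOF
cat >"$tmp/gpu01.cfg" <<'EOF'
name = "gpu01"
builder = "hvm"
pci = [ '03:00.0' ]
EOF

for cfg in "$tmp"/*.cfg; do
    if config_has_pci_passthrough "$cfg"; then
        echo "$(basename "$cfg"): PCI passthrough configured, XSA-128..131 apply"
    else
        echo "$(basename "$cfg"): no PCI passthrough"
    fi
done
rm -rf "$tmp"

# Compare a constructed installed version against the EL6 fixed build.
if xen_is_fixed "4.2.5-38.5.onapp.el6" "$FIXED_EL6"; then
    echo "4.2.5-38.5.onapp.el6 is at or above the fixed build"
else
    echo "4.2.5-38.5.onapp.el6 is older than $FIXED_EL6, update needed"
fi
```

On a real host, replace the constructed version string with `$(installed_xen_version)` and point the loop at the directory holding the guest configs; a host where no config matches is in the position the advisory describes for Static and CloudBoot hypervisors, whether or not the package has been updated.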