Xen Security Advisory

Xen has released an important security patch for Xen 4.1 and above. We highly advise you update you’re Xen nodes as soon as possible.

 

Affected SolusVM Systems

  • Host nodes that run Xen 4.1 and above

 

Details

http://xenbits.xen.org/xsa/advisory-108.html

Xen Security Advisory XSA-108

Improper MSR range used for x2APIC emulation

ISSUE DESCRIPTION
=================

The MSR range specified for APIC use in the x2APIC access model spans
256 MSRs. Hypervisor code emulating read and write accesses to these
MSRs erroneously covered 1024 MSRs. While the write emulation path is
written such that accesses to the extra MSRs would not have any bad
effect (they end up being no-ops), the read path would (attempt to)
access memory beyond the single page set up for APIC emulation.

IMPACT
======

A buggy or malicious HVM guest can crash the host or read data
relating to other guests or the hypervisor itself.

VULNERABLE SYSTEMS
==================

Xen 4.1 and onward are vulnerable.

Only x86 systems are vulnerable.  ARM systems are not vulnerable.

CREDITS
=======

This issue was discovered Jan Beulich at SUSE.

 

Mitigation

RHEL 6 Based Host Nodes

SolusVM uses the CentOS 6 version of Xen here http://wiki.centos.org/HowTos/Xen/Xen4QuickStart which is maintained by the CentOS team. A simple update via yum will get you the latest RPM that contains the current patches. If no update is available it means CentOS have not yet released an update.

yum update xen

A reboot of the host node is required after the update is complete.

Always check /boot/grub/grub.conf before a reboot

If you use a custom version of Xen then you will need to either contact the provider or re-compile Xen from source with the required patches.

RHEL 5 Based Host Nodes

SolusVM has two versions of Xen for RHEL 5. A 3.x repo and a 4.x repo. The only affected version is 4.x.

A simple yum update via yum will update a host node if you use our 4.x repo.

yum update xen

A reboot of the host node is required after the update is complete.

Always check /boot/grub/grub.conf before a reboot

If you use a custom version of Xen then you will need to either contact the provider or re-compile Xen from source with the required patches.

 

FAQ

How do i find out my Xen version?

– The following will give you the version number:

xm info

or

xl info

For example, check the 3 lines of output:

xen_major              : 4
xen_minor              : 1
xen_extra              : .6.1

That would be version 4.1.6.1

Have you read enough?