Five new undisclosed Xen vulnerabilities - scottjg
http://xenbits.xen.org/xsa/

======
bscanlan
AWS have posted an update about related upcoming EC2 maintenance:
[https://aws.amazon.com/premiumsupport/maintenance-2015-03/](https://aws.amazon.com/premiumsupport/maintenance-2015-03/)

"We’ve received a Xen Security Advisory that requires us to update a portion
of our Amazon EC2 fleet. Fewer than 10% of EC2 customer instances will need to
be rebooted. We’ve started notifying affected customers when their reboots
will take place. These updates must be completed by March 10, 2015 before the
underlying issues we are addressing are made public. Following security best
practices, the details behind these issues will be withheld until they are
made public on March 10."

------
j15e
Just received a message from Rackspace cloud regarding these, it seems like
they will have to reboot all instances.

See
[https://community.rackspace.com/general/f/53/t/4978](https://community.rackspace.com/general/f/53/t/4978)

~~~
plq
Yet Linode is still silent...

~~~
kbar13
Realize that there's Xen HVM and Xen PV. There have been significantly more
security issues in HVM than there have been in PV.

~~~
walterbell
Do we know why HVM/hw-virt has had more security issues than PV/sw-virt?

~~~
larsk
Yes, because it uses QEMU. That means more code, and ultimately more bugs,
which means more possible exploits.
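The sub-thread above turns on whether a guest runs as PV or HVM, so here is an added example, not code from the thread or from the Xen project, of the check a tenant would run on their own instance: which guest type the kernel reports and which Xen version the host exposes. It assumes the Linux sysfs hypervisor interface (`/sys/hypervisor/type`, `/sys/hypervisor/guest_type`, `/sys/hypervisor/version/{major,minor,extra}`) and the kernel's "Hypervisor detected: Xen PV|HVM" and "Booting paravirtualized kernel on Xen" boot messages as a dmesg fallback; the sample dmesg lines are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the thread or from Xen): report the Xen guest type and
# the Xen version seen from inside a guest. Assumptions: the sysfs hypervisor
# interface and the kernel's Xen boot messages named below; the sample dmesg
# text at the bottom is constructed for demonstration.

# Classify a guest from dmesg-style text on stdin. Prints PV, HVM or unknown.
# HVM guests print the HVM detection/callback lines; PV guests print the PV
# detection line and boot the paravirtualized kernel "on Xen".
xen_guest_type_from_dmesg() {
    text=$(cat)
    case "$text" in
        *"Hypervisor detected: Xen HVM"*|*"Xen HVM callback vector"*) echo HVM ;;
        *"Hypervisor detected: Xen PV"*|*"Booting paravirtualized kernel on Xen"*) echo PV ;;
        *) echo unknown ;;
    esac
}

# Live check: prefer the sysfs guest_type attribute (assumed present on newer
# kernels), fall back to dmesg on older kernels, and say so if this is not Xen.
xen_guest_type() {
    if [ -r /sys/hypervisor/guest_type ]; then
        cat /sys/hypervisor/guest_type
    elif [ -r /sys/hypervisor/type ] && [ "$(cat /sys/hypervisor/type)" = xen ]; then
        dmesg 2>/dev/null | xen_guest_type_from_dmesg
    else
        echo not-xen
    fi
}

# Xen version as the hypervisor reports it to the guest, e.g. "4.4.1",
# or "unknown" when the sysfs files are absent. A provider's backported fix
# will not change this number, so it is a starting point, not proof of patching.
xen_version() {
    d=/sys/hypervisor/version
    if [ -r "$d/major" ] && [ -r "$d/minor" ]; then
        printf '%s.%s%s\n' "$(cat "$d/major")" "$(cat "$d/minor")" "$(cat "$d/extra" 2>/dev/null)"
    else
        echo unknown
    fi
}

# Demonstration on constructed input shaped like real kernel boot output.
SAMPLE_PV='[    0.000000] Hypervisor detected: Xen PV
[    0.000000] Booting paravirtualized kernel on Xen'
SAMPLE_HVM='[    0.000000] Hypervisor detected: Xen HVM
[    0.000000] Xen HVM callback vector for event delivery is enabled'

printf 'sample 1: %s\n' "$(printf '%s\n' "$SAMPLE_PV" | xen_guest_type_from_dmesg)"
printf 'sample 2: %s\n' "$(printf '%s\n' "$SAMPLE_HVM" | xen_guest_type_from_dmesg)"
printf 'this machine: guest_type=%s xen_version=%s\n' "$(xen_guest_type)" "$(xen_version)"
```

Run it as root inside the guest (dmesg may be restricted to root); on a machine that is not a Xen guest it prints `not-xen` and `unknown` rather than failing.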

------
mrsteveman1
Xen's hypervisor would seem to be a great place to implement live patching
like KSplice/kGraft/Kpatch does for the Linux kernel. Presumably that stuff
still works on KVM host machines with live guests.

~~~
resc1440
Amazon's security advisory seems to indicate that they have this capability
for 90% of EC2 instances (leaving 10% that must be rebooted).
[https://aws.amazon.com/premiumsupport/maintenance-2015-03/](https://aws.amazon.com/premiumsupport/maintenance-2015-03/)

~~~
lscotte
Not really - to me, it implies that 90% of EC2 instances are not running on a
vulnerable version of Xen...

~~~
nmjohn
FTA:

> While all instance types need to be updated, we have developed the
> capability to live-update instances running on newer hardware. The vast
> majority of the EC2 fleet will be live-updated, but a portion of instances
> (less than 10% of customer EC2 instances) running on older hardware will
> require a reboot to complete the update process.

------
gnu8
Why do the major Xen providers get advance access to the patches while my
machines have to sit vulnerable for over a week?

~~~
tptacek
_One working week between notification arriving at security@xenproject and the
issue of our own advisory to our predisclosure list. We will use this time to
gather information and prepare our advisory, including required patches._

_Two working weeks between issue of our advisory to our predisclosure list
and publication._

_When a discoverer reports a problem to us and requests longer delays than we
would consider ideal, we will honour such a request if reasonable. If a
discoverer wants an accelerated disclosure compared to what we would prefer,
we naturally do not have the power to insist that a discoverer waits for us to
be ready and will honour the date specified by the discoverer._

_Naturally, if a vulnerability is being exploited in the wild we will make
immediately public release of the advisory and patch(es) and expect others to
do likewise._

This is an extraordinarily aggressive (in a good way) and transparent process.
Big commercial vendors routinely sit on vulnerabilities for months.

------
namplaa
At the 31c3 somebody had shown or told the audience about an issue in the Xen
hypervisor that allowed someone to break into the host from the guest.

~~~
chisleu
I was told it was a series of bugs that made it possible.

------
pa7ch
This is why seL4 is awesome.
[http://ssrg.nicta.com.au/projects/seL4/](http://ssrg.nicta.com.au/projects/seL4/)

First kernel with certain security guarantees formally proven; now open
source. It can be used as a hypervisor which seems like its most obvious first
use case. At least until there is enough middle-ware to build full systems
directly with it.

~~~
chubot
It is indeed awesome, but from a practical perspective it doesn't even compare
with Xen.

Hardware support is up to you. I think you can boot it on x86, but that's just
the microkernel -- you have to add all the hardware support. I don't think
seL4 is meant to run on servers either.

------
pjmlp
Quite a few use-after-frees there.

------
runamok
AWS uses xen too, right?

~~~
somanim
Yes, part of the reason I moved away from AWS years ago. Now it doesn't even
matter since I am deploying to Docker anyways.

~~~
NeutronBoy
Good thing the host you run Docker on never needs to be patched or rebooted I
guess?

~~~
hueving
Yes, docker is immune to vulnerabilities because containers.

~~~
__bjoernd
If the kernel you are running on is vulnerable, it can be attacked and the
attacker can circumvent any container isolation.

If the hypervisor (Xen!) running underneath your container-Linux is
vulnerable, the attacker can get access to your virtualized OS and circumvent
any container isolation.

~~~
Xylakant
Your sarcasm detector may need recalibration.

------
j_mcnally
#2 will blow your mind.