XEN Security Update XSA-109, XSA-110

XSA-109Malicious or buggy stub domain kernels or tool stacks otherwise living outside of Domain0 can mount a denial of service attack which, if successful, can affect the whole system.
Only PV domains with privilege over other guests can exploit this vulnerability; and only when those other guests are HVM using HAP, or PVH.  The vulnerability is therefore exposed to  V domains providing hardware emulation services to HVM guests.
This issue affects CentOS 6.x (static HVs only) with Xen 4.2.x, running Windows and FreeBSD guests. 
XSA-110Malicious HVM guest (FreeBSD or Windows ) user mode code may be able to elevate its privileges to guest supervisor mode, or to crash the guest.
Both CentOS 5.x with Xen 3.4.4 (both static and CloudBoot HVs) and CentOS 6.x (Static HVs only), running Windows and FreeBSD guests are affected. 

To eliminate the security issue for CloudBoot Hypervisors you need to update to OnApp 3.3.2-3 Storage Update to fix the XSA-110. –°ustomers with CloudBoot HV running on Xen CentOS 6.x (experimental mode) must upgrade to OnApp 3.3.2-4 Storage Update to fix both XSA-109 and XSA-110 issues.


To eliminate the security issue for Static Hypervisors:

For customers willing to upgrade to the latest hypervisor tools (corresponded to used OnApp version)

  • Run the OnApp Xen Hypervisor installer

    /onapp/onapp-hv-install/onapp-hv-xen-install.sh
  • Reboot the hypervisor.

    Consider migrating (if required) of running guests into any other host before the reboot.

For customers which are using latest hypervisor tools or do not want to upgrade them:


  • CentOS 5.x

    # yum update xen xen-libs

    This should update to the the 3.4.4-2.el5.onapp.5 version.

  • CentOS 6.x

     # yum update centos-xen-repo xen xen-hypervisor

    This should update to the 4.2.5-37.onapp.1.el6.x86_64 version.

  • Reboot the hypervisor. 

    Consider migrating (if required) of running guests into any other host before the reboot.