XEN Security Update XSA-148/CVE-2015-7835, XSA-149/CVE-2015-7969, XSA-150/CVE-2015-7970, XSA-151/CVE-2015-7969, XSA-152/CVE-2015-7971, XSA-153/CVE-2015-7972


Issue | Summary | Affected Versions | Fixed
Static Compute Resources | CloudBoot Compute Resources | Static Compute Resources | CloudBoot Compute Resources
CentOS 5.x | CentOS 6.x | CentOS 5.x | CentOS 6.x | CentOS 5.x | CentOS 6.x | CentOS 5.x | CentOS 6.x

XSA-148/CVE-2015-7835 | Uncontrolled creation of large page mappings by PV guests. | -**
XSA-149/CVE-2015-7969 | Leak of main per-domain vCPU pointer array. | -----**
XSA-150/CVE-2015-7970 | Long latency populate-on-demand operation is not preemptible. | ✓*✓*✓*✓*---**
XSA-151/CVE-2015-7969 | Leak of per-domain profiling-related vCPU pointer array. | -----**
XSA-152/CVE-2015-7971 | Some pmu and profiling hypercalls log without rate limiting. | -**
XSA-153/CVE-2015-7972 | Populate-on-demand balloon size inaccuracy can crash guests. | ✓*✓*✓*✓*---**

* This issue affects compute resources running Windows 2008, 2012 and FreeBSD guests with memory hot-resizing enabled.

** These issues will be fixed in a future CloudBoot update.

For customers willing to upgrade to the latest compute resource tools (corresponding to the installed OnApp version):

 Static Compute Resources

To eliminate the security issue for Static Compute Resources:

  • Run the OnApp Xen Compute Resource installer:

    /onapp/onapp-hv-install/onapp-hv-xen-install.sh
  • Reboot all VSs created on the compute resource.

For customers who are already using the latest compute resource tools or do not want to upgrade them:

  • CentOS 5.x

    # yum update xen xen-libs

    This should update to the xen-3.4.4-17.el5.onapp.x86_64 version.

  • CentOS 6.x

    # yum update xen xen-hypervisor

    This should update to the xen-4.2.5-38.16.onapp.el6.x86_64 version.

  • Reboot all VSs created on the compute resource.
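
A post-update check for the steps above, as an added example that is not part of the original advisory or OnApp's tooling: it compares the installed xen build against the fixed builds named above, using numeric segment comparison so that a later release such as 38.100 is not misread as older than 38.16. The function names, the `--live` flag and the simplified version ordering (no epochs) are assumptions of this sketch, and it checks only the `xen` package because that is the only build the advisory names.

```shell
#!/bin/sh
# Fixed builds exactly as named in the advisory above.
FIXED_EL5="xen-3.4.4-17.el5.onapp.x86_64"
FIXED_EL6="xen-4.2.5-38.16.onapp.el6.x86_64"

# vr_lt A B: succeeds when version-release A is older than B.
# Simplified rpm-style ordering (assumption: no epochs or tildes):
# split on non-alphanumerics, compare numeric segments as numbers.
vr_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, /[^A-Za-z0-9]+/); nb = split(b, y, /[^A-Za-z0-9]+/)
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      if (i > na) exit 0            # A ran out of segments first: older
      if (i > nb) exit 1
      if (x[i] ~ /^[0-9]+$/ && y[i] ~ /^[0-9]+$/) {
        if (x[i] + 0 < y[i] + 0) exit 0
        if (x[i] + 0 > y[i] + 0) exit 1
      } else if (x[i] != y[i]) exit ((x[i] < y[i]) ? 0 : 1)
    }
    exit 1                          # identical builds are not older
  }'
}

# check_xen EL_MAJOR NVRA: returns 0 = at or above the fixed build,
# 1 = older than the fixed build, 2 = cannot decide.
check_xen() {
  case "$1" in
    5) _fixed=$FIXED_EL5 ;;
    6) _fixed=$FIXED_EL6 ;;
    *) echo "UNKNOWN: no fixed build listed for CentOS $1"; return 2 ;;
  esac
  case "$2" in
    xen-[0-9]*) ;;
    *) echo "UNKNOWN: xen not installed ($2)"; return 2 ;;
  esac
  _inst=${2#xen-};      _inst=${_inst%.*}    # drop package name and arch
  _want=${_fixed#xen-}; _want=${_want%.*}
  if vr_lt "$_inst" "$_want"; then
    echo "OUTDATED: $2 is older than $_fixed"; return 1
  fi
  echo "OK: $2"
}

# Live use on a compute resource (hypothetical invocation): sh check.sh --live
if [ "${1:-}" = "--live" ]; then
  el=$(rpm -q --qf '%{VERSION}' centos-release | cut -d. -f1)
  check_xen "$el" "$(rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n' xen | head -n 1)"
fi
```

A non-zero exit status from `check_xen` lets a fleet-wide loop flag compute resources that still need the update.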

CloudBoot Compute Resources

To eliminate the security issue for CloudBoot Compute Resources, run the OnApp 4.1.0-9 Storage Update. This should update to the following version:

 
CentOS 5.x
Xen
onapp-store-install-4.1.0-9.noarch