XEN Security Update XSA-155/CVE-2015-8550, XSA-157/CVE-2015-8551,CVE-2015-8552,CVE-2015-8553, XSA-164/CVE-2015-8554, XSA-165/CVE-2015-8555, XSA-166



Affected VersionsFixed
Static Compute ResourcesCloudBoot Compute ResourcesStatic Compute ResourcesCloudBoot Compute Resources
CentOS 5.xCentOS 6.xCentOS 5.xCentOS 6.xCentOS 5.xCentOS 6.xCentOS 5.xCentOS 6.x
XSA-155/CVE-2015-8550 Paravirtualized drivers incautious about shared memory contents. ✓****---
XSA-157/CVE-2015-8551,CVE-2015-8552,CVE-2015-8553Linux pciback missing sanity checks leading to crash.********----
XSA-164/CVE-2015-8554QEMU-DM buffer overrun in MSI-X handling.✓* **✓* **✓* **✓* **----
XSA-165/CVE-2015-8555Information leak in legacy X86 FPU/XMM initialization.---
XSA-166IOREQ handling possibly susceptible to multiple read issue.✓*✓*✓*✓*--

* This issue affects only the compute resources that are running FreeBSD and/or Windows guests, or in recovery (HVM mode).

** Both Static and CloudBoot compute resources are affected but are not vulnerable as OnApp does not provide Xen HVM guests with an access to physical PCI devices ('PCI passthrough').

For customers willing to upgrade to the latest compute resource tools (corresponding to OnApp version installed)

 Static Compute Resources

To eliminate the security issue for Static Compute Resources:

  • Run the OnApp Xen Compute Resource installer

  • Reboot all compute resources.

For customers which are using latest compute resource tools or do not want to upgrade them:

  • CentOS 5.x

    # yum update xen xen-libs

    This should update to the xen-3.4.4-20.el5.onapp.x86_64 version.

  • CentOS 6.x

     # yum update xen xen-hypervisor

    This should update to the xen-4.2.5-38.22.onapp.el6.x86_64 version.

  • Reboot all compute resources.

CloudBoot Compute resources

To eliminate the security issue for Cloudboot Compute Resources, run the OnApp 4.1.2-3 Storage Update. Use CloudBoot Compute Resources and CloudBoot Backup Server upgrade procedures (only reboot option is applicable) to install the update.

This should update to the following version:

CentOS 5.x