XEN Security Update XSA-156/CVE-2015-5307, XSA-158/CVE-2015-8338, XSA-159/CVE-2015-8339,CVE-2015-8340, XSA-160/CVE-2015-8341, XSA-161, XSA-162/CVE-2015-7504, XSA-163

CentOS5 compute resources running Xen

08/01/16 - The new updated package released on January, 8th addresses the issue with Windows 2008 based VSs failng to boot up on CentOS5 XEN compute resources.

06/01/16 - We have had reports of some stability issues with Windows Virtual Servers after running this update on Static/Cloudboot compute resources running CentOS5. We are investigating further and will update this document once we have further details. At this stage we would recommend not to run this update if your cloud is running Windows Virtual Servers and CentOS5 compute resources.


Issue


Summary 

Affected VersionsFixed
Static Compute ResourcesCloudBoot Compute ResourcesStatic Compute ResourcesCloudBoot Compute Resources
CentOS 5.xCentOS 6.xCentOS 5.xCentOS 6.xCentOS 5.xCentOS 6.xCentOS 5.xCentOS 6.x
XSA-156/CVE-2015-5307CPU lockup during fault delivery.✓*✓*✓*✓*---
XSA-158/CVE-2015-8338Long running memory operations on ARM.--------
XSA-159/CVE-2015-8339, ,CVE-2015-8340Xenmem_exchange error handling issues.-
XSA-160/CVE-2015-8341LIbXL leak of PV kernel and initrd on error.---
XSA-161Missing xsetbv intercept privilege check on AMD SVM.-------
XSA-162/CVE-2015-7504Heap buffer overflow vulnerability in PCNet emulator.-------
XSA-163VMPU' setting on compute resource.---

* This issue affects only the compute resources that are running FreeBSD and/or Windows guests, or in recovery (HVM mode).

For customers willing to upgrade to the latest compute resource tools (corresponding to OnApp version installed)

 Static Compute Resources

To eliminate the security issue for Static Compute Resources:

  • Run the OnApp Xen Compute Resource installer

    /onapp/onapp-hv-install/onapp-hv-xen-install.sh
  • Reboot all VSs, which are created at the compute resource.

For customers which are using latest compute resource tools or do not want to upgrade them:

  • CentOS 5.x

    # yum update xen xen-libs

    This should update to the xen-3.4.4-19.el5.onapp.x86_64 version.

  • CentOS 6.x

     # yum update xen xen-hypervisor

    This should update to the xen-4.2.5-38.19.onapp.el6.x86_64 version.

  • Reboot all VSs, which are created at the compute resource.

CloudBoot Compute resources

To eliminate the security issue for Cloudboot Compute Resources, run the OnApp 4.1.0-14 Storage Update. Use CloudBoot Compute Resources and CloudBoot Backup Server upgrade procedures (only reboot option is applicable) to install the update.

This should update to the following version:

 
CentOS 5.x
Xen
onapp-store-install-4.1.0-14.noarch