XEN Security Update XSA-185/CVE-2016-7092, XSA-186/CVE-2016-7093, XSA-187/CVE-2016-7094, XSA-188/CVE-2016-7154


Issue


Summary 

Affected VersionsFixed
Static Compute ResourcesCloudBoot Compute ResourcesStatic Compute ResourcesCloudBoot Compute Resources
CentOS 5.xCentOS 6.xCentOS 5.xCentOS 6.xCentOS 5.xCentOS 6.xCentOS 5.xCentOS 6.x

XSA-185/CVE-2016-7092

Disallow L3 recurcive pagetable for 32-bit PV guests✓*✓*✓*✓*

XSA-186/CVE-2016-7093

Mishandling of instruction pointer truncation during emulation - - - - - - - -
XSA-187/CVE-2016-7094Overflow of SH_CTXT->SEG_REG[]  - - - - - - - -
XSA-188/CVE-2016-7154Use after free in FIFO event channel code - ✓** - ✓** - ✓** - ✓**

* Static and Cloudboot compute resources are affected and the compute resources running 32-bit guests are vulnerable.

** The issue affects only Static and CloudBoot compute resources running under CentOS 6.x with Xen 4.4.4 and OnApp version 4.2 and higher.

For customers willing to upgrade to the latest compute resource tools (corresponding to OnApp version installed)

 Static Compute Resources

To eliminate the security issue for Static Compute Resources:

  • Run the OnApp Xen Compute Resource installer

    /onapp/onapp-hv-install/onapp-hv-xen-install.sh
  • Reboot all compute resources.

For customers which are using latest compute resource tools or do not want to upgrade them:

  • CentOS 5.x

    # yum update xen xen-libs

    This should update to the xen-3.4.4-24.el5.onapp.x86_64 version.

  • CentOS 6.x

     # yum update xen xen-hypervisor
    • For versions of OnApp HV tools prior to version 4.2.0 this should update to the xen-4.2.5-38.30.onapp.el6.x86_64
      version.
    • For versions of OnApp HV tools after version 4.2.0 the fix is provided by CentOS.org. The command above should update to the 4.4.4.-12 version.

  • Reboot all compute resources.


CloudBoot Compute resources

To eliminate the security issue for Cloudboot Compute Resources, see CloudBoot Compute Resources and CloudBoot Backup Server upgrade procedures. For more information on the update, refer to OnApp 5.0 Release Notes

This should update to the following version:

 
CentOS 5.x
Xen
onapp-store-install-5.0.0-21.noarch.rpm