XEN Security Update XSA-199/CVE-2016-9637, XSA-200/CVE-2016-9932, XSA-202/CVE-2016-10024, XSA-204/CVE-2016-10013


Issue | Summary | Affected Versions | Fixed
 | | Static Compute Resources | CloudBoot Compute Resources | Static Compute Resources | CloudBoot Compute Resources
 | | CentOS 5.x | CentOS 6.x | CentOS 5.x | CentOS 6.x | CentOS 5.x | CentOS 6.x | CentOS 5.x | CentOS 6.x
XSA-199/CVE-2016-9637 | Qemu IO port array overflow | ✓* | ✓* | ✓* | ✓*
XSA-200/CVE-2016-9932 | X86 CMPXCHG8B emulation fails to ignore operand size override
XSA-202/CVE-2016-10024 | X86 PV guests may be able to mask interrupts | ✓** | ✓** | ✓** | ✓**
XSA-204/CVE-2016-10013 | X86: mishandling of SYSCALL singlestep during emulation | ✓*** | ✓*** | ✓*** | ✓***

* Both Static and CloudBoot compute resources running under RHEL/CentOS 5.x and 6.x are affected; those running guests in HVM mode (Windows, or Recovery, Boot from ISO and Build from ISO modes) are vulnerable.

** Both Static and CloudBoot compute resources running under CentOS 5.x and 6.x are affected; those running guests in PV mode (Linux VSs) are vulnerable.

*** Both Static and CloudBoot compute resources running under CentOS 5.x and 6.x are affected; those running 64-bit HVM guests (FreeBSD or Windows guests, or guests in Recovery, Boot from ISO and Build from ISO modes) are vulnerable.


Static Compute Resources

For customers willing to upgrade to the latest compute resource tools (corresponding to the OnApp version installed):

  • This step applies to CentOS 5.x Xen compute resources only. Run the following command:

    # yum update onapp-hv-install

  • Run the OnApp Xen Compute Resource installer:

    # /onapp/onapp-hv-install/onapp-hv-xen-install.sh

  • Reboot all compute resources.

For customers who are using the latest compute resource tools or do not want to upgrade them:

  • CentOS 5.x

    # yum update xen xen-libs

    This should update to the xen-3.4.4-30.el5.onapp.x86_64 version.

  • CentOS 6.x

    # yum update xen xen-hypervisor

    • For versions of OnApp HV tools prior to version 4.2.0, this should update to the xen-4.2.5-38.36.onapp.el6.x86_64 version.
    • For versions of OnApp HV tools after version 4.2.0, the fix is provided by CentOS.org. The command above should update to the 4.4.4-15 version.
  • Reboot all compute resources.
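
A post-update check for the Static Compute Resources steps above, as an added example that is not part of the advisory or of OnApp's tooling: it compares an installed xen version-release with the fixed builds listed. The function names are hypothetical, the sample values are constructed, and choosing the baseline from the installed Xen branch (3.4, 4.2 or 4.4) is an assumption.

```sh
#!/bin/sh
# Added example (not OnApp code): check an installed xen VERSION-RELEASE
# against the fixed builds named in the advisory.

# cmp_num A B: compare dotted numeric strings field by field; prints lt, eq or gt.
# Always called via $(...), so its variables stay in the subshell.
cmp_num() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        if [ "${x:-0}" -lt "${y:-0}" ]; then echo lt; return; fi
        if [ "${x:-0}" -gt "${y:-0}" ]; then echo gt; return; fi
    done
    echo eq
}

# xen_is_fixed VERSION-RELEASE: 0 = fixed build or newer, 1 = older,
# 2 = branch the advisory does not list (assumption: baseline chosen by branch).
xen_is_fixed() {
    ver="${1%%-*}"; rel="${1#*-}"
    case $ver in
        3.4.*) base=3.4.4-30 ;;      # CentOS 5.x
        4.2.*) base=4.2.5-38.36 ;;   # CentOS 6.x, OnApp HV tools prior to 4.2.0
        4.4.*) base=4.4.4-15 ;;      # CentOS 6.x, OnApp HV tools after 4.2.0
        *) return 2 ;;
    esac
    rel="${rel%%[A-Za-z]*}"; rel="${rel%.}"   # drop dist tags such as .onapp.el6
    c=$(cmp_num "$ver" "${base%%-*}")
    if [ "$c" = eq ]; then c=$(cmp_num "$rel" "${base#*-}"); fi
    [ "$c" != lt ]
}

# check_host: same test against the RPM database of a compute resource.
check_host() {
    xen_is_fixed "$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' xen | head -n 1)"
}

# Constructed sample values, so the comparison can be exercised off-host.
for s in 3.4.4-30.el5.onapp 3.4.4-29.el5.onapp 4.2.5-38.36.onapp.el6 4.4.4-14.el6; do
    if xen_is_fixed "$s"; then echo "xen-$s: fixed"; else echo "xen-$s: NOT fixed"; fi
done
```

On a compute resource, call check_host after the update; it reads the installed package only, so the reboot step still applies before the new hypervisor is running.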


CloudBoot Compute Resources

To eliminate the security issue for CloudBoot Compute Resources, see the CloudBoot Compute Resources and CloudBoot Backup Server upgrade procedures.

This should update to the following version:

CentOS 5 | CentOS 6
onapp-ramdisk-centos5-xen-5.3.0-7.noarch.rpm | onapp-ramdisk-centos6-xen-5.3.0-7.noarch.rpm