XEN Security Update XSA-213/CVE-2017-8903, XSA-214/CVE-2017-8904, XSA-215/CVE-2017-8905


Issue


Summary 

Affected Versions | Fixed
Static Compute Resources | CloudBoot Compute Resources | Static Compute Resources | CloudBoot Compute Resources
CentOS 5.x | CentOS 6.x | CentOS 5.x | CentOS 6.x | CentOS 5.x | CentOS 6.x | CentOS 5.x | CentOS 6.x
XSA-213/CVE-2017-8903 | x86: 64bit PV guest breakout via pagetable use-after-mode-change | ✓* | ✓* | ✓* | ✓* | - | ✓** | -
XSA-214/CVE-2017-8904 | Grant transfer allows PV guest to elevate privileges | ✓**
XSA-215/CVE-2017-8905 | Possible memory corruption via failsafe callback | ✓* | ✓* | ✓* | ✓* | ✓**

* Both Static and CloudBoot compute resources running under CentOS 5.x and 6.x are affected. Those running Linux x86_64 guests are vulnerable.

** The issue has been fixed for OnApp versions 4.2.0 and up for CentOS 6.x with Xen 4.4.4.

Static Compute Resources

For customers willing to upgrade to the latest compute resource tools (corresponding to the OnApp version installed):

  • This step applies to CentOS 5.x Xen compute resources only. Run the following command:

    # yum update onapp-hv-install

    Be aware that centos.org has ended support for CentOS 5.x. For more information, refer to "EOL CentOS 5.x".

  • Run the OnApp Xen Compute Resource installer:

    # /onapp/onapp-hv-install/onapp-hv-xen-install.sh

  • Reboot all compute resources.

For customers who are using the latest compute resource tools or do not want to upgrade them:

  • CentOS 5.x

    # yum update xen xen-libs

    This should update to the 3.4.4-35.el5.onapp version.

    Be aware that centos.org has ended support for CentOS 5.x. For more information, refer to "EOL CentOS 5.x".

  • CentOS 6.x

    # yum update xen xen-hypervisor

    For versions of OnApp HV tools after version 4.2.0, the fix is provided by CentOS.org. The command above should update to the 4.4.4-23 version.

  • Reboot all compute resources.
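
A post-update check for the steps above, as an added example that is not part of the original advisory or OnApp's tooling: it compares the installed `xen` package with the fixed versions stated above and, as a heuristic assumption, treats a package installed after the last boot as still needing the reboot. The function names are hypothetical.

```shell
#!/bin/sh
# Added example (not OnApp tooling); function names are hypothetical.
# The fixed versions below are the ones stated in this advisory.

# ver_ge INSTALLED FIXED: succeed if INSTALLED >= FIXED, comparing the
# segments between '.' and '-' from left to right.
ver_ge() {
    local a b x y
    a=$1 b=$2
    while [ -n "$b" ]; do
        [ -n "$a" ] || return 1          # installed string ran out: older
        x=${a%%[.-]*} y=${b%%[.-]*}      # leading segment of each string
        if [ "$x" != "$y" ]; then
            # expr compares as integers when both are, otherwise as strings
            expr "$x" \> "$y" >/dev/null; return
        fi
        a=${a#"$x"} b=${b#"$y"}          # drop the segment...
        a=${a#[.-]} b=${b#[.-]}          # ...and its separator
    done
    return 0                             # equal, or installed has extra suffix
}

# patch_status INSTALLED FIXED INSTALL_EPOCH BOOT_EPOCH
# Prints outdated, reboot-pending or ok.
patch_status() {
    if ! ver_ge "$1" "$2"; then echo outdated
    elif [ "$3" -gt "$4" ]; then echo reboot-pending   # updated after last boot
    else echo ok
    fi
}

check_host() {
    local fixed installed itime boot
    case "$(cat /etc/redhat-release)" in
        *"release 5"*) fixed=3.4.4-35.el5.onapp ;;
        *"release 6"*) fixed=4.4.4-23 ;;
        *) echo "unsupported release" >&2; return 2 ;;
    esac
    installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}' xen) || return 2
    itime=$(rpm -q --qf '%{INSTALLTIME}' xen)
    boot=$(( $(date +%s) - $(cut -d. -f1 /proc/uptime) ))
    echo "xen $installed (fixed $fixed): $(patch_status "$installed" "$fixed" "$itime" "$boot")"
}

if [ "${1:-}" = "--check" ]; then check_host; fi
```

Invoked with `--check` on a compute resource it prints one status line; without arguments it only defines the functions.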

CloudBoot Compute Resources

To eliminate the security issue for CloudBoot Compute Resources, see CloudBoot Compute Resources and CloudBoot Backup Server upgrade procedures.

This should update to the following versions:

CentOS 5: onapp-ramdisk-centos5-xen-5.4.0-21.noarch.rpm

CentOS 6: onapp-ramdisk-centos6-xen-5.4.0-21.noarch.rpm