Xen warns of nine embargo-worthy bugs

The Xen Project has announced nine – as in 3^2 – embargo-worthy bugs. Details of the problems, with fixes for all, will be revealed on June 20. Xen's security policy sees it announce the existence of bugs two weeks before it releases patches to the world. But detailed news of the bugs is revealed to big Xen users, which makes …

  1. Anonymous Coward

    Wow

    Wow, Simon, did somebody in the Xen project cross you or something?

    First off, the crazy 3^2 comment.

    Second, the comment about how they want to reduce publicity and you linking it to your previous story. You know, the story where the Xen project team responded in the comments and explained exactly what was going on, and no, PR had nothing to do with it.

    Then you mention that indeed, Xen has live patching (AWS has had it for ages), and yet put reboots in both the subhead and the body. Mass reboots sounds like a Linode problem, not a Xen problem.

    Then the comment about mass migration to KVM. The comments in your previous story mention how KVM has bad security also (along with VMware, Hyper-V, etc.), they're just not as announced as such. There's a reason that the major cloud providers use Xen and not KVM. I'm sure if KVM was so much better than Xen, AWS wouldn't keep messing around with Xen!

    1. Adam 52

      Re: Wow

      We'll learn shortly whether AWS will survive without rebooting.

      Linode are actively trying to get their customers to migrate to KVM, it's their default platform now because it performs "much better" (25% to 3-times by their benchmarks). So Linode will be using this as an excuse to move people over. Being smaller than AWS they can. AWS are still trying to move people from pv to hvm, and have been for three or four years now.

      There's no real incentive for AWS to push a more efficient technology, their customers will just horizontally scale and pay more. Cloud competition is more about features than raw performance.

      The comments you refer to about the Xen move didn't explicitly exclude bad PR as a reason, and even if they did I wouldn't believe them - it's only human to want to look good.

      1. Anonymous Coward

        Re: Wow

        AWS has managed to apply past XSAs without rebooting, so I'm not sure why you assume that this one will be any different?

        I'll take any information that Linode provides with a huge chunk of rock salt.

        1. Adam 52

          Re: Wow

          "AWS has managed to apply past XSAs without rebooting, so I'm not sure why you assume that this one will be any different?"

          AWS have managed to apply *some* patches to *some* instances without rebooting.

          Even if they hit the 99.9% no reboot needed that they have in the past then that's still a lot of reboots.

          AWS need to randomly reboot stuff all the time, we may not notice against the background noise.

  2. sitta_europea

    I knew there must be a reason I'm dropping all connections from Linode in the tarpit.

  3. gwd

    Moving to KVM because of Xen's XSAs...

    Moving from Xen to KVM because we announce security vulnerabilities is like moving from a western country with a free press to China or Iran because of all the bad things you hear about the government. KVM doesn't have a security response process; you may not *ever* find out about vulnerabilities discovered in KVM, and if you're a cloud provider you certainly won't be told about them two weeks before the public announcement. On the other hand, every Xen user can know that in two weeks there will be security updates they should consider applying.

    BTW Linode's performance numbers are misleading; instead of comparing 64-bit KVM guests to 64-bit Xen HVM guests (which use hardware virtualization support), they compare 64-bit KVM guests to 64-bit Xen PV guests. 64-bit PV guests on Xen have known performance limitations because AMD removed the segmentation limits (which is what Xen used to make 32-bit guests really fast before hardware virtualization support was available).

    1. larsk

      Re: Moving to KVM because of Xen's XSAs...

      In addition if anyone is concerned about the raw number of vulnerabilities check out:

      * Linux: http://www.cvedetails.com/product/47/Linux-Linux-Kernel.html?vendor_id=33

      * QEMU/KVM: http://www.cvedetails.com/product/12657/Qemu-Qemu.html?vendor_id=7506 & http://wiki.qemu.org/SecurityProcess - the interesting point on the process is that "at times, what appears to be a genuine security flaw, might not be considered so".

      In other words, QEMU/KVM already has a similar policy, which Xen proposed publicly, and was criticised for. And as an aside, the project has not introduced the process change.

      * Xen: http://www.cvedetails.com/product/23463/XEN-XEN.html?vendor_id=6276 (not yet including those 9)

      I think all the figures speak for themselves.

  4. Anonymous Coward

    The timing makes sense

    "in November 2016 it announced eight"

    What the project said then can be found here: https://blog.xenproject.org/2016/11/22/what-you-need-to-know-about-recent-xen-project-security-advisories

    The relevant quote is "Today the Xen Project announced eight security advisories: XSA-191 to XSA-198. The bulk of these security advisories were discovered and fixed during the hardening phase of the Xen Project Hypervisor 4.8 release (expected to come out in early December)."

    Well, Xen 4.9 has been going through its hardening phase in the last few weeks and these fixes will go into the release. See https://lists.xen.org/archives/html/xen-devel/2017-06/msg00190.html

  5. benyjoseph

    What version of Xen is expected to be affected by this?
