Get patching: Xen bug blows hypervisor security to bits – literally

The Xen Project has issued eight security advisories for its open source hypervisor. XSA-195 is considered the most serious of the eight, as it could allow memory modification, resulting in arbitrary code execution, a crash of the host, or information exposure. According to the Xen Project, XSA-195 (CVE-2016-9383) is …

  1. Korev Silver badge

    Mass Xen for Amazon?

    Does this mean that there'll be a mass reboot of AWS VMs again?

    1. This post has been deleted by its author

    2. Adam 52 Silver badge

      Re: Mass Xen for Amazon?

      AWS gets advance notice of patches. The reboots, where needed, happened last week.

      1. Korev Silver badge

        Re: Mass Xen for Amazon?

        Thanks for the answer.

  2. jms222

    One of these days somebody will discover something that _can't_ be fixed on the nasty hacky x86 that was never designed for this sort of thing.

    Don't the VMs themselves get teleported out whilst the host is fixed, and therefore not get rebooted?

    1. BinkyTheMagicPaperclip Silver badge

      Yes. The VMs can be migrated to another host, provided no hardware is passed through to the VM, and the processor features on the target Xen box are equivalent or better than those on the source box.

      1. larsk

        Or LivePatching could be used, which means these patches can also be applied without rebooting. But a fix that has not yet been upstreamed to the LivePatch build tools is needed: see https://lists.xenproject.org/archives/html/xen-devel/2016-11/threads.html#02058

  3. Anonymous Coward

    A little alarmist

    God, I hate articles like this, which sound very alarmist when you first read them, but once you investigate even a tiny bit (and to do this you will have to follow all the links) turn out to be a storm in a teacup. So get patching, but don't panic. Happy Thanksgiving!

    The Advisory of XSA-195 does state in the credits that the bug was discovered by running American Fuzzy Lop v2.35b. I also found it interesting that the Qubes team (nearly) praise the Xen team in their security bulletin: that's kind of new and unusual. It is also reassuring that the Xen team now does some targeted security testing and hardening towards the end of making a release.

    1. JudeKay (Written by Reg staff)

      Re: A little alarmist

      Happy thanksgiving, Anonymous.
