Xen Vulnerability XSA-108


An update for Xen has been released to address a vulnerability in which a buggy or malicious HVM guest can crash the host or read data belonging to other guests or to the hypervisor itself. Xen versions 4.1 and above are affected.

Note : This is not a bug in the Virtualizor VPS Panel but a bug in Xen itself. The full details of the bug are given below.

If your Virtualizor Host Node is running CentOS 6 with Xen (typically Xen 4.2.x), or any Xen version 4.1 or later, you will need to update Xen with yum and then reboot the server. The commands are as follows :

root> yum -y update
root> /usr/bin/grub-bootxen.sh

Note : You will need to reboot the server.

If you need any assistance updating Xen, please contact the Virtualizor support team.

Following is the security advisory :

Xen Security Advisory CVE-2014-7188 / XSA-108
                   version 4

              Improper MSR range used for x2APIC emulation

UPDATES IN VERSION 4
====================

Public release.

ISSUE DESCRIPTION
=================

The MSR range specified for APIC use in the x2APIC access model spans
256 MSRs. Hypervisor code emulating read and write accesses to these
MSRs erroneously covered 1024 MSRs. While the write emulation path is
written such that accesses to the extra MSRs would not have any bad
effect (they end up being no-ops), the read path would (attempt to)
access memory beyond the single page set up for APIC emulation.

IMPACT
======

A buggy or malicious HVM guest can crash the host or read data
relating to other guests or the hypervisor itself.

VULNERABLE SYSTEMS
==================

Xen 4.1 and onward are vulnerable.

Only x86 systems are vulnerable.  ARM systems are not vulnerable.

MITIGATION
==========

Running only PV guests will avoid this vulnerability.

CREDITS
=======

This issue was discovered by Jan Beulich at SUSE.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa108.patch        xen-unstable, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x
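The ISSUE DESCRIPTION above explains the defect in terms of MSR counts (256 architectural x2APIC MSRs versus the 1024 the emulation accepted) and a single backing page. The following small C model, added here for illustration and not taken from Xen's source, shows why the wider range matters: each x2APIC MSR maps to a 16-byte register offset, so accepting 1024 MSRs yields offsets up to 16 KiB into a 4 KiB page. The model refuses any read whose offset leaves the page, which is the check the over-wide range effectively bypassed; all names and status codes are constructed for the example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

/* Model of the x2APIC MSR read-emulation path described in the advisory.
 * Written for this page; not Xen's code. Names and status codes are
 * constructed for the example. */
#define X2APIC_MSR_BASE        0x800u  /* architectural x2APIC MSR base */
#define APIC_PAGE_SIZE         4096u   /* single page backing the emulated APIC */
#define X2APIC_RANGE_CORRECT   0x100u  /* 256 MSRs: the architectural range */
#define X2APIC_RANGE_BUGGY     0x400u  /* 1024 MSRs: the range the buggy code accepted */

enum { READ_OK = 0, READ_NOT_X2APIC = -1, READ_OUT_OF_PAGE = -2 };

/* Emulate a guest read of `msr` against the 4 KiB APIC page `page`.
 * `range` is how many MSRs above the base the intercept accepts. A read
 * whose register offset falls outside the page is refused, not performed. */
int x2apic_msr_read(const uint8_t *page, uint32_t msr, uint32_t range,
                    uint32_t *value)
{
    if (msr < X2APIC_MSR_BASE || msr >= X2APIC_MSR_BASE + range)
        return READ_NOT_X2APIC;       /* not handled by this intercept */
    /* x2APIC MSR (base + n) maps to xAPIC register offset n * 16 */
    uint32_t offset = (msr - X2APIC_MSR_BASE) << 4;
    if (offset + sizeof(*value) > APIC_PAGE_SIZE)
        return READ_OUT_OF_PAGE;      /* would read beyond the APIC page */
    memcpy(value, page + offset, sizeof(*value));
    return READ_OK;
}

/* Count the MSRs an intercept of width `range` accepts whose emulated
 * read would land beyond the APIC page. */
unsigned count_out_of_page(uint32_t range)
{
    static uint8_t page[APIC_PAGE_SIZE];  /* zero-filled stand-in for the APIC page */
    unsigned bad = 0;
    for (uint32_t msr = X2APIC_MSR_BASE; msr < X2APIC_MSR_BASE + range; msr++) {
        uint32_t v;
        if (x2apic_msr_read(page, msr, range, &v) == READ_OUT_OF_PAGE)
            bad++;
    }
    return bad;
}
```

With the buggy width, 768 of the 1024 accepted MSRs resolve to offsets past the page; with the architectural width of 256, none do.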

Sources :
http://xenbits.xen.org/xsa/
http://lists.centos.org/pipermail/centos-announce/2014-October/020662.html

Regards,
The Virtualizor Team