Jump to content

Cuidado, nova vulnerabilidade, Xen security advisory XSA-108


Marco Antonio

Recommended Posts

Acabei de receber isto da solus:

 

Xen issue XSA-108
 
Hi Marco Antonio,
This is a short note to make you aware of the Xen security advisory XSA-108, which may have an impact on Xen hypervisors in SolusVM. It is not a SolusVM issue - it is an issue that affects many Xen environments.  
What is the nature of the advisory?
________________________________________
Unfortunately we are under embargo. We cannot reveal specific details of the issue or patches at this time.
The embargo will be lifted at 1pm UK time on Wednesday 1st October. 
If you are in a position to patch your Xen hypervisors now, we recommend you do so. Otherwise, we recommend that you prepare to patch your hypervisors as soon as possible after the embargo has lifted.
More information, coming soon
________________________________________
Keep watch on the Xen advisory site, where patches will be made available at 1pm on 1st October: http://xenbits.xen.org/xsa/. When the embargo has lifted we will publish a Knowledge Base article with details.
With thanks,

 

The SolusVM team
 
 
___________________________________________________________________________________________________
 
Tradução livre googleana
 
Oi Marco Antonio, 
 
 
Esta é uma nota curta para alertá-lo sobre o aviso de segurança Xen XSA-108, o que pode ter um impacto sobre hypervisors Xen em SolusVM. Não é uma questão SolusVM - é um problema que afeta muitos ambientes Xen. 
 
Qual é a natureza do comunicado? 
________________________________________ 
 
Infelizmente estamos sob embargo. Não podemos revelar detalhes específicos sobre a questão ou correções neste momento. 
 
O embargo será levantado em 01:00 hora do Reino Unido em Quarta-feira 1 de Outubro. 
 
Se você estiver em uma posição para corrigir seus hypervisors Xen agora, recomendamos que você fazê-lo. Caso contrário, recomendamos que você prepare-se para corrigir os seus hypervisors o mais rápido possível após o embargo foi levantado. 
 
Mais informações, em breve 
________________________________________ 
 
Vigiai no site do Xen consultivo, onde patches serão disponibilizados em 1:00 em 01 de outubro: http://xenbits.xen.org/xsa/. Quando o embargo foi levantado vamos publicar um artigo da Base de Conhecimento com mais detalhes. 
 
Com agradecimentos, 
A equipe SolusVM

 

Link to comment
Share on other sites

http://xenbits.xen.org/xsa/advisory-108.html

 

Xen Security Advisory CVE-2014-7188 / XSA-108
version 4

Improper MSR range used for x2APIC emulation

UPDATES IN VERSION 4
====================

Public release.

ISSUE DESCRIPTION
=================

The MSR range specified for APIC use in the x2APIC access model spans
256 MSRs. Hypervisor code emulating read and write accesses to these
MSRs erroneously covered 1024 MSRs. While the write emulation path is
written such that accesses to the extra MSRs would not have any bad
effect (they end up being no-ops), the read path would (attempt to)
access memory beyond the single page set up for APIC emulation.

IMPACT
======

A buggy or malicious HVM guest can crash the host or read data
relating to other guests or the hypervisor itself.

VULNERABLE SYSTEMS
==================

Xen 4.1 and onward are vulnerable.

Only x86 systems are vulnerable. ARM systems are not vulnerable.

MITIGATION
==========

Running only PV guests will avoid this vulnerability.

CREDITS
=======

This issue was discovered Jan Beulich at SUSE.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Unfortunately, your content contains terms that we do not allow. Please edit your content to remove the highlighted words below.
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...

Important Information

Do you agree with our terms?