SDLab

SDLab.org::Adminな脳み

Thursday, August 20, 2015

Vulnerability in Citrix XenServer Could Result in Information Disclosure


More about HVM, which never seems to settle down.
Patches are out as well, so I have updated the list.
XenServer 6.2 SP1 patch list (as of 2015/8/20)

Saturday, August 15, 2015

pygrub and eliloader

What is going on here?

I exported a PV guest from XenServer 5.6 SP2 as an XVA and
imported it into XenServer 6.5 SP1, and it
failed to boot with the error
"Error 13: Invalid or unsupported executable format".

Checking with
xe vm-param-list uuid=***************
showed:
PV-bootloader ( RW): eliloader

Huh? pygrub has turned into eliloader.
Importing the same XVA into XenServer 6.2 SP1 gave the same result.
It looks like something went wrong in the export from XenServer 5.6 SP2, but... I wonder what.

After
xe vm-param-set uuid=*************** PV-bootloader=pygrub
it booted without problems.

Tuesday, August 4, 2015

Two QEMU bugs

Neither affects PV guests.


[Xen-users] Xen Security Advisory 139 (CVE-2015-5166) - Use after free in QEMU/Xen block unplug protocol
http://lists.xen.org/archives/html/xen-users/2015-08/msg00008.html

ISSUE DESCRIPTION
=================
When unplugging an emulated block device the device was not fully
unplugged, meaning a second unplug attempt would attempt to unplug the
device a second time using a previously freed pointer.
IMPACT
======
An HVM guest which has access to an emulated IDE disk device may be
able to exploit this vulnerability in order to take over the qemu
process elevating its privilege to that of the qemu process.




[Xen-users] Xen Security Advisory 140 (CVE-2015-5165) - QEMU leak of uninitialized heap memory in rtl8139 device model
http://lists.xen.org/archives/html/xen-users/2015-08/msg00009.html

ISSUE DESCRIPTION
=================
The QEMU model of the RTL8139 network card did not sufficiently
validate inputs in the C+ mode offload emulation. This results in
uninitialised memory from the QEMU process's heap being leaked to the
domain as well as to the network.
IMPACT
======
A guest may be able to read sensitive host-level data relating to
itself which resides in the QEMU process.
Such information may include things such as information relating to
real devices backing emulated devices or passwords which the host
administrator does not intend to share with the guest admin.
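
As an added example (not from the original post, Citrix or the Xen project): since both QEMU issues above affect only HVM guests, this script lists the HVM guests found in xe vm-list output. It assumes HVM guests carry a non-empty HVM-boot-policy and PV guests an empty one; the sample records and the function names are constructed for illustration.

```shell
#!/bin/sh
# List HVM guests (the ones served by a QEMU device model) from xe vm-list output.
# Assumption: HVM guests have a non-empty HVM-boot-policy (e.g. "BIOS order"),
# PV guests have an empty one.

# Constructed sample of the record format printed by:
#   xe vm-list is-control-domain=false params=uuid,name-label,HVM-boot-policy
sample_vm_list() {
cat <<'EOF'
uuid ( RO)               : 00000000-0000-0000-0000-000000000001
         name-label ( RW): web01-pv
    HVM-boot-policy ( RW): 

uuid ( RO)               : 00000000-0000-0000-0000-000000000002
         name-label ( RW): win2012-hvm
    HVM-boot-policy ( RW): BIOS order

uuid ( RO)               : 00000000-0000-0000-0000-000000000003
         name-label ( RW): db01: legacy hvm
    HVM-boot-policy ( RW): BIOS order
EOF
}

# Reads vm-list records on stdin; prints "uuid<TAB>name-label" per HVM guest.
list_hvm_guests() {
    awk '
        # Text after the first colon, with surrounding whitespace trimmed.
        function value(line) {
            sub(/^[^:]*:[ \t]*/, "", line)
            sub(/[ \t\r]+$/, "", line)
            return line
        }
        # Print the record collected so far if it is an HVM guest, then reset.
        function emit() {
            if (uuid != "" && policy != "") printf "%s\t%s\n", uuid, name
            uuid = ""; name = ""; policy = ""
        }
        /^uuid \(/                  { emit(); uuid = value($0) }
        /^[ \t]*name-label \(/      { name = value($0) }
        /^[ \t]*HVM-boot-policy \(/ { policy = value($0) }
        END                         { emit() }
    '
}

if command -v xe >/dev/null 2>&1; then
    xe vm-list is-control-domain=false params=uuid,name-label,HVM-boot-policy | list_hvm_guests
else
    sample_vm_list | list_hvm_guests   # no xe here: run on the constructed sample
fi
```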

Tuesday, July 28, 2015

Citrix XenServer Security Update for CVE-2015-5154


  • CVE-2015-5154: QEMU heap overflow flaw while processing certain ATAPI commands
Customers that only have PV guests deployed are not at risk.
PV guests do not appear to be affected.

Patches are available.


Hotfix XS65ESP1008 - For XenServer 6.5.0 Service Pack 1

Hotfix XS62ESP1030 - For XenServer 6.2.0 Service Pack 1


Tuesday, July 21, 2015

This reduces the VM downtime

CP-11841: 
vm-migrate downtime: plug the VIFs of the new domain before suspending the old domain
https://github.com/xapi-project/xenopsd/pull/205

This reduces the VM downtime (when both old and new domains are paused) in 0.3s
for each VIF connected to the VM.

A reduction in downtime.

Wednesday, July 8, 2015

Xen Security Advisory 137 (CVE-2015-3259) - xl command line config handling stack overflow

[Xen-announce] Xen Security Advisory 137 (CVE-2015-3259) - xl command line config handling stack overflow
http://lists.xen.org/archives/html/xen-announce/2015-07/msg00000.html

An overflow bug in the xl command.
Only a limited set of people can run it, so the impact is small.

Tuesday, July 7, 2015

Hotfix XS65ESP1005 - For XenServer 6.5.0 Service Pack 1

http://support.citrix.com/article/CTX201514
Fixes bugs that crash the host:
  • VBD plug/unplug
  • Netback
  • Serial Console
  • Received network traffic


For earlier patches, see:
XenServer 6.5 SP1 patch list
http://mada0833.blogspot.jp/2015/05/xenserver65-sp1-2015520.html