Articles about xen

KVM? Us? Amazon erases new hypervisor from AWS EC2 FAQ

Amazon Web Services has quietly edited its FAQ in which it revealed it has created a new KVM-based hypervisor and will use it instead of Xen for future instances. The webpage now contains no mention of the hypervisor. But Google's cached record of the page does. And in case AWS manages to get that scrubbed, we grabbed this …

Be my guest, be my guest, at a hypervisor hacking fest

The Xen Project has posted advisories and patches for seven bugs, most of which let guests run denial-of-service (DoS) attacks on hosts. CVE-2017-15592 means “A malicious or buggy HVM guest may cause a hypervisor crash, resulting in a DoS affecting the entire host, or cause hypervisor memory corruption.” Privilege escalation …

Xen fixes guest privilege escape and plenty more

Xen admins, get busy: the open source hypervisor's issued fixes for bugs that range from data corruption and leakage up to privilege escalation. Let's start with CVE-2017-12137, which could let a paravirtualized (PV) guest escalate to host privilege. It's down to a mistake in memory allocation when a PV guest is launched. …

Xen warns of nine embargo-worthy bugs

The Xen Project has announced nine – as in 3^2 – embargo-worthy bugs. Details of the problems, with fixes for all, will be revealed on June 20. Xen's security policy sees it announce the existence of bugs two weeks before it releases patches to the world. But detailed news of the bugs is revealed to big Xen users, which makes …

Qubes kicks Xen while it's down after finding 'fatal, reliably exploitable' bug

Qubes is once again regretting how long it's taken to abandon Xen's PV hypervisor, disclosing another three bugs including host escape vulnerabilities. The most serious bugs are in PV (paravirtualization) memory handling, XSA-213 and XSA-214. “An attacker who exploits either of these bugs can break Qubes-provided isolation. …

Patch Qubes to prevent pwnage via Xen bug

Xen has a critical bug that means Qubes 3.1 and 3.2 need an immediate patch, for Xen packages between 4.6.4 and 4.6.26. A recent patch introduced the bug, which according to the advisory is an insufficient check on the XENMEM_exchange input, “allowing the caller to drive hypervisor memory accesses outside of the guest provided …

Xen bends own embargo rules to unbork risky Cirrus video emulation

The Xen Project has bent its own rules of vulnerability disclosure for a buggy and possibly exploitable video component that needs urgent attention. It's not a hypervisor escape yet, but as the Xen advisory notes, it could be a pathway to one. The crashable component is a VGA driver, of all things – the default Cirrus video …

Virtualisation got boring in 2016, but the fun's about to start anew

END-OF-YEAR ROUND UP 2016 was a year in which virtualisation became so mainstream, so expected, so accepted that it started to look like a moribund market. But virtualisation's really only just getting started because storage virtualisation, network virtualisation and network function virtualisation are just getting started, while other uses for …
Simon Sharwood, 22 Dec 2016

Qualcomm joins Xen Project Advisory Board

Qualcomm has joined the Xen Project's Advisory Board, the group of companies “committed to the market and technical success of the Xen Project” and who “provide financial support, technical contributions, and set high-level policy decisions.” And it's done so “to accelerate ARM-server and hyperscale cloud development, …
Simon Sharwood, 20 Dec 2016

Xen 4.8 debuts, gives ARM servers vendors a reason to hope

A new version of the Xen Project's hypervisor has emerged blinking into the light. The Project reckons the best bit of version 4.8 is support for live patching of ARMv8-A CPUs, noting that such silicon is likely to appear in servers. And server users, of course, love anything that avoids operational disruptions. So Xen has …

Get patching: Xen bug blows hypervisor security to bits – literally

The Xen Project has issued eight security advisories for its open source hypervisor. XSA-195 is considered the most serious of the eight, as it could allow memory modification, resulting in arbitrary code execution, a crash of the host, or information exposure. According to the Xen Project, XSA-195 (CVE-2016-9383) is …
Thomas Claburn, 24 Nov 2016

Hypervisor security ero-Xen: How guest VMs can hijack host servers

Analysis The Xen project has today patched four security bugs in its open-source hypervisor – three potentially allowing guest virtual machines to take over their host servers. The other programming cockup allows a guest to crash the underlying machine. This is not great news for cloud providers or anyone else running untrusted VMs on …

Explo-Xen! Bunker buster bug breaks out guests from hypervisor

Code dive A super-bug in the Xen hypervisor may allow privileged code running in guests to escape to the underlying host. This means, on vulnerable systems, malicious administrators within virtual machines can potentially break out of their confines and start interfering with the host server and other guests. This could be really bad …
Chris Williams, 27 Jul 2016

Xen says new patch is 'simple and crude' and warns against using it

The Xen project has revealed a new bug, XSA-180, but warns its patch for the problem is itself problematic. The bug means that “When the libxl toolstack launches qemu for HVM guests, it pipes the output of stderr to a file in /var/log/xen.” “This output is not rate-limited in any way. The guest can easily cause qemu to print …
Simon Sharwood, 24 May 2016

Xen hypervisor to gain non-disruptive patching in June

The Xen Project will bring non-disruptive patching to its hypervisor, version 4.7 of which is set to debut on June 3rd, 2016. That date may wobble a little, because the feature freeze scheduled for April 1st was put back a week in order to let contributors sort themselves out over Easter. But it's known that a sub-project …
Simon Sharwood, 28 Apr 2016

New Xen maintenance release ends active version 4.4 development

Can it really be time to update Xen again? Yes it can, because the Xen Project has announced a new maintenance release, version 4.4.4, that ticks off a list of 70 fixes and improvements, plus another five qemu quirks. Xen's had a rough time of it lately, with several severe bugs demanding attention. A few security-related …
Simon Sharwood, 29 Jan 2016

While you pretended to work, Cloud operators fixed two Xen bugs

While lots of the world was easing in to a new year of work in the week of January 4th, big cloud concerns running customer-facing Xen rigs were probably patching two new bugs in the hypervisor. The Xen Project's policy is to let big cloud operators and others on a pre-disclosure list know about bugs two weeks before the rest …
Simon Sharwood, 21 Jan 2016

Xen Project blunder blows own embargo with premature bug report

The Xen Project has reported a new bug, XSA-169, that means “A malicious guest could cause repeated logging to the hypervisor console, leading to a Denial of Service attack.” The fix is simple – running only paravirtualised guests – but the bug is a big blunder for another reason. Xen is very widely used by big cloud …
Simon Sharwood, 23 Dec 2015

Biting the hand that feeds IT © 1998–2018