Xen Project dropped the ball on two important security patches when it released a maintenance update for its popular hypervisor software on Tuesday. On its company blog today, Xen acknowledged what it called an “oversight” and attempted to explain what went wrong.
Affected is maintenance release version 4.6.1 of its hypervisor. Tuesday’s blog explains:
“Note that, as also mentioned on the web page above, due to two oversights the fixes for both XSA-155 and XSA-162 have only been partially applied to this release.” Xen recommends that users of its 4.4.4 and 4.6 releases update to the Xen 4.6.1 point release.
Wednesday’s addendum said Xen detected the missing patches before the release, but it was too late to correct the error. “The missing patches were discovered on Thursday, before the official release on Monday,” according to the blog. It appears that Xen opted to deliver the maintenance release along with partial patches rather than no update at all.
Lars Kurth, Xen Project’s advisory chairperson, said the patches already exist for the two vulnerabilities (XSA-155 and XSA-162). It’s only the release that is partially patched, he said. “So rather than using the release version as is, users need to take the extra step and update the 4.6.1 release with the missing patches XSA-155 and XSA-162,” Kurth said in an email interview.
Xen’s hypervisor is widely used by cloud computing and virtual private server hosting providers such as Amazon Web Services, IBM’s SoftLayer and Rackspace Cloud.
The two vulnerabilities that are not fully fixed by maintenance release version 4.6.1 were discovered late last year. One vulnerability, XSA-162, leaves the door open for a buffer overflow attack against users of virtualized AMD PCnet network devices emulated by QEMU. According to Xen’s security advisory, “All Xen systems running x86 HVM guests without stubdomains which have been configured to use the PCNET emulated driver model are vulnerable.” The default configuration is not vulnerable, Xen said.
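Because the XSA-162 exposure depends on guest configuration rather than on the hypervisor alone, an administrator who cannot apply the missing patch immediately will want to know which guests actually meet the advisory’s condition. The script below is an added example, not code from the article or from the Xen Project: it audits a directory of xl guest configuration files for x86 HVM guests (`builder = "hvm"`) whose `vif` entry selects the `pcnet` emulated NIC model, and skips guests whose device model runs in a stub domain (`device_model_stubdomain_override = 1`), the exception the advisory names. The config directory and all four sample guest files are constructed for the demonstration; the option names follow xl.cfg syntax for the 4.x series, and the assumption that `model=pcnet` is how the PCNET device is selected is mine.

```shell
#!/bin/sh
# Added example (not from the article or the Xen Project): list xl guest
# configs that match the XSA-162 condition: x86 HVM guest, pcnet emulated NIC,
# no stub domain for the device model. Sample configs are constructed.

# make_sample_configs DIR: write four constructed guest configs into DIR.
make_sample_configs() {
    dir="$1"
    # HVM guest with a pcnet emulated NIC: matches the advisory's condition
    cat > "$dir/guest-a.cfg" <<'EOF'
name = "guest-a"
builder = "hvm"
memory = 1024
vif = [ 'model=pcnet,bridge=xenbr0' ]
EOF
    # HVM guest leaving the NIC model at its default: not affected
    cat > "$dir/guest-b.cfg" <<'EOF'
name = "guest-b"
builder = "hvm"
memory = 1024
vif = [ 'bridge=xenbr0' ]
EOF
    # PV guest: no QEMU device model at all, so no emulated PCnet device
    cat > "$dir/guest-c.cfg" <<'EOF'
name = "guest-c"
kernel = "/boot/vmlinuz-pv"
memory = 512
vif = [ 'bridge=xenbr0' ]
EOF
    # HVM guest with pcnet but the device model in a stub domain: excluded
    cat > "$dir/guest-d.cfg" <<'EOF'
name = "guest-d"
builder = "hvm"
memory = 1024
device_model_stubdomain_override = 1
vif = [ 'model=pcnet,bridge=xenbr0' ]
EOF
}

# find_pcnet_hvm_guests DIR: print the path of every *.cfg in DIR that
# defines an HVM guest using model=pcnet without a stub-domain device model.
find_pcnet_hvm_guests() {
    dir="$1"
    for cfg in "$dir"/*.cfg; do
        [ -f "$cfg" ] || continue
        # Condition 1: x86 HVM guest (builder = "hvm" in xl.cfg syntax)
        grep -Eq "^[[:space:]]*builder[[:space:]]*=[[:space:]]*[\"']hvm[\"']" "$cfg" || continue
        # Condition 2: a vif entry selects the pcnet emulated NIC model
        grep -Eq "^[[:space:]]*vif[[:space:]]*=.*model[[:space:]]*=[[:space:]]*pcnet" "$cfg" || continue
        # Exception: device model running in a stub domain is out of scope
        grep -Eq "^[[:space:]]*device_model_stubdomain_override[[:space:]]*=[[:space:]]*1" "$cfg" && continue
        echo "$cfg"
    done
    return 0
}

# Demonstration on the constructed sample configs
demo_dir=$(mktemp -d)
make_sample_configs "$demo_dir"
echo "Guest configs matching the XSA-162 condition:"
find_pcnet_hvm_guests "$demo_dir"
rm -rf "$demo_dir"
```

Run against a real `/etc/xen` directory, the output is the set of guests to prioritize for the out-of-band XSA-162 patch (or to switch off the pcnet model until it is applied); guests not listed are either PV, on the default NIC model, or already isolated by a stub domain.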
The XSA-155 vulnerability is in Xen’s paravirtualized drivers and could give a malicious guest administrator the ability to crash the host or to execute arbitrary code, according to the Xen advisory.