The Xen Project, whose hypervisor is widely used by cloud providers that sell virtual private servers (VPS hosting), has landed in hot water over a botched patch release. The Xen 4.6.1 point release was meant to ship two key security fixes along with routine maintenance updates for the hypervisor. Xen has since called the problem an “oversight” on the official project blog and done its best to explain the situation. The 4.6.1 release notes state: “Note that, as also mentioned on the web page above, due to two oversights the fixes for both XSA-155 and XSA-162 have only been partially applied to this release.”
Xen now encourages users of the 4.4.4 and 4.6 releases to move to the Xen 4.6.1 point release and then apply the missing patches on top of it. That is an extra step for users, and there is no guarantee that everyone will get the message. An addendum added to the official statement one day later admitted that Xen had discovered the missing patches before the release, but too late to fix them. “The missing patches were discovered on Thursday, before the official release on Monday,” Xen explains. For whatever reason, instead of fixing the tree and perhaps delaying the update, the partial patches were shipped and Xen braced itself for the backlash.
Patching Things Up
Lars Kurth, chairperson of the Xen Project Advisory Board, says the patches are already available; they simply did not make it into the final release. He is also quick to point out that only the fixes for XSA-155 and XSA-162 are partial. “So rather than using the release version as is, users need to take the extra step and update the 4.6.1 release with the fixing patches.” Kurth explained this in an email interview and did not touch on the marketing, public relations, and other factors that might affect Xen’s relationship with its users. It is also unclear whether Xen contacted each downstream user to explain the situation and the need for that “extra step,” or whether the project blog was the only channel.
Many of the cloud providers that build on Xen also work with Amazon Web Services, Rackspace Cloud, and IBM SoftLayer. In other words, they are used to dealing with big players and are not accustomed to doing extra work on their end to cover for a vendor’s snafu.
The issues these patches address have been almost a year in the making. Both vulnerabilities were found in 2015. XSA-162 is a heap overflow in QEMU’s emulated AMD PCnet network device, reachable by a guest configured to use that device model. “All Xen systems running x86 HVM guests without stubdomains which have been configured to use the PCNET emulated driver model are vulnerable,” says the Xen security advisory. The default configuration is not affected, because PCnet is not the default emulated NIC.
XSA-155 affects the paravirtualized backend drivers. The backends read request fields from ring memory shared with the guest more than once, so a malicious guest administrator can change a field after the backend has validated it, and thereby crash the host or potentially execute arbitrary code in the backend.
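The following is an added example, not code from the Xen Project or from the article, that models the double-fetch pattern behind XSA-155 in plain C. The request layout (`struct req`), the `guest_hook_t` callback that stands in for a guest vCPU racing the backend, and the function names are all hypothetical; only the shape of the bug and of the fix (copy the request out of shared memory once, then validate and use the private copy, which is the intent of Xen’s RING_COPY_REQUEST change) are taken from the real advisory.

```c
/* Added example (not Xen Project code): the shared-ring double-fetch
 * pattern that XSA-155 fixed, modelled in plain C. A PV backend reads
 * requests from a ring the guest can write to at any time; if the backend
 * validates a field and then re-reads it from the ring, the guest can
 * change it in between. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_SEGS 4          /* backend's fixed per-request limit */

/* Hypothetical request layout (not Xen's blkif_request_t). The segment
 * array is sized to the largest value nr_segments can hold, so every read
 * in this model stays in bounds; only the backend's logic is wrong. */
struct req {
    uint8_t  nr_segments;
    uint8_t  pad[3];
    uint32_t seg[256];
};

/* One slot of a guest-shared ring. volatile: the guest may write any time. */
static volatile struct req ring_slot;

/* Stand-in for the guest running on another vCPU: called between the
 * backend's two reads. NULL means the guest stays quiet. */
typedef void (*guest_hook_t)(void);

static void guest_flip_nr_segments(void)
{
    ring_slot.nr_segments = 200;               /* far beyond MAX_SEGS */
}

/* Reset the shared slot to a benign request with n segments. */
static void guest_post_request(uint8_t n)
{
    ring_slot.nr_segments = n;
    for (unsigned i = 0; i < 256; i++)
        ring_slot.seg[i] = i;
}

/* Vulnerable backend (XSA-155 pattern): validates nr_segments, then reads
 * it again from shared memory and trusts the second value. Returns the
 * number of segments it processes; a real backend would use that count to
 * index a MAX_SEGS-sized table, so anything above MAX_SEGS is an
 * out-of-bounds access. */
static int backend_double_fetch(guest_hook_t guest)
{
    if (ring_slot.nr_segments > MAX_SEGS)      /* first fetch: checked */
        return -1;
    if (guest)
        guest();                               /* guest rewrites the ring */
    unsigned n = ring_slot.nr_segments;        /* second fetch: unchecked */
    uint32_t touched = 0;
    unsigned processed = 0;
    for (unsigned i = 0; i < n; i++) {
        touched ^= ring_slot.seg[i];           /* third fetch, also unstable */
        processed++;
    }
    (void)touched;
    return (int)processed;
}

/* Copy a request out of shared memory exactly once. Mirrors the intent of
 * the RING_COPY_REQUEST fix: every later access goes to the private copy. */
static void ring_copy_request(struct req *dst)
{
    volatile const uint8_t *src = (volatile const uint8_t *)&ring_slot;
    uint8_t *d = (uint8_t *)dst;
    for (size_t i = 0; i < sizeof *dst; i++)
        d[i] = src[i];
}

/* Hardened backend: copy first, validate the copy, use only the copy. */
static int backend_single_fetch(guest_hook_t guest)
{
    struct req local;
    ring_copy_request(&local);
    if (local.nr_segments > MAX_SEGS)
        return -1;
    if (guest)
        guest();                               /* ring changes; copy does not */
    uint32_t touched = 0;
    unsigned processed = 0;
    for (unsigned i = 0; i < local.nr_segments; i++) {
        touched ^= local.seg[i];
        processed++;
    }
    (void)touched;
    return (int)processed;
}

int main(void)
{
    guest_post_request(2);
    printf("double fetch, racing guest: %d segments\n",
           backend_double_fetch(guest_flip_nr_segments));
    guest_post_request(2);
    printf("single fetch, racing guest: %d segments\n",
           backend_single_fetch(guest_flip_nr_segments));
    return 0;
}
```

The racing guest is simulated synchronously so the outcome is deterministic: the double-fetch backend ends up processing 200 segments against a limit of 4, while the copy-then-validate backend processes the 2 it checked. In a real backend the guest runs on its own vCPU, so the window is a genuine race rather than a guaranteed hit, which is why these bugs surface as intermittent host crashes before anyone weaponizes them.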