EGI CSIRT:Alerts/Xen-2015-04-15
** WHITE information - Unlimited distribution allowed **
** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **

EGI CSIRT ADVISORY [EGI-ADV-20150415]

Title:   EGI Alert 'High' risk - Xen Vulnerability
         Hypervisor memory corruption due to x86 emulator flaw
         CVE-2015-2151 [EGI-ADV-20150415]
Date:    2015-04-15
Updated:

URL:     https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts/Xen-2015-04-15

Introduction
============

Currently there is increasing use of the Xen hypervisor in the EGI infrastructure.

Vulnerabilities for the Xen hypervisor are listed in [R 1].

One of these vulnerabilities, CVE-2015-2151 (123 on the list, announced on 10th March 2015),
we consider needs to be treated as 'High' risk.

Details
=======

See [R 1] and [R 2].

Risk category
=============

This issue has been assessed as 'High' by the EGI SVG Risk Assessment Team.

Recommendations
===============

If sites are using the Xen hypervisor, and have not updated in the last month,
they should update as soon as possible.

References
==========

[R 1] Xen vulnerability list http://xenbits.xen.org/xsa/

[R 2] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2151

Timeline
========
Yyyy-mm-dd

2015-03-05 SVG alerted to Xen vulnerabilities list
2015-03-10 SVG alerted to further Xen vulnerabilities, including the one referred to in this advisory
2015-03-11 Initial assessment made, few commented due to small number of people in EGI SVG with expertise on Xen.
2015-04-14 Decision to send alert, as most experienced person considered it to be 'high' risk
2015-04-15 Alert sent to sites.