EGI CSIRT:Alerts/Xen-2015-04-15
** WHITE information - Unlimited distribution allowed **
** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **

EGI CSIRT ADVISORY [EGI-ADV-20150415]

Title:   EGI Alert 'High' risk - Xen Vulnerability: Hypervisor memory corruption due to x86 emulator flaw, CVE-2015-2151 [EGI-ADV-20150415]
Date:    2015-04-15
Updated:
URL:     https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts/Xen-2015-04-15

Introduction
============

Currently there is increasing use of the Xen hypervisor in the EGI infrastructure. Vulnerabilities for the Xen hypervisor are listed in [R 1]. One of these vulnerabilities, CVE-2015-2151 (number 123 on the list, announced on 10th March 2015), we consider needs to be treated as 'High' risk.

Details
=======

See [R 1] and [R 2].

Risk category
=============

This issue has been assessed as 'High' by the EGI SVG Risk Assessment Team.

Recommendations
===============

If sites are using the Xen hypervisor, and have not updated in the last month, they should update as soon as possible.

References
==========

[R 1] Xen vulnerability list: http://xenbits.xen.org/xsa/
[R 2] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2151

Timeline
========

Yyyy-mm-dd
2015-03-05 SVG alerted to Xen vulnerabilities list.
2015-03-10 SVG alerted to further Xen vulnerabilities, including the one referred to in this advisory.
2015-03-11 Initial assessment made; few commented, due to the small number of people in EGI SVG with expertise on Xen.
2015-04-14 Decision to send alert, as the most experienced person considered it to be 'high' risk.
2015-04-15 Alert sent to sites.