
Re: [Xen-users] PV privilege escalation - advisory



On Thu, Jun 14, 2012 at 7:19 PM, John Creol <iamcreo@xxxxxxxxx> wrote:
> From what I understand, http://www.gitco.de/repo/  Gitco only provides the 
> hypervisor and userspace tools, ie from the page:
> - These XEN-RPMS are for CentOS-5/RHEL-5 (x86_64)
> - They have been built from the sources of http://www.xen.org
> - It's only the hypervisor, no changes on the kernel !!!
> Even with a Gitco provided hypervisor rpm, your dom0 is running with the 
> CentOS provided kernel-xen, which can be updated with the fix.
>
> From a brief look this vulnerability does not impact the hypervisor... right?

The bug is on the hypervisor as well:
https://bugzilla.redhat.com/show_bug.cgi?id=813428

What I haven't been able to be sure of from that bugzilla is whether
you'll be "safe" from that bug even if your hypervisor is vulnerable,
IF:
- your domUs ONLY run "safe" (e.g. RH's) kernels, or
- your domUs only run newer kernels (and if that's the case, what
version is "new" enough).

Also, even if that were the case, there's the issue of "how do you
make sure your domUs ONLY use the safe kernel if the domU is not
within your control and it boots with pygrub/pvgrub" (which roughly
means your users can change the running kernel with their own,
possibly "unsafe" kernel).

-- 
Fajar

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxx
http://lists.xen.org/xen-users