Re: [Xen-users] Amazon PVMs magically weren't affected by XSA 182 vuln
On Fri, Sep 23, 2016 at 3:34 PM, Chris Laprise <tasket@xxxxxxxxxxxxxxx> wrote:
> On 09/23/2016 09:42 AM, Ian Murray wrote:
>>
>>> ________________________________
>>> From: Chris Laprise <tasket@xxxxxxxxxxxxxxx>
>>> To: xen-users@xxxxxxxxxxxxx
>>> Cc: Joanna Rutkowska <joanna@xxxxxxxxxxxxxxxxxxxxxx>
>>> Sent: Friday, 23 September 2016, 14:09
>>> Subject: [Xen-users] Amazon PVMs magically weren't affected by XSA 182 vuln
>>>
>>> Hello list...
>>>
>>> Has anyone seen a good explanation as to why Amazon services were not
>>> vulnerable to XSA182 / CVE-2016-6258? I understand they offer PV guests
>>> on x86.
>>
>> Perhaps because they get to patch before most people, as they are in the
>> pre-disclosure list?
>>
>> https://www.xenproject.org/security-policy.html
>
> And yet, an XSA can trigger updates at AWS that require explanation of the
> disruption...
>
> https://aws.amazon.com/blogs/aws/ec2-maintenance-update-2/
>
> So I wondered if in some cases Amazon's in-house versions may not have been
> vulnerable in the first place.

It's worth pointing out that everything said here is conjecture, as nobody
from Amazon has said anything authoritative.

That said, there are some interesting tidbits here:

http://www.networkworld.com/article/2892313/cloud-computing/what-happens-inside-amazon-when-there-s-a-xen-vulnerability.html

Key quotes:

"Most of the Xen vulnerabilities do not apply to AWS because the company has
developed its own custom version of Xen. AWS has stripped out all the features
of Xen that it doesn't need, both in order to customize the performance of the
open source code to the company's unique use case, and to limit its exposure
to vulnerabilities."

"Schmidt said AWS is always looking to improve its services: both technically
to ensure it doesn't have to reboot VMs, and it is working to keep customers
better informed. Part of that process includes sponsoring academic research,
including some leading studies into how Xen servers can be hot-patched without
requiring a reboot."

So two potential explanations for why they were not vulnerable:

1. They may have disabled the feature, so that they were never vulnerable.

2. They may have used an internal hot-patching mechanism to apply the patch
without rebooting, so that the statement "we are not vulnerable" was accurate
at the time the vulnerability was publicly announced. :-)

-George

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxx
https://lists.xen.org/xen-users