Date: Tue, 24 Nov 2015 17:13:34 +0000 From: Xen.org security team <security@....org> To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org, xen-users@...ts.xen.org, oss-security@...ts.openwall.com CC: Xen.org security team <security@....org> Subject: Xen Security Advisory 163 - virtual PMU is unsupported -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory XSA-163 virtual PMU is unsupported ISSUE DESCRIPTION ================= The Virtual Performance Measurement Unit feature has been documented as unsupported, so far only on Intel CPUs. Further issues have been found or are suspected which would also (or exclusively) affect AMD CPUs. We believe that the functionality is mostly intended for non-production use anyway. Therefore this functionality is hereby documented as generally unsupported security-wise. IMPACT ====== Use of the feature may have unknown effects, ranging from information leaks through Denial of Service to privilege escalation. VULNERABLE SYSTEMS ================== Only systems which enable the VPMU feature are affected. That is, only systems with a `vpmu' setting on the hypervisor command line. Xen versions from 3.3 onwards are affected. Only x86 systems are affected. ARM systems do not currently implement vPMU and are therefore currently unaffected; should this functionality be added to ARM in the future it would be covered by this exclusion. In Xen versions prior to 4.6 only HVM guests can take advantage of this unsupported functionality. In Xen versions from 4.6 onwards all guest kinds can use this unsupported functionality. MITIGATION ========== Not enabling vPMU support (by omitting the "vpmu" hypervisor command line option) will avoid using and exposing the unsupported functionality. RESOLUTION ========== Applying the attached patch documents the situation. The patch does not fix any security issues. xsa163.patch xen-unstable $ sha256sum xsa163* b9185a45a41f31e7c2f85b79a669b8b1dbf00c6b40a79b00c779b344ccab45b7 xsa163.patch $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJWVJqRAAoJEIP+FMlX6CvZba8H/23BreIs2Gxkh+9Jty8EEMdp nk3hSpEgxIb101XsbZ4JNwMO8QqBoTi1Bt0+k4bnjdRsU1G/vImacaN9LlefmLJc jn3n4Ce9ODGQvCEp1LPwWQusduFhMUIaUK6cwB2LclYxUnxCgUpLBFReOp9QIbgZ Bv+rrw9gcNb8zUKT53FZ7bOApRoU28rSFX1XE72ELPDdGbpTVXxlvQZtKsQY7N7O Se1COml0MDhufWRf3SNxO2MmqZsg43fsjvJaJgGoXE+4gslcLBMjiwgoUDX2k9CG Pi4M5uLNLxXJZkgbo1qi8ueQB9yck6tMg+o6f3wDFz28SFfu8/D2szXGOblpE5w= =2Wqz -----END PGP SIGNATURE----- Download attachment "xsa163.patch" of type "application/octet-stream" (772 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ