Security update for Xen
SUSE Security Update: Security update for Xen
Three security issues were found in XEN.
Two security issues are fixed by this update:
*
CVE-2012-0217: Due to incorrect fault handling in the
XEN hypervisor it was possible for a XEN guest domain
administrator to execute code in the XEN host environment.
*
CVE-2012-0218: Also a guest user could crash the
guest XEN kernel due to a protection fault bounce.
The third fix is changing the Xen behaviour on certain
hardware:
*
CVE-2012-2934: The issue is a denial of service issue
on older pre-SVM AMD CPUs (AMD Erratum 121).
AMD Erratum #121 is described in "Revision Guide for
AMD Athlon 64 and AMD Opteron Processors":
http://support.amd.com/us/Processor_TechDocs/25759.pdf
The following 130nm and 90nm (DDR1-only) AMD
processors are subject to this erratum:
o
First-generation AMD-Opteron(tm) single and
dual core processors in either 939 or 940 packages:
+ AMD Opteron(tm) 100-Series Processors
+ AMD Opteron(tm) 200-Series Processors
+ AMD Opteron(tm) 800-Series Processors
+ AMD Athlon(tm) processors in either 754,
939 or 940 packages
+ AMD Sempron(tm) processor in either 754
or 939 packages
+ AMD Turion(tm) Mobile Technology in 754
package
This issue does not effect Intel processors.
The impact of this flaw is that a malicious PV guest
user can halt the host system.
As this is a hardware flaw, it is not fixable except
by upgrading your hardware to a newer revision, or not
allowing untrusted 64bit guestsystems.
The patch changes the behaviour of the host system
booting, which makes it unable to create guest machines
until a specific boot option is set.
There is a new XEN boot option "allow_unsafe" for
GRUB which allows the host to start guests again.
This is added to /boot/grub/menu.lst in the line
looking like this:
kernel /boot/xen.gz .... allow_unsafe
Note: .... in this example represents the existing
boot options for the host.
Security Issue references:
* CVE-2012-0217
>
* CVE-2012-0218
>
* CVE-2012-2934
>
http://support.novell.com/security/cve/CVE-2012-0217.html
http://support.novell.com/security/cve/CVE-2012-0218.html
http://support.novell.com/security/cve/CVE-2012-2934.html
https://bugzilla.novell.com/757537
https://bugzilla.novell.com/757970
https://bugzilla.novell.com/764077
http://download.suse.com/patch/finder/?keywords=1428153e4b377d6519b568fc4a847a50
http://download.suse.com/patch/finder/?keywords=1fd339d2b48672edeccbed4bd3b9dd9d
http://download.suse.com/patch/finder/?keywords=bbca71d17e042f39532a8e3060358202
http://download.suse.com/patch/finder/?keywords=c25fa3090bc865a8836ebaff073cd9b6
Announcement ID: | SUSE-SU-2012:0730-1 |
Rating: | critical |
References: | #757537 #757970 #764077 |
Affected Products: |
An update that fixes three vulnerabilities is now available.
Description:
Three security issues were found in XEN.
Two security issues are fixed by this update:
*
CVE-2012-0217: Due to incorrect fault handling in the
XEN hypervisor it was possible for a XEN guest domain
administrator to execute code in the XEN host environment.
*
CVE-2012-0218: Also a guest user could crash the
guest XEN kernel due to a protection fault bounce.
The third fix is changing the Xen behaviour on certain
hardware:
*
CVE-2012-2934: The issue is a denial of service issue
on older pre-SVM AMD CPUs (AMD Erratum 121).
AMD Erratum #121 is described in "Revision Guide for
AMD Athlon 64 and AMD Opteron Processors":
http://support.amd.com/us/Processor_TechDocs/25759.pdf
The following 130nm and 90nm (DDR1-only) AMD
processors are subject to this erratum:
o
First-generation AMD-Opteron(tm) single and
dual core processors in either 939 or 940 packages:
+ AMD Opteron(tm) 100-Series Processors
+ AMD Opteron(tm) 200-Series Processors
+ AMD Opteron(tm) 800-Series Processors
+ AMD Athlon(tm) processors in either 754,
939 or 940 packages
+ AMD Sempron(tm) processor in either 754
or 939 packages
+ AMD Turion(tm) Mobile Technology in 754
package
This issue does not effect Intel processors.
The impact of this flaw is that a malicious PV guest
user can halt the host system.
As this is a hardware flaw, it is not fixable except
by upgrading your hardware to a newer revision, or not
allowing untrusted 64bit guestsystems.
The patch changes the behaviour of the host system
booting, which makes it unable to create guest machines
until a specific boot option is set.
There is a new XEN boot option "allow_unsafe" for
GRUB which allows the host to start guests again.
This is added to /boot/grub/menu.lst in the line
looking like this:
kernel /boot/xen.gz .... allow_unsafe
Note: .... in this example represents the existing
boot options for the host.
Security Issue references:
* CVE-2012-0217
* CVE-2012-0218
* CVE-2012-2934
Special Instructions and Notes:
Please reboot the system after installing this update.
Patch Instructions:
To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Software Development Kit 11 SP1:
zypper in -t patch sdksp1-xen-201206-6399
- SUSE Linux Enterprise Server 11 SP1 for VMware:
zypper in -t patch slessp1-xen-201206-6399
- SUSE Linux Enterprise Server 11 SP1:
zypper in -t patch slessp1-xen-201206-6399
- SUSE Linux Enterprise Desktop 11 SP1:
zypper in -t patch sledsp1-xen-201206-6399
To bring your system up-to-date, use "zypper patch".
Package List:
- SUSE Linux Enterprise Software Development Kit 11 SP1 (i586 x86_64):
- xen-devel-4.0.3_21548_04-0.9.1
- SUSE Linux Enterprise Server 11 SP1 for VMware (i586 x86_64):
- xen-kmp-trace-4.0.3_21548_04_2.6.32.59_0.5-0.9.1
- SUSE Linux Enterprise Server 11 SP1 (i586 x86_64):
- xen-4.0.3_21548_04-0.9.1
- xen-doc-html-4.0.3_21548_04-0.9.1
- xen-doc-pdf-4.0.3_21548_04-0.9.1
- xen-kmp-default-4.0.3_21548_04_2.6.32.59_0.5-0.9.1
- xen-kmp-trace-4.0.3_21548_04_2.6.32.59_0.5-0.9.1
- xen-libs-4.0.3_21548_04-0.9.1
- xen-tools-4.0.3_21548_04-0.9.1
- xen-tools-domU-4.0.3_21548_04-0.9.1
- SUSE Linux Enterprise Server 11 SP1 (i586):
- xen-kmp-pae-4.0.3_21548_04_2.6.32.59_0.5-0.9.1
- SUSE Linux Enterprise Server 10 SP4 (i586 x86_64):
- xen-3.2.3_17040_38-0.11.1
- xen-devel-3.2.3_17040_38-0.11.1
- xen-doc-html-3.2.3_17040_38-0.11.1
- xen-doc-pdf-3.2.3_17040_38-0.11.1
- xen-doc-ps-3.2.3_17040_38-0.11.1
- xen-kmp-debug-3.2.3_17040_38_2.6.16.60_0.97.1-0.11.1
- xen-kmp-default-3.2.3_17040_38_2.6.16.60_0.97.1-0.11.1
- xen-kmp-kdump-3.2.3_17040_38_2.6.16.60_0.97.1-0.11.1
- xen-kmp-smp-3.2.3_17040_38_2.6.16.60_0.97.1-0.11.1
- xen-libs-3.2.3_17040_38-0.11.1
- xen-tools-3.2.3_17040_38-0.11.1
- xen-tools-domU-3.2.3_17040_38-0.11.1
- xen-tools-ioemu-3.2.3_17040_38-0.11.1
- SUSE Linux Enterprise Server 10 SP4 (x86_64):
- xen-libs-32bit-3.2.3_17040_38-0.11.1
- SUSE Linux Enterprise Server 10 SP4 (i586):
- xen-kmp-bigsmp-3.2.3_17040_38_2.6.16.60_0.97.1-0.11.1
- xen-kmp-kdumppae-3.2.3_17040_38_2.6.16.60_0.97.1-0.11.1
- xen-kmp-vmi-3.2.3_17040_38_2.6.16.60_0.97.1-0.11.1
- xen-kmp-vmipae-3.2.3_17040_38_2.6.16.60_0.97.1-0.11.1
- SUSE Linux Enterprise Server 10 SP3 LTSS (i586 x86_64):
- xen-3.2.3_17040_28-0.6.11.1
- xen-devel-3.2.3_17040_28-0.6.11.1
- xen-doc-html-3.2.3_17040_28-0.6.11.1
- xen-doc-pdf-3.2.3_17040_28-0.6.11.1
- xen-doc-ps-3.2.3_17040_28-0.6.11.1
- xen-kmp-debug-3.2.3_17040_28_2.6.16.60_0.83.131-0.6.11.1
- xen-kmp-default-3.2.3_17040_28_2.6.16.60_0.83.131-0.6.11.1
- xen-kmp-kdump-3.2.3_17040_28_2.6.16.60_0.83.131-0.6.11.1
- xen-kmp-smp-3.2.3_17040_28_2.6.16.60_0.83.131-0.6.11.1
- xen-libs-3.2.3_17040_28-0.6.11.1
- xen-tools-3.2.3_17040_28-0.6.11.1
- xen-tools-domU-3.2.3_17040_28-0.6.11.1
- xen-tools-ioemu-3.2.3_17040_28-0.6.11.1
- SUSE Linux Enterprise Server 10 SP3 LTSS (x86_64):
- xen-libs-32bit-3.2.3_17040_28-0.6.11.1
- SUSE Linux Enterprise Server 10 SP3 LTSS (i586):
- xen-kmp-bigsmp-3.2.3_17040_28_2.6.16.60_0.83.131-0.6.11.1
- xen-kmp-kdumppae-3.2.3_17040_28_2.6.16.60_0.83.131-0.6.11.1
- xen-kmp-vmi-3.2.3_17040_28_2.6.16.60_0.83.131-0.6.11.1
- xen-kmp-vmipae-3.2.3_17040_28_2.6.16.60_0.83.131-0.6.11.1
- SUSE Linux Enterprise Server 10 SP2 (i586 x86_64):
- xen-3.2.0_16718_26-0.8.1
- xen-devel-3.2.0_16718_26-0.8.1
- xen-doc-html-3.2.0_16718_26-0.8.1
- xen-doc-pdf-3.2.0_16718_26-0.8.1
- xen-doc-ps-3.2.0_16718_26-0.8.1
- xen-kmp-debug-3.2.0_16718_26_2.6.16.60_0.42.54.11-0.8.1
- xen-kmp-default-3.2.0_16718_26_2.6.16.60_0.42.54.11-0.8.1
- xen-kmp-kdump-3.2.0_16718_26_2.6.16.60_0.42.54.11-0.8.1
- xen-kmp-smp-3.2.0_16718_26_2.6.16.60_0.42.54.11-0.8.1
- xen-libs-3.2.0_16718_26-0.8.1
- xen-tools-3.2.0_16718_26-0.8.1
- xen-tools-domU-3.2.0_16718_26-0.8.1
- xen-tools-ioemu-3.2.0_16718_26-0.8.1
- SUSE Linux Enterprise Server 10 SP2 (x86_64):
- xen-libs-32bit-3.2.0_16718_26-0.8.1
- SUSE Linux Enterprise Server 10 SP2 (i586):
- xen-kmp-bigsmp-3.2.0_16718_26_2.6.16.60_0.42.54.11-0.8.1
- SUSE Linux Enterprise Desktop 11 SP1 (i586 x86_64):
- xen-4.0.3_21548_04-0.9.1
- xen-kmp-default-4.0.3_21548_04_2.6.32.59_0.5-0.9.1
- xen-libs-4.0.3_21548_04-0.9.1
- xen-tools-4.0.3_21548_04-0.9.1
- xen-tools-domU-4.0.3_21548_04-0.9.1
- SUSE Linux Enterprise Desktop 11 SP1 (i586):
- xen-kmp-pae-4.0.3_21548_04_2.6.32.59_0.5-0.9.1
- SUSE Linux Enterprise Desktop 10 SP4 (i586 x86_64):
- xen-3.2.3_17040_38-0.11.1
- xen-devel-3.2.3_17040_38-0.11.1
- xen-doc-html-3.2.3_17040_38-0.11.1
- xen-doc-pdf-3.2.3_17040_38-0.11.1
- xen-doc-ps-3.2.3_17040_38-0.11.1
- xen-kmp-default-3.2.3_17040_38_2.6.16.60_0.97.1-0.11.1
- xen-kmp-smp-3.2.3_17040_38_2.6.16.60_0.97.1-0.11.1
- xen-libs-3.2.3_17040_38-0.11.1
- xen-tools-3.2.3_17040_38-0.11.1
- xen-tools-domU-3.2.3_17040_38-0.11.1
- xen-tools-ioemu-3.2.3_17040_38-0.11.1
- SUSE Linux Enterprise Desktop 10 SP4 (x86_64):
- xen-libs-32bit-3.2.3_17040_38-0.11.1
- SUSE Linux Enterprise Desktop 10 SP4 (i586):
- xen-kmp-bigsmp-3.2.3_17040_38_2.6.16.60_0.97.1-0.11.1
- SLE SDK 10 SP4 (i586 x86_64):
- xen-3.2.3_17040_38-0.11.1
- xen-devel-3.2.3_17040_38-0.11.1
- xen-kmp-debug-3.2.3_17040_38_2.6.16.60_0.97.1-0.11.1
- xen-kmp-kdump-3.2.3_17040_38_2.6.16.60_0.97.1-0.11.1
- xen-libs-3.2.3_17040_38-0.11.1
- xen-tools-3.2.3_17040_38-0.11.1
- xen-tools-ioemu-3.2.3_17040_38-0.11.1
- SLE SDK 10 SP4 (x86_64):
- xen-libs-32bit-3.2.3_17040_38-0.11.1