[CentOS-virt] Xen 4.4 Immediate EOL

Fri Jan 19 17:58:01 UTC 2018
Kevin Stange <kevin at steadfast.net>

On 01/19/2018 06:17 AM, Pasi Kärkkäinen wrote:
> On Thu, Jan 18, 2018 at 11:48:35AM -0600, Kevin Stange wrote:
>> Hi,
> Hi,
>> I am very sorry to do this on short notice, but obviously Meltdown and
>> Spectre are a lot more than anyone was really expecting to come down the
>> pipeline.  Xen 4.4 has been EOL upstream for about a year now and I have
>> personally been reviewing and backporting patches based on the 4.5
>> versions made available upstream.
>> Given that 4.5 is now also reaching EOL, backporting to 4.4 will become
>> harder and I've already taken steps to vacate 4.4 in my own environment
>> ASAP.  Spectre and Meltdown patches most likely will only officially
>> reach 4.6 and are very complicated.  Ultimately, I don't think this is a
>> constructive use of my time.  Therefore, I will NOT be continuing to
>> provide updated Xen 4.4 builds any longer through CentOS Virt SIG.  If
>> someone else would like to take on the job, you're welcome to try.  Pop
>> by #centos-virt on Freenode to talk to us there if you're interested.
>> For short term mitigation of the Meltdown issue on 4.4 with PV domains,
>> your best bet is probably to use the "Vixen" shim solution, which George
>> has put into the xen-44 package repository per his email from two days
>> ago. Vixen allows you to run PV domains inside HVM guest containers.  It
>> does not protect the guest from itself, but protects the domains from
>> each other.  Long term, your best bet is to try to get up to a new
>> version of Xen that is under upstream security support, probably 4.8.
> Oracle VM 3.4 product is based on Xen 4.4, and they seem to have backported the fixes already...
> It looks like those src.rpms have {CVE-2017-5753} {CVE-2017-5715} {CVE-2017-5754} fixes included.
> https://oss.oracle.com/pipermail/oraclevm-errata/2018-January/thread.html
> https://oss.oracle.com/pipermail/oraclevm-errata/2018-January/000816.html
> https://oss.oracle.com/pipermail/oraclevm-errata/2018-January/000817.html
> http://oss.oracle.com/oraclevm/server/3.4/SRPMS-updates/xen-4.4.4-155.0.12.el6.src.rpm
> http://oss.oracle.com/oraclevm/server/3.4/SRPMS-updates/xen-4.4.4-105.0.30.el6.src.rpm

That's impressive but dubious, as Xen has not released any fixes for
CVE-2017-5753 or CVE-2017-5715 even for 4.10 yet.

Kevin Stange
Chief Technology Officer
Steadfast | Managed Infrastructure, Datacenter and Cloud Services
800 S Wells, Suite 190 | Chicago, IL 60607
312.602.2689 X203 | Fax: 312.602.2688
kevin at steadfast.net | www.steadfast.net