1. 11

  2. 1

    I had to patch my infrastructure for XSA-213 as well: XSA 213-215 security patches applied. The commentary from Qubes opens with:

    XSA-213 is a fatal, reliably exploitable bug in Xen. In the nearly eight-year history of the Qubes OS project, we have become aware of four bugs of this calibre: XSA-148, XSA-182, XSA-212, and now XSA-213. Coincidentally, all of these fatal bugs have been in Xen mechanisms for handling memory virtualization for paravirtualized (PV) VMs.

    The two most recent, XSA-212 and XSA-213, were both discovered by Jann Horn from Google Project Zero, I believe while doing fuzz testing.

    We’ve certainly noticed the increased frequency of Xen security issues, I note in my post:

    Our average downtime this maintenance cycle was 35 minutes. The longest host server took 67 minutes, while the shortest took 15 minutes. This was less total downtime than previous maintenance windows, representing incremental improvements in our patching process.

    Between XSA-212, happening only a ~month ago, and XSA-213 we managed to squeeze in some procedural simplification in our playbook that hasn’t until now been worth spending time on.

    1. 2

      Is Xen more vulnerable than other options like KVM? It feels like it anecdotally. As a service provider, have you considered switching?

      1. 4

        Xen has seen an unfortunate number of issues recently. So has Qemu though; those would apply to us whether we’re on Xen or KVM. KVM’s architecture is better suited for the present-day realities of virtualization, but Xen still solves a real problem: we do host PVM guests that aren’t ready to move to HVM.

        We do discuss moving to KVM: I recall a lunch conversation recently where we discussed what we’d do with a greenfield VPS project, and ‘starting with KVM’ held down one side of the table. I’d rather focus on live migration, as it reduces the impact of security disclosures and also gives me more operational flexibility, with less churn in my stack.

        1. 3

          True, and probably the fact that KVM is younger is helping. But also KVM has had its own share of issues recently as well, e.g. using rowhammer to escape VM memory using Linux memory deduplication functionalities.

        2. 2

          Xen is among the only PV virtualizers, so it’s hard to compare.