The Xen Project has disclosed a serious flaw in the Xen hypervisor that puts the security of many virtualized servers at risk. Xen is a free, open source hypervisor that many companies use to run virtual machines on their servers, and it also underpins a number of public and private cloud platforms that use it to create virtual machines for their tenants.
The issue has been assigned CVE-2014-7188 (Xen Security Advisory XSA-108), and the major cloud service providers were notified under the Xen Project's pre-disclosure process before it was made public. Amazon Web Services (AWS) and Rackspace applied the patch, and rebooted the affected hosts, during the week before the advisory was published.
An Amazon spokesperson said, “I’d like to give you an update on the EC2 Maintenance announcement that I posted last week. Late yesterday (September 30th), we completed a reboot of less than 10% of the EC2 fleet to protect you from any security risks associated with the Xen Security Advisory (XSA-108). This Xen Security Advisory was embargoed until a few minutes ago; we were obligated to keep all information about the issue confidential until it was published.”
He added, “The zone by zone reboots were completed as planned and we worked very closely with our customers to ensure that the reboots went smoothly for them. We’ll continue to be vigilant and will do our best to protect all AWS customers from similar issues in the future. As an AWS user, you may also want to take this opportunity to re-examine your AWS architecture to look for possible ways to make it even more fault-tolerant.”
The flaw found by the Xen Project lies in the hypervisor's emulation of the x2APIC model-specific registers (MSRs) for guests running under Xen's Hardware Assisted Virtualization (HVM). The x2APIC range spans 256 MSRs, but Xen's emulated read path accepted 1024, so a read of one of the extra MSRs reached memory beyond the single 4 KiB page set up for APIC emulation. A buggy or malicious HVM guest can therefore crash the host or read data belonging to other guests, or to the hypervisor itself, on the same physical machine, which is the normal multi-tenant situation on a cloud host. Only x86 HVM guests on Xen 4.1 and later can trigger the bug; paravirtualized (PV) guests cannot. Because the fix is to the hypervisor rather than to the guest, applying it means patching and rebooting (or live-migrating guests off) every affected host, which is why providers such as AWS had to reboot part of their fleet.
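The bug class behind XSA-108 is an MSR-range check that is wider than the backing buffer it indexes. The following added example, written for this page and not taken from Xen's source, models that in a few lines: a constructed 4 KiB emulated APIC page followed by memory standing in for other guests' data, a read path with the over-wide 1024-MSR range, and the corrected path that accepts only the 256 real x2APIC MSRs. The struct layout, the register-to-offset mapping (16 bytes per MSR) and the neighbour data are assumptions made for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* x2APIC MSRs start at 0x800; the architectural range is 256 MSRs.
 * Each MSR maps to a 16-byte register slot in the 4 KiB emulated APIC page. */
#define MSR_X2APIC_BASE 0x800u
#define MSR_X2APIC_COUNT 256u
#define APIC_PAGE_SIZE 4096u
#define BYTES_PER_MSR 16u

/* Constructed host memory image (assumption, not Xen's real layout):
 * the guest's emulated APIC page is immediately followed by data that
 * belongs to someone else, such as other guests or the hypervisor. */
struct host_mem {
    uint8_t apic_page[APIC_PAGE_SIZE];
    uint8_t neighbour[APIC_PAGE_SIZE * 3];
};

/* Fill the image: APIC page zeroed, neighbouring data a repeating "ABC..Z". */
void build_host(struct host_mem *m)
{
    memset(m->apic_page, 0, sizeof m->apic_page);
    for (size_t i = 0; i < sizeof m->neighbour; i++)
        m->neighbour[i] = (uint8_t)('A' + (i % 26));
}

/* Vulnerable read path: the range check admits 1024 MSRs (0x800..0xBFF),
 * so the computed offset can reach 0x3FF0, far past the 4 KiB page.
 * The read is still inside struct host_mem, so the model stays well defined. */
bool x2apic_read_vulnerable(const struct host_mem *m, uint32_t msr, uint32_t *out)
{
    if (msr < MSR_X2APIC_BASE || msr > MSR_X2APIC_BASE + 0x3ffu)
        return false;
    uint32_t off = (msr - MSR_X2APIC_BASE) * BYTES_PER_MSR;
    memcpy(out, (const uint8_t *)m + off, sizeof *out);   /* no bound against APIC_PAGE_SIZE */
    return true;
}

/* Fixed read path: only the 256 architectural MSRs, so off + 4 <= 4096 always holds. */
bool x2apic_read_fixed(const struct host_mem *m, uint32_t msr, uint32_t *out)
{
    if (msr < MSR_X2APIC_BASE || msr >= MSR_X2APIC_BASE + MSR_X2APIC_COUNT)
        return false;
    uint32_t off = (msr - MSR_X2APIC_BASE) * BYTES_PER_MSR;
    memcpy(out, m->apic_page + off, sizeof *out);
    return true;
}

/* Byte offset that a given MSR reaches under the vulnerable path; values at or
 * above APIC_PAGE_SIZE are out-of-page reads. */
uint32_t vulnerable_offset(uint32_t msr)
{
    return (msr - MSR_X2APIC_BASE) * BYTES_PER_MSR;
}

int main(void)
{
    static struct host_mem m;
    uint32_t v = 0;
    build_host(&m);

    /* Highest MSR the over-wide check accepts: reads 0x3FF0 bytes past the page start. */
    if (x2apic_read_vulnerable(&m, 0xbff, &v))
        printf("vulnerable: MSR 0xbff -> offset 0x%x, bytes %.4s\n",
               vulnerable_offset(0xbff), (const char *)&v);
    if (!x2apic_read_fixed(&m, 0xbff, &v))
        printf("fixed: MSR 0xbff rejected\n");
    return 0;
}
```

Reading MSR 0xBFF through the vulnerable path returns four bytes of the neighbouring data, while the fixed path rejects every MSR outside 0x800..0x8FF and can never index past the emulated page; the same comparison is worth running against any emulated register file whose bounds are derived from a numeric range rather than from the size of the backing buffer.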