Title: EGI SVG Advisory [TLP:WHITE] up to 'HIGH' risk Qemu and Xen guest
escape issues CVE-2016-9603 and others [EGI-SVG-CVE-2016-9603]
Date: 2017-06-01
Updated:
Affected software and risk
==========================
Up to 'HIGH' risk vulnerabilities concerning Qemu and Xen.
Package : Qemu
CVE ID : CVE-2016-9603
Package : Xen
CVE ID : CVE-2017-7228, CVE-2017-8903, CVE-2017-8904, CVE-2017-8905
Various vulnerabilities have been found which may lead to guest escape.
The Risk depends on configuration, in some known configurations in EGI the Qemu
one we consider to be 'High' risk.
Actions required/recommended
============================
Sites running Qemu or Xen are recommended to update relevant components as soon
as possible if they have not done already.
Affected software details
=========================
See [R 1] to [R 6]
More information
================
We consider this to be 'High' for FedCloud sites running OpenStack.
Depending on the configuration, according to the Xen advisories for
CVE-2017-7228, CVE-2017-8903 "A malicious or buggy 64-bit PV guest may be able
to access all of system memory".
This could have serious consequences if exploited. It is not clear whether they
are exploitable in the EGI infrastructure.
It is also not clear how widespread Xen usage is in EGI.
Component installation information
==================================
See vendor's information.
For sites running OpenStack it is recommended they have a procedure to
hard-reboot all VMs if an exploit starts spreading.
TLP and URL
===========
** WHITE information - Unlimited distribution - see
https://go.egi.eu/tlp for distribution restrictions **
URL: https://advisories.egi.eu/Advisory-SVG-CVE-2016-9603
Minor updates may be made without re-distribution to the sites
Comments
========
Comments or questions should be sent to svg-rat at mailman.egi.eu
If you find or become aware of another vulnerability which is relevant to EGI
you may report it by e-mail to
report-vulnerability at egi.eu
the EGI Software Vulnerability Group will take a look according to the
procedure defined in [R 7]
References
==========
RedHat:--
[R 1] https://access.redhat.com/security/cve/cve-2016-9603
Xenbits:--
[R 2] https://xenbits.xen.org/xsa/advisory-211.html
[R 3] https://xenbits.xen.org/xsa/advisory-212.html
[R 4] https://xenbits.xen.org/xsa/advisory-213.html
[R 5] https://xenbits.xen.org/xsa/advisory-214.html
[R 6] https://xenbits.xen.org/xsa/advisory-215.html
SVG procedure:--
[R 7] https://documents.egi.eu/public/ShowDocument?docid=2538
Credit
======
SVG was alerted to these vulnerabilities by Mischa Salle.
Timeline
========
Yyyy-mm-dd [EGI-SVG-2016-12805]
2017-04-24 SVG alerted to CVE-2017-7228 by Mischa salle.
2017-05-17 SVG alerted to all other issues by Mischa Salle.
2017-05-25 Investigation of vulnerability and relevance to EGI carried out
2017-05-26 EGI SVG Risk Assessment completed, advisory drafted.
2017-04-18 to 2017-05-12 Updated packages available for various CVEs and
distributions.
2017-06-01 Advisory/Alert sent to sites
Context
=======
This advisory has been prepared as part of the effort to fulfil EGI SVG's
purpose "To minimize the risk to the EGI infrastructure arising from software
vulnerabilities"
The risk is that assessed by the group, according to the EGI SVG issue handling
procedure [R 7] in the context of how the software is used in the EGI
infrastructure. It is the opinion of the group, we do not guarantee it to be
correct. The risk may also be higher or lower in other deployments depending on
how the software is used.
Others may re-use this information provided they:-
1) Respect the provided TLP classification
2) Credit the EGI https://www.egi.eu/ Software Vulnerability Group
On behalf of the EGI SVG,