** WHITE information - Unlimited distribution allowed **
** see https://go.egi.eu/tlp for distribution restrictions **
EGI CSIRT ADVISORY [EGI-ADV-20150415]
Title: EGI Alert 'High' risk - Xen Vulnerability Hypervisor memory
corruption due to x86 emulator flaw CVE-2015-2151 [EGI-ADV-20150415]
Date: 2015-04-15
Updated:
URL: https://advisories.egi.eu/CSIRT_Alerts/Xen-2015-04-15
Introduction
============
Currently there is increasing use of the Xen hypervisor in the EGI infrastructure.
Vulnerabilities for the Xen hypervisor are listed in [R 1]
One of these vulnerabilities CVE-2015-2151 (123 on the list, announced on 10th
March 2015) we consider needs to be treated as 'High' risk.
Details
=======
See [R 1] and [R 2]
Risk category
=============
This issue has been assessed as 'High' EGI SVG Risk Assessment Team
Recommendations
===============
If sites are using the Xen hypervisor, and have not updated in the last month,
they should update as soon as possible.
References
==========
[R 1] Xen vulnerability list http://xenbits.xen.org/xsa/
[R 2] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2151
Timeline
========
Yyyy-mm-dd
2015-03-05 SVG alerted to Xen vulnerabilities list
2015-03-10 SVG alerted to further Xen vulnerabilities, including the one referred
to in this advisory
2015-03-11 Initial assessment made, few commented due to small number of people
in EGI SVG with expertise on Xen.
2015-04-14 Decision to send alert, as most experienced person considered it to be
'high' risk
2015-04-15 Alert sent to sites.