EGI SVG Advisories

** WHITE information - Unlimited distribution allowed      **
** see https://go.egi.eu/tlp for distribution restrictions **



EGI CSIRT ADVISORY [EGI-ADV-20150415]

Title:       EGI Alert 'High' risk - Xen Vulnerability: Hypervisor memory
             corruption due to x86 emulator flaw CVE-2015-2151  [EGI-ADV-20150415]

Date:        2015-04-15
Updated:

URL:         https://advisories.egi.eu/CSIRT_Alerts/Xen-2015-04-15



Introduction
============

Use of the Xen hypervisor in the EGI infrastructure is increasing.

Vulnerabilities in the Xen hypervisor are listed in [R 1].

One of these, CVE-2015-2151 (number 123 on that list, XSA-123, announced on 10
March 2015), is in our assessment one that needs to be treated as 'High' risk.


Details
=======

See [R 1] and [R 2].


Risk category
=============

This issue has been assessed as 'High' risk by the EGI SVG Risk Assessment Team.


Recommendations
===============

If sites are using the Xen hypervisor and have not updated it in the last month,
they should update as soon as possible. A hypervisor that has not been updated
since the fix was published on 10 March 2015 is still exposed to this issue.
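The following triage helper is an added example and is not part of the EGI
advisory or of any EGI or Xen tooling. It assumes a Linux dom0 where `xl info`
reports a `xen_version` line, and it takes the date the hypervisor package was
last updated (yyyy-mm-dd) as an argument, since the package manager in use
varies between sites. A package updated before the XSA-123 announcement date on
the page, 2015-03-10, cannot contain the fix and is flagged for update; the
sample `xl info` text below is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (hypothetical helper, not EGI or Xen project code).
# Flags Xen dom0 hosts whose hypervisor package predates the XSA-123 fix.

# Reference date: XSA-123 / CVE-2015-2151 was announced on 2015-03-10.
XSA123_DATE=2015-03-10

# Print the hypervisor version from the text of `xl info` ($1),
# e.g. the line "xen_version            : 4.4.1" yields "4.4.1".
xen_version_from_info() {
    printf '%s\n' "$1" | awk -F': *' '/^xen_version/ { print $2; exit }'
}

# Return 0 (true) when ISO date $1 is strictly before ISO date $2.
# Dashes are stripped so the dates compare as integers (20150220 < 20150310),
# which keeps the check POSIX sh compatible (no GNU date -d needed).
date_older_than() {
    [ "$(printf '%s' "$1" | tr -d -)" -lt "$(printf '%s' "$2" | tr -d -)" ]
}

# Verdict for one host: $1 = last update date of the xen package (yyyy-mm-dd),
# $2 = reference date (defaults to the XSA-123 announcement date).
needs_update() {
    ref="${2:-$XSA123_DATE}"
    if date_older_than "$1" "$ref"; then
        echo "UPDATE"
    else
        echo "OK"
    fi
}

# Constructed sample of `xl info` output used for the offline demonstration.
SAMPLE_XL_INFO='host                   : dom0.example.org
release                : 3.10.0
xen_major              : 4
xen_minor              : 4
xen_extra              : .1
xen_version            : 4.4.1
xen_caps               : xen-3.0-x86_64 hvm-3.0-x86_64'

# Offline demonstration on the constructed sample.
echo "hypervisor version: $(xen_version_from_info "$SAMPLE_XL_INFO")"
echo "package updated 2015-02-20: $(needs_update 2015-02-20)"   # UPDATE
echo "package updated 2015-03-20: $(needs_update 2015-03-20)"   # OK

# On a real dom0, report the running hypervisor version when `xl` is present;
# pass the package update date from your package manager as the first argument.
if command -v xl >/dev/null 2>&1 && [ -n "$1" ]; then
    echo "live hypervisor version: $(xen_version_from_info "$(xl info)")"
    echo "live verdict: $(needs_update "$1")"
fi
```

The version string is reported for the site's records only; the verdict is
driven by the package update date, because a Xen version number alone does not
say whether the distribution's backported XSA-123 patch has been applied.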



References
==========

[R 1] Xen vulnerability list http://xenbits.xen.org/xsa/

[R 2] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2151


Timeline
========
(dates are yyyy-mm-dd)

2015-03-05 SVG alerted to Xen vulnerabilities list
2015-03-10 SVG alerted to further Xen vulnerabilities, including the one referred
           to in this advisory
2015-03-11 Initial assessment made; few commented due to the small number of people
           in EGI SVG with expertise on Xen
2015-04-14 Decision to send alert, as the most experienced person considered it to be
           'High' risk
2015-04-15 Alert sent to sites