# Xen Security Advisories



## Geek (Mar 5, 2015)

http://xenbits.xen.org/xsa/advisory-122.html

ISSUE DESCRIPTION
=================

The code handling certain sub-operations of the HYPERVISOR_xen_version
hypercall fails to fully initialize all fields of structures
subsequently copied back to guest memory. Due to this hypervisor stack
contents are copied into the destination of the operation, thus
becoming visible to the guest.

IMPACT
======

A malicious guest might be able to read sensitive data relating to
other guests.

VULNERABLE SYSTEMS
==================

Xen 3.2.x and later are vulnerable.
Xen 3.1.x and earlier have not been inspected.

MITIGATION
==========

There is no mitigation available for this issue.

CREDITS
=======

This issue was discovered by Aaron Adams of NCC Group.

RESOLUTION
==========

Applying the attached patch resolves this issue.
 

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

http://xenbits.xen.org/xsa/advisory-121.html

ISSUE DESCRIPTION
=================

Emulation routines in the hypervisor dealing with certain system
devices check whether the access size by the guest is a supported one.
When the access size is unsupported these routines failed to set the
data to be returned to the guest for read accesses, so that hypervisor
stack contents are copied into the destination of the operation, thus
becoming visible to the guest.

IMPACT
======

A malicious HVM guest might be able to read sensitive data relating
to other guests.

VULNERABLE SYSTEMS
==================

Xen 3.2.x and later are vulnerable.
Xen 3.1.x and earlier have not been inspected.

Only HVM guests can take advantage of this vulnerability.

Only x86 systems are vulnerable.  ARM systems are not vulnerable.

CREDITS
=======

This issue was discovered by Jan Beulich of SUSE.


----------
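The pattern both advisories describe (a reply structure copied to the guest with some of its bytes never written) as an added C example; this is not code from Xen or from the advisories. The `version_reply` layout, the handler names and the `STALE_MARKER` fill are assumptions made so the leak is deterministic instead of depending on real stack contents.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical reply structure (assumption, not Xen's real layout):
 * the numeric fields get set, but `extra` is never touched. */
struct version_reply {
    uint32_t major;
    uint32_t minor;
    char     extra[16];
};

/* Backing storage so the example can pre-fill "stale stack contents"
 * with a known marker rather than relying on the real stack. */
union reply_storage {
    struct version_reply r;
    unsigned char raw[sizeof(struct version_reply)];
};

#define STALE_MARKER 0xAA

/* Handler as the advisory describes it: only some fields are written,
 * so whatever the stack held in `extra` is copied out unchanged. */
static void fill_reply_partial(struct version_reply *r) {
    r->major = 4;
    r->minor = 5;
}

/* Hardened handler: clear the whole object before setting any field,
 * which also covers compiler-inserted padding in other layouts. */
static void fill_reply_zeroed(struct version_reply *r) {
    memset(r, 0, sizeof(*r));
    r->major = 4;
    r->minor = 5;
}

/* Runs one simulated hypercall and returns how many marker bytes
 * reached the guest-side buffer; 0 means nothing stale was copied. */
size_t stale_bytes_leaked(int hardened) {
    union reply_storage u;
    unsigned char guest[sizeof(struct version_reply)];
    size_t i, leaked = 0;

    memset(u.raw, STALE_MARKER, sizeof(u.raw)); /* simulated stale stack */
    if (hardened)
        fill_reply_zeroed(&u.r);
    else
        fill_reply_partial(&u.r);
    memcpy(guest, &u.r, sizeof(guest)); /* stands in for copy to guest */

    for (i = 0; i < sizeof(guest); i++)
        if (guest[i] == STALE_MARKER)
            leaked++;
    return leaked;
}
```

With the partial handler all 16 bytes of `extra` arrive in the guest buffer still holding the marker; the zeroing handler leaks none.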



## HalfEatenPie (Mar 5, 2015)

Wowza.

Definitely not something you want.  Thanks for posting this man!


----------



## Geek (Mar 7, 2015)

More of what someone at XenServer is calling "several really bad vulnerabilities" are on their way, it seems. Rackspace doing another rolling reboot this week-

| Advisory | Public release | Updated | Version | CVE(s) | Title |
|---|---|---|---|---|---|
| XSA-123 | 2015-03-10 12:00 | | | none (yet) assigned | (Prereleased, but embargoed) |
| XSA-122 | 2015-03-05 12:00 | | | assigned, but embargoed | (Prereleased, but embargoed) |
| XSA-121 | 2015-03-05 12:00 | | | assigned, but embargoed | (Prereleased, but embargoed) |
| XSA-120 | 2015-03-10 12:00 | | | none (yet) assigned | (Prereleased, but embargoed) |
| XSA-119 | 2015-03-12 12:00 | | | none (yet) assigned | (Prereleased, but embargoed) |


----------

