Xen Security Vulnerability and Amazon is Special

[DomainBop]

Major security vulnerability in Xen to be announced October 1st if you're a mere mortal.  Amazon is already privy to the details and the fix and is applying the fix and rebooting the 10% of its cloudcrap thingees that are vulnerable.

http://xenbits.xen.org/xsa/

http://www.theregister.co.uk/2014/09/25/amazon_readies_global_glory_reboot/

Advisory

Public release

Updated

Version

CVE(s)

Title

XSA-108

2014-10-01 12:00

 

 

assigned, but embargoed

(Prereleased, but embargoed)

 
Do I have a problem with the details being kept under wraps from everyone else until Amazon is able to apply a fix to their EC2 Xen instances? Yes, I do have a problem with it.

AWS customers know that security and operational excellence are our top two priorities. These updates must be completed by October 1st before the issue is made public as part of an upcoming Xen Security Announcement (XSA). Following security best practices, the details of this update are embargoed until then. The issue in that notice affects many Xen environments, and is not specific to AWS.

https://aws.amazon.com/blogs/aws/ec2-maintenance-update/

 

[AnthonySmith]

I understand Amazon and other big players getting first dibbs, they have a MUCH bigger job to do than everyone else and if struck on a large scale by such an issue the public confidence in Xen would take a huge hit.

I dont think just letting everyone else deal with the fallout later while it is in the wild is great though, a solid propagation process needs to be in place, level 1 notice being amazon and other +25% market share people, level 2 notice 24 hours later to registered groups such as OnApp etc, level 3 being <50 employee people and at this stage it is fair to expect some sort of leak however it gives you some chance.

 

[24/7/365]

It makes complete sense but you still can't help feel like a second class citizen.

 

[AnthonySmith]

Just got confirmation that solusvm/onapp have been given no information on this.

 

[AnthonySmith]

Just got confirmation that solusvm/onapp have been given no information on this.

 

[DomainBop]

It makes complete sense but you still can't help feel like a second class citizen.

It makes sense to try to limit the damage by giving big companies a chance to fix it before the vulnerability becomes common knowledge, but on the other hand I don't like the further tilting of an already tilted playing field towards large corporations.

Large companies are better able to survive the damage (both in terms of loss of trust and potential financial liability) than small businesses when there is a breach/hacking.  If big companies are given a chance to fix vulnerabilities before everyone else and small businesses are kept in the dark until the vulnerability becomes common knowledge,  it will mean small businesses are primarily the  ones to get hit when there is an exploit and it will make it that much harder to convince the average person to trust or use a small business rather than the well known household names who didn't get hit because they were forewarned.

 

[AnthonySmith]

Not sure if my post was edited or if I messed up but it meant to say, edit: They (solus/onapp) do have all the info they wont be releasing any patches until it is under public release though.

 

[k0nsl]

Rackspace is special, too. 
https://status.rackspace.com/
 

 

[drmike]

Oh, well, if said vulnerability is being used as classism, perhaps the actual deficiency should be leaked to the world and force a more rapid response and more uniform treatment.

 

[Francisco]

Oh, well, if said vulnerability is being used as classism, perhaps the actual deficiency should be leaked to the world and force a more rapid response and more uniform treatment.

It's going to be patched & documented publicly but it's likely bad enough that it'd cause major security issues.

All I can figure is it's based on a pretty specific version of XEN (possibly in 4.x+) and that's why Linode isn't affected by it.

This could be really iffy, especially if it affects only older (3.x) builds of XEN and RHEL/etc aren't providing patches. While I know you can get newer XEN's on RHEL5 and such, unless SolusVM is doing it for them I don't see a lot of LE hosts doing it.

Francisco

 

[perennate]

It's not just for big cloud companies, also need time for package maintainers to update, then all you need to do when vulnerability is released (at same time as packages) is upgrade. Seems like they have an exact time for people to check back too. Besides, probably Amazon and others support Xen developers financially.

 

[eva2000]

FYI, I emailed Linode and they are aware of this and apparently working on it