Details of the mysterious Xen vulnerability, which prompted the Amazon AWS/Rackspace cloud reboots late last week, have been revealed, with patches already available.
The CVE-2014-7188 vulnerability creates a way to trick the hypervisor into reading unallocated memory.
"A buggy or malicious HVM [hardware virtual machine] guest can crash the host or read data relating to other guests or the hypervisor itself," an advisory by Xen developers explained.
Fortunately, patches are already available for the flaw, which was discovered by Jan Beulich at SUSE. Where patching is not possible, running only PV (paravirtualisation) guests will counteract the vulnerability.
Xen 4.1 and onward are vulnerable, but only on x86 systems. ARM systems are not vulnerable.
Rackspace, the managed cloud outfit, told its customers about the "maintenance work" in an email sent out early last Saturday, subsequently seen by El Reg.
"Recently, an issue that has the potential to impact a portion of the Public Cloud environment was reported," it said in the correspondence. "Our engineers and developers continue to work closely with our vendors and partners to apply the solution to remediate this issue."