New Xen vuln triggers Amazon, Rackspace reboot panic redux

Second hypervisor-related cloud meltdown in six months


Newly discovered vulnerabilities in the open source Xen virtualization hypervisor have once again sent major public cloud companies scurrying to patch and reboot their systems before attackers can pull off a massive exploit.

Amazon and Rackspace have both announced that they will need to reboot some of their servers to address the issue before March 10, when the Xen Project plans to disclose the latest bugs. Details of the vulns are being withheld for now, to give the cloud vendors time to patch.

In a FAQ about the upcoming maintenance, Amazon Web Services said that only a subset of Elastic Compute Cloud (EC2) instances, those running on its oldest hardware, should be affected.

"We have built the capability to live-update the vast majority of our fleet; however, we have not yet enabled this capability on some of our older hardware," the online retail giant said. "This older hardware is what’s being rebooted."

Rackspace also said that only a portion of its machines will be affected, but it cautioned customers to be prepared for potential outages.

"We understand that any downtime impacts your business and we do not make this decision lightly," Rackspace said. "In preparation for a potential reboot, we recommend that you take proactive steps to ensure your environment is configured to return to proper operations."

Like Amazon, Rackspace says it plans to have all of its affected First Generation and Next Generation cloud servers patched and rebooted by Monday, March 9, and that the first reboots will begin on Monday, March 2.

This isn't the first time cloud vendors have been bitten by bugs in Xen. In fact, the last time was less than six months ago, when a vuln that allowed unauthorized memory access forced a similar mass reboot.

Other cloud vendors are likely to be affected, but not all of them. Microsoft, for example, uses a homegrown hypervisor for its Azure cloud. But IBM's SoftLayer cloud reportedly also had to reboot systems to address last year's Xen bugs, so it likely will this time, too (although we haven't heard anything yet).

Admins who run Xen on their own machines should likewise be on the lookout for patches from their OS vendors in the next couple of weeks. ®
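For admins working out whether that advice applies to them, here is an added example (not from the article, the Xen Project, or either cloud provider) of a POSIX shell check that reads the sysfs tree Linux exposes under /sys/hypervisor for a Xen guest or control domain. It reports the hypervisor version the kernel sees and whether the machine is dom0 (the one that actually patches Xen) or a domU (patched by whoever runs the host, as AWS and Rackspace customers are). The sysfs root is a parameter only so the function can be run against a constructed directory; the paths and file names are the real kernel interface.

```shell
#!/bin/sh
# Added example, not from the article or from the Xen Project: report whether
# a Linux system is running under Xen, which hypervisor version it sees, and
# whether it is the control domain (dom0, which patches the hypervisor) or a
# guest (domU, patched by whoever runs the host). It reads the sysfs tree
# that Linux's Xen guest support exposes under /sys/hypervisor.
# The tree root is a parameter so the function can be pointed at a
# constructed directory; the default is the real sysfs path.

xen_version() {
    root="${1:-/sys/hypervisor}"

    # No type file: kernel has no hypervisor sysfs support, or not virtualised.
    if [ ! -r "$root/type" ]; then
        echo "not-detected"
        return 1
    fi

    hv="$(cat "$root/type")"
    if [ "$hv" != "xen" ]; then
        echo "other $hv"
        return 1
    fi

    # version/{major,minor,extra} mirror the XENVER_version and
    # XENVER_extraversion hypercalls; extra carries the point-release or
    # vendor suffix, e.g. ".1" or ".amazon".
    major="$(cat "$root/version/major" 2>/dev/null || echo '?')"
    minor="$(cat "$root/version/minor" 2>/dev/null || echo '?')"
    extra="$(cat "$root/version/extra" 2>/dev/null || true)"

    # properties/capabilities lists "control_d" only in the control domain.
    if grep -q control_d "$root/properties/capabilities" 2>/dev/null; then
        role=dom0
    else
        role=domU
    fi

    echo "xen ${major}.${minor}${extra} ${role}"
    return 0
}

# Usage: run against the live system (prints e.g. "xen 4.4.1 domU").
xen_version || :
```

Treat the version string as the release branch you are on, not as proof that a given fix is present: distributions and cloud providers apply security patches to a release without changing it. If the check says domU, there is nothing to patch locally for a hypervisor bug; your provider's reboot is the fix.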

