Xen bug latest: Cloudpocalypse averted, says Amazon

No mass reboot needed after all, despite latest Xen vulns


Amazon Web Services now says that despite the recent security vulnerabilities discovered in the Xen hypervisor, the vast majority of its Elastic Compute Cloud (EC2) customers won't need to reboot their virtual machine instances after all.

Last week, AWS and Rackspace both said that customers should prepare for a mass reboot of their instances to address as-yet-unrevealed vulnerabilities in the Xen software that underlies both companies' clouds.

But on Monday, AWS said that its engineers have been working "around-the-clock" to find ways to avoid restarting customers' VMs, and that as a result of recent fixes, a reboot won't actually be necessary in most cases.

"We're happy to share that we'll now be able to live-update ‎the vast majority of our older hardware for this Xen Security Advisory," the AWS team said in an update to its original security advisory. "This means that over 99.9 per cent of our total EC2 instances will receive the live-update and avoid a reboot."

For those 0.1 per cent of instances that still need to be rebooted, AWS says it can also guarantee that they will be restarted on updated machines – meaning customers can go ahead and restart them as soon as they're ready, rather than waiting for the scheduled reboot. Previously, the company had said that early reboots wouldn't fix the problem.

Even prior to the latest patches, AWS said that fewer than 10 per cent of customer EC2 instances were affected by the Xen vulnerabilities.

All remaining affected instances will be rebooted by March 10, which is when the Xen Project will disclose the nature of the bugs in question. We won't know exactly what's going on until then, but previous Xen bugs have made it possible for attackers to launch denial-of-service attacks against affected machines and allow guest instances to read data belonging to other guests. ®


Other stories you might like

Biting the hand that feeds IT © 1998–2021