This article is more than 1 year old
Xen reports new guest-host escape, this time through CD-ROMs
Don't stick your head in the sand, patch QEMU
The new vuln glories in the name XSA-138, aka CVE-2015-5154 and means “An HVM guest which has access to an emulated IDE CDROM device (e.g. with a device with "devtype=cdrom", or the "cdrom" convenience alias, in the VBD configuration) can exploit this vulnerability to take over the qemu process elevating its privilege to that of the qemu process.”
“All Xen systems running x86 HVM guests without stubdomains which have been configured with an emulated CD-ROM driver model are vulnerable,” the advisory about the bug says.
The good news is that you can fix the flaw by “Avoiding the use of emulated CD-ROM devices altogether, by not specifying such devices in the domain configuration”. Or you can enable stubdomains.
This bug may not be a massive hassle for cloud operators, as such users are unlikely to have bothered with emulated CD-ROMs in the slimmed-down VMs they generally prefer. For the rest of us, it'll be worth checking if we left the deprecated drives in VMs and then applying your preferred distro's remedies. All urge doing so swiftly. ®