OracleVM 3.0 : xen (OVMSA-2012-0020)
High Nessus Plugin ID 79476
Synopsis
The remote OracleVM host is missing one or more security updates.
Description
The remote OracleVM system is missing necessary patches to address critical security updates:
- x86-64: detect processors subject to AMD erratum #121 and refuse to boot (CVE-2006-0744)
- guest denial of service on syscall/sysenter exception generation (CVE-2012-0217)
- Remove unnecessary balloon retries on vm create. This is a backport from the fix for bug 14143327.
- This is a backport from 3.1.1: Author: amisherf. Put back the patch that prevents older guests that use kudzu from hanging on a reboot. Fixed the patch to prevent excessive watcher writes, which cause xend and xenstored to run at 100% cpu usage. Now the watch is written only if the console is in the Initialising, InitWait, or Initialised states, which happen once at boot time. [bug 13523487]
- Backport from upstream changeset 20968. xend: notify xenpv device model that console info is ready. Sometimes a PV domain with vfb doesn't boot up. /sbin/kudzu is stuck. After investigation, I've found that the evtchn for console is not bound at all. The normal sequence of evtchn initialization in qemu-dm for xenpv is: 1) watch xenstore backpath (/local/domain/0/backend/console/<domid>/0) 2) read console info (/local/domain/<domid>/console/[type, ring-ref, port..]) 3) bind the evtchn to the port. But in some cases, xend writes to the backpath before the console info is prepared, and never writes to the backpath again. So qemu-dm fails at 2) and never reaches 3). When this happens, a manual xenstore-write command on Domain-0 resumes the guest.
- Set max cstate to 1. This is a backport requirement for bug 13703504. We have several bugs in which cstate made the system unstable, both for ovm2 and ovm3: For OVM3.x: Bug 13703504 - unexplained network disconnect causes ocfs to fence the server For OVM2.x
Solution
Update the affected xen / xen-devel / xen-tools packages.