  1. #1
    WHT-BR Top Member
    Join Date: Dec 2010
    Posts: 14,981

    [EN] AWS to Reboot Entire EC2 Cloud

    Amazon Web Services rolled out an urgent security patch to hosts causing a widespread maintenance reboot of EC2 compute instances over the next several days, ending September 30. The company had a similar event in December 2011, but a more substantial number of instances will be rebooted this time around.

    AWS has notified customers by email, but the company has so far been tight-lipped about the reasons for the reboot. The reboot is occurring across all availability zones.

    There is speculation that the company is patching for a vulnerability, specifically a fix for the open source hypervisor Xen. The reason will be revealed on October 1 after all hosts have been patched. If customers relaunch an instance before the maintenance, they will not be guaranteed a patched host.

    Instance reboots to upgrade and apply patches are not uncommon, however the scale and short notice behind this case is causing some concern. The short notice is most likely because of security reasons, which would make the move imperative.

    Popular cloud management platform RightScale’s CTO Thorsten Von Eicken wrote that whenever the company’s operations team receives a maintenance notice, they relaunch as soon as possible to complete the transition within the maintenance window. “This time, due to the scale of the patching, there is not enough patched capacity available to guarantee this,” Von Eicken wrote.
    http://www.datacenterknowledge.com/a...curity-reboot/

  2. #2

    Amazon: Reboot Will Affect Less Than 10 Percent of Cloud Instances

    Amazon Web Services has released more details about this week’s massive instance update on its EC2 cloud.

    The update is being applied to patch a known issue that affects all Xen environments and is not AWS-specific, the company said. Amazon said that it will affect a small percentage (less than 10 percent) of the global EC2 fleet.

    It is a mandatory update and must be completed by October 1. Amazon said the update is not in any way associated with what is being called “The Bash Bug” in the news today.

    Not all instances will be rebooted. RightScale is reporting that it is impacting around 25 percent of the types of instances. RightScale has made a FAQ available.

    AWS said that the following instance types will not be affected: T1, T2, M2, R3 and HS1. To find out if you’re being impacted, visit Amazon’s “Events” page on the EC2 console. It will list pending instance reboots.

    Those instances requiring a reboot will be staggered so that no two regions or availability zones are impacted at the same time and they will restart with all saved data and all automated configuration intact.

    The company issued a statement: “We understand that for a small subset of customers the reboot will be more inconvenient; we wouldn’t inconvenience our customers if it wasn’t important and time-critical to apply this update.”

    The instances that need the update require a system restart of the underlying hardware and will be unavailable for a few minutes while the patches are being applied and the host is being rebooted. While most software updates are applied without a reboot, certain limited types of updates require a restart.
    http://www.datacenterknowledge.com/a...oud-instances/

  3. #3
    Mystery solved: Amazon obtained detailed information about a serious security hole in Xen, a flaw whose disclosure to the rest of us nobodies will only be released on October 1. Whether that date was arranged with Amazon to accommodate the AWS upgrade is another story.

    Advisory | Public release   | Updated | Version | CVE(s)                  | Title
    XSA-108  | 2014-10-01 12:00 |         |         | assigned, but embargoed | (Prereleased, but embargoed)
    http://xenbits.xen.org/xsa/


    AWS customers know that security and operational excellence are our top two priorities. These updates must be completed by October 1st before the issue is made public as part of an upcoming Xen Security Announcement (XSA). Following security best practices, the details of this update are embargoed until then. The issue in that notice affects many Xen environments, and is not specific to AWS.
    https://aws.amazon.com/blogs/aws/ec2...enance-update/


    For second-class netizens, all that is left is to wait for patches and attacks, not necessarily in that order if the Cloudflare clown once again discloses the flaw before the patch to gain publicity.

  4. #4

    A complaint that makes sense:

    It makes sense to try to limit the damage by giving big companies a chance to fix it before the vulnerability becomes common knowledge, but on the other hand I don't like the further tilting of an already tilted playing field towards large corporations.


    Large companies are better able to survive the damage (both in terms of loss of trust and potential financial liability) than small businesses when there is a breach/hacking. If big companies are given a chance to fix vulnerabilities before everyone else and small businesses are kept in the dark until the vulnerability becomes common knowledge, it will mean small businesses are primarily the ones to get hit when there is an exploit and it will make it that much harder to convince the average person to trust or use a small business rather than the well known household names who didn't get hit because they were forewarned.
    https://vpsboard.com/topic/5364-xen-...al/#entry75687

  5. #5

    Rackspace Reboots Cloud Servers to Apply Xen Security Patch

    Rackspace had a Xen hypervisor-based cloud reboot over the weekend. Last week, Amazon Web Services told customers it was rebooting a small portion of its EC2 fleet for the same reason.

    The reboot is in order to patch a known issue that affects all Xen environments. All cloud providers who use Xen as foundation will undergo some patching over the next few days.

    Given the security-sensitive nature of the problem, Rackspace is withholding some details, citing concerns about customer safety, which was Amazon’s approach as well.

    “Our engineers and developers continue to work closely with our vendors and partners to apply the solution to remediate this issue,” wrote the company. “While we believe in transparent communication, there are times when we must withhold certain details in order to protect you, our customers.”

    The reboot will be necessary for all Standard, Performance 1 and Performance 2 cloud servers within Rackspace’s Infrastructure-as-a-Service offering.

    The reboot started on Sunday and will go on until Wednesday, much like AWS, as the company rolls through different regions one at a time. Maintenance for the next region doesn’t begin until the previous one is complete.

    The company is urging customers to take proactive steps to ensure proper operations after the reboot. Customers should:

    • Verify all necessary services (Apache, IIS, MySQL, etc.) are configured to start on server boot
    • Ensure server images are up-to-date and file-level backups are enabled. Confirm that you have backups of all critical data
    • Confirm that any unsaved changes, such as firewall rules and application configurations, are saved
    Rackspace will communicate with customers via email and a status page.
    http://www.datacenterknowledge.com/a...oot-for-cloud/

  6. #6


    Advisory: XSA-108
    Public release: 2014-10-01 12:00
    Updated: 2014-10-01 12:02
    Version: 4
    CVE(s): CVE-2014-7188
    Title: Improper MSR range used for x2APIC emulation

    Files:
      advisory-108.txt (signed advisory file)
      xsa108.patch

    Advisory:

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Xen Security Advisory CVE-2014-7188 / XSA-108
    version 4

    Improper MSR range used for x2APIC emulation

    UPDATES IN VERSION 4
    ====================

    Public release.

    ISSUE DESCRIPTION
    =================

    The MSR range specified for APIC use in the x2APIC access model spans
    256 MSRs. Hypervisor code emulating read and write accesses to these
    MSRs erroneously covered 1024 MSRs. While the write emulation path is
    written such that accesses to the extra MSRs would not have any bad
    effect (they end up being no-ops), the read path would (attempt to)
    access memory beyond the single page set up for APIC emulation.

    IMPACT
    ======

    A buggy or malicious HVM guest can crash the host or read data
    relating to other guests or the hypervisor itself.

    VULNERABLE SYSTEMS
    ==================

    Xen 4.1 and onward are vulnerable.

    Only x86 systems are vulnerable. ARM systems are not vulnerable.

    MITIGATION
    ==========

    Running only PV guests will avoid this vulnerability.

    CREDITS
    =======

    This issue was discovered by Jan Beulich at SUSE.

    RESOLUTION
    ==========

    Applying the attached patch resolves this issue.

    xsa108.patch xen-unstable, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x

    $ sha256sum xsa108*.patch
    cf7ecf4b4680c09e8b1f03980d8350a0e1e7eb03060031788f972e0d4d47203e  xsa108.patch
    $
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.12 (GNU/Linux)

    iQEcBAEBAgAGBQJUK+1fAAoJEIP+FMlX6CvZ6cwH+wdcnTCTdyAMc8bmQv+IxrMN
    ue5rBYdX0b7CnnC2uCrwPssygna2cxTcVhJsU0eZk5OVrIU5rQ3PKtmFtxMwa3WS
    my/vtyftTmoxAzftUKgpDFeicmZXlot3aowfRIiIc+GFZ59zAjDL2yQ0xMR1mJio
    7SXl+dkcUPj5nXaeK1gFozJ8XNF+wArNQUPv0xUBIg4NSjQyqa7CMCZ5Q3IuJ53S
    hKY37/MSoOViDORDPkeVr3BoSb7atYZSPwibqEUjeL5f+eXyVkbD0MkLQgu1ERtZ
    p+dc+DTaRYm77LrDM+npZ+j1uSoVqdVzXtNYe6GZmbNRVXjbhJ+gJyJBcpy/a5Q=
    =m0tK
    -----END PGP SIGNATURE-----

    Xenproject.org Security Team
    Last edited by 5ms; 01-10-2014 at 17:46.
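The following is an added C model of the read path XSA-108 describes; it is not Xen's code and not part of the post above. The counts (256 architectural x2APIC MSRs versus the 1024 the handler covered) come from the advisory; the mapping of MSR 0x800 + n to byte offset n << 4 of the 4 KiB APIC register page is the architectural x2APIC/xAPIC correspondence. The struct, function names, return codes and sample register values are constructed for this model, which reports the would-be overrun as an error instead of performing it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added model of the XSA-108 read path (not Xen's code). In the x2APIC
 * access model MSR 0x800 + n corresponds to byte offset n << 4 of the
 * 4 KiB APIC register page, so only n in 0..255 (256 MSRs) lands inside
 * the page; a handler that accepts n up to 1023 (1024 MSRs) computes
 * offsets up to 0x3FF0, three pages past the one it emulates. */

#define MSR_IA32_APICBASE_MSR 0x800u   /* first x2APIC MSR */
#define APIC_PAGE_SIZE        4096u    /* one emulated APIC register page */
#define X2APIC_MSR_COUNT_REAL 256u     /* architectural range: 0x800..0x8FF */
#define X2APIC_MSR_COUNT_BUG  1024u    /* range the buggy handler covered */

#define MSR_READ_OK   0   /* value returned to the guest */
#define MSR_READ_GP  -1   /* MSR not handled here: guest gets #GP */
#define MSR_READ_OOB -2   /* handler would read past the APIC page */

/* Emulated APIC register page of one vCPU (constructed for this model). */
struct vlapic {
    uint8_t regs[APIC_PAGE_SIZE];
};

/* Shared emulation logic; msr_count is the size of the range the handler
 * claims. The bounds check before the memcpy is what turns the overrun
 * into a reported error here; the pre-fix hypervisor performed the read. */
static int x2apic_msr_read(const struct vlapic *v, uint32_t msr,
                           uint32_t msr_count, uint32_t *out)
{
    if (msr < MSR_IA32_APICBASE_MSR ||
        msr >= MSR_IA32_APICBASE_MSR + msr_count)
        return MSR_READ_GP;

    uint32_t offset = (msr - MSR_IA32_APICBASE_MSR) << 4;
    if (offset + sizeof(uint32_t) > APIC_PAGE_SIZE)
        return MSR_READ_OOB;

    memcpy(out, v->regs + offset, sizeof *out);
    return MSR_READ_OK;
}

/* Pre-XSA-108 behaviour: the handler claims 1024 MSRs. */
int x2apic_msr_read_vulnerable(const struct vlapic *v, uint32_t msr,
                               uint32_t *out)
{
    return x2apic_msr_read(v, msr, X2APIC_MSR_COUNT_BUG, out);
}

/* Patched behaviour: the handler claims only the 256 architectural MSRs. */
int x2apic_msr_read_fixed(const struct vlapic *v, uint32_t msr,
                          uint32_t *out)
{
    return x2apic_msr_read(v, msr, X2APIC_MSR_COUNT_REAL, out);
}

/* Constructed sample state: APIC ID (page offset 0x20, MSR 0x802) and
 * version (offset 0x30, MSR 0x803) registers with arbitrary values. */
struct vlapic *sample_vlapic(struct vlapic *v)
{
    uint32_t id = 7, ver = 0x00050014;
    memset(v, 0, sizeof *v);
    memcpy(v->regs + 0x20, &id, sizeof id);
    memcpy(v->regs + 0x30, &ver, sizeof ver);
    return v;
}

int main(void)
{
    static struct vlapic v;
    static const uint32_t probes[] = { 0x802, 0x8FF, 0x900, 0xBFF, 0xC00 };
    sample_vlapic(&v);

    /* Probe the last in-range MSR, the first MSR past the page, the last
     * MSR the buggy handler accepted, and one the handler never claimed. */
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        uint32_t val = 0;
        int vuln = x2apic_msr_read_vulnerable(&v, probes[i], &val);
        int fixed = x2apic_msr_read_fixed(&v, probes[i], &val);
        printf("MSR 0x%03X: page offset 0x%04X  vulnerable=%2d  fixed=%2d\n",
               probes[i], (probes[i] - MSR_IA32_APICBASE_MSR) << 4,
               vuln, fixed);
    }
    return 0;
}
```

The only difference between the two entry points is the upper bound of the `case` range; everything a guest can reach through MSR 0x900 to 0xBFF in the vulnerable variant is memory that sits after the emulated page, which is the cross-guest and hypervisor data leak the advisory's IMPACT section describes. Note that the MITIGATION (PV guests only) works because the path is only reachable from HVM guests executing RDMSR.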
