Over the last few days there has been some concern regarding an announced but not yet published vulnerability in Xen. Some large parties announced urgent maintenance, a security advisory was announced but placed under embargo and several technical news outlets speculated on the severity and impact of this leak.
The embargo was lifted today and the vulnerabilty was published; the good news is that the vulnerabilty was found in a component not used in the CloudVPS setup. Or put differently: This bug doesn’t affect us, we’re not vulnerable.
The reason this bug doesn’t affect us is somewhat technical and has to do with the way Xen handles virtualisation. In short there are two ways to virtualise a server: by full virtualisation and by so-called paravirtualisation. Full virtualisation means the virtual server doesn’t know it’s running in a virtual environment. To this end the entire hardware environment is emulated, including for instance the BIOS and the harddrives.
Paravirtualisation on the other hand doesn’t try to hide the fact that the server is virtualised, in fact it uses this knowledge to its advantage. By not pretending the hardware is real the virtual server can for instance skip the prcess of translating write commands to harddisk instructions and can just pass the information on to the underlying hardware server. This is both much more effective and faster. CloudVPS uses paravirtualisation to run VPSes within Xen.
The leak published today was found in the code for full virtualisation and allows attackers to read information from other environments and even crash the underlying hardware server.
But as said this doesn’t affect us.
For more information on this vulnerability please see the security advisory: