Skip to main content

Xen Security Advisories and How We Handled Them


The Xen security team recently made public three security advisories regarding the Xen Hypervisor. Linode customers are not affected by the issues outlined in the advisories due to proactive maintenance performed by Linode over the past few weeks.

  • XSA-7 – 64-bit PV guest privilege escalation vulnerability
  • XSA-8 – guest denial of service on syscall/sysenter exception generation
  • XSA-9 – PV guest host Denial of Service (AMD erratum #121)

The Xen blog has a really nice writeup on the issue.

Having to deal with advisories like these is just part of our industry. One of our challenges in just about everything is our scale. Suddenly a required update means wrangling thousands of machines and causing a huge disruption for our customers.

These specific advisories had the potential to affect our entire fleet, however we were able to devise a clever plan which put the number of affected Linodes into the minority. The plan combined: 1) A rush to deploy additional capacity reserves across all facilities 2) a reboot/upgrade of only the hosts that would recover the most capacity, and 3) an automated migration queue of only the remaining affected Linodes onto the good capacity. As a result, the majority of customers were unaffected by this maintenance.

Almost everyone in the entire company had a hand in this effort – kudos to the entire team for making this as seamless and streamlined as possible.


Comments (11)

  1. Keith

    Awesome work, Linode!

  2. Mathieu Bourgie

    This is exactly why I’m with Linode. You guys take care of things seamlessly and I don’t have to worry about my server 🙂

    Keep up the excellent work Linode!

  3. Anurag

    A pat on the back for the team!

  4. Jordan

    Nice – I never even noticed.

  5. Jeremy

    Thank you Linode, you handled this very nicely.

  6. Michael

    It had a very modest impact on us, but we did wonder why only a small percentage of our linodes were affected by what we deduced was a security patch. Thanks for the explanation.

  7. Matt

    Well done Linode, awesome!

  8. WindPower

    Well done, and happy almost-birthday Linode!

  9. Nick Kampe

    Nice, I think you handled this well, however, my systems administrator does not.

  10. kuteninja

    Awesome work, couldn’t love you guys more

  11. Matt Rosin

    Undiluted, pure awesomeness.
    Consistent excellence!
    I read about the vulnerability on Slashdot, clicked over to Linode and “yup it’s already fixed”. There is a huge amount of dedication and effort over time that enables you to say that.
    I thank my lucky stars the day I joined Linode.

Leave a Reply

Your email address will not be published. Required fields are marked *