From Thursday, March 30th through Monday, April 3rd, we performed unavoidable system maintenance to patch CVE-2017-7228 / XSA-212. XSA-212 fixes an insufficient check on the input to the XENMEM_exchange memory operation, which permitted PV guest kernels to write to hypervisor memory outside of the provided input/output arrays.

This bug was discovered by Jann Horn and is explained in detail in the Project Zero post "Pandavirtualization: Exploiting the Xen hypervisor".

Given that XSA-212 meant unavoidable downtime, we used the opportunity to perform some cleanup work resulting from our February 7th PDU failure. As we stated in that retrospective, we purchased and brought on-site spare and replacement power equipment. On the Saturday of our maintenance window we replaced our half-broken PDU with a fully working spare. We also pulled the remaining dead power equipment.

Xen has also recently seen a number of security issues related to the emulated VGA device (XSA-211, XSA-209, XSA-208, and XSA-179). As a precaution, we’ve disabled VGA entirely for HVM VPSes.
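Disabling the emulated VGA adapter is only effective if it actually holds for every HVM domain on every host. The following audit script is an added example, not prgmr.com's own tooling: it parses xl domain configuration files and lists HVM guests that would still get a device-model VGA adapter. It assumes the xl.cfg conventions that an HVM guest is declared with `type = "hvm"` (or the older `builder = "hvm"`), that `vga = "none"` disables the emulated adapter, and that an omitted `vga` key falls back to the emulator's default (assumed here to be `cirrus`); the four configurations embedded below are constructed samples.

```python
"""Audit xl domain configs for HVM guests that still expose an emulated VGA.

Added example, not prgmr.com's tooling. Assumes the xl.cfg keys
``type``/``builder`` (= "hvm") and ``vga`` (= "none" to disable the
emulated adapter); the sample configs below are constructed.
"""
import re
from typing import Dict, List

# One scalar xl.cfg assignment: key = "value" | 'value' | bareword.
# A trailing "# comment" is ignored because the match stops at the value.
_ASSIGN = re.compile(
    r"""^\s*([A-Za-z_]\w*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^#\s]+))"""
)

# Emulator default assumed when the config does not set ``vga`` at all.
DEFAULT_VGA = "cirrus"


def parse_xl_config(text: str) -> Dict[str, str]:
    """Return the scalar key/value pairs of an xl domain config.

    Full-line comments and list values such as ``disk = [...]`` are
    skipped; the audit only needs scalar keys.
    """
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        m = _ASSIGN.match(line)
        if not m:
            continue
        key = m.group(1).lower()
        value = next(g for g in m.groups()[1:] if g is not None)
        cfg[key] = value
    return cfg


def is_hvm(cfg: Dict[str, str]) -> bool:
    """HVM if either the newer ``type`` or the older ``builder`` key says so."""
    return cfg.get("type", cfg.get("builder", "")).lower() == "hvm"


def vga_exposed(cfg: Dict[str, str]) -> bool:
    """True when an HVM guest would be given an emulated VGA adapter."""
    if not is_hvm(cfg):
        return False  # PV guests have no device model, nothing to audit
    return cfg.get("vga", DEFAULT_VGA).lower() != "none"


def audit(configs: Dict[str, str]) -> List[str]:
    """Return the names of HVM guests that still expose an emulated VGA."""
    flagged = []
    for path, text in configs.items():
        cfg = parse_xl_config(text)
        if vga_exposed(cfg):
            flagged.append(cfg.get("name", path))
    return flagged


# Constructed sample configs, keyed by a hypothetical file name.
SAMPLE_CONFIGS = {
    "hvm-legacy.cfg": 'builder = "hvm"\nname = "hvm-legacy"\nmemory = 1024\nvga = "cirrus"\n',
    "hvm-fixed.cfg": 'type = "hvm"\nname = "hvm-fixed"\nvga = "none"  # emulated VGA disabled\n',
    "hvm-default.cfg": 'type = "hvm"\nname = "hvm-default"\n# no vga key: emulator default applies\n',
    "pv-guest.cfg": 'name = "pv-guest"\nkernel = "/boot/vmlinuz"  # PV guest, no device model\n',
}

if __name__ == "__main__":
    for name in audit(SAMPLE_CONFIGS):
        print(f"{name}: HVM guest still has an emulated VGA adapter")
```

Run against a real fleet by reading each file under the host's domain config directory into the `configs` mapping; a guest that appears in the output either sets `vga` to something other than `none` or omits the key and inherits the emulator default.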

Additionally, we consolidated two servers with HDDs onto a new one with SSDs. This new server has enough additional capacity to absorb two other servers, which we’ll consolidate in a future maintenance window.