XSA-213 fixes a 64-bit PV guest breakout via pagetable use-after-mode-change. XSA-214 fixes a page transfer that allows a PV guest to elevate privileges. XSA-215 fixes a privilege escalation via failsafe callback. The Xen Project Blog describes this set of security patches and references a Live Patching feature in Xen 4.7. Given the increased frequency of security vulnerabilities in Xen, we’ll be evaluating live patching. As with the prior security patches we applied, these bugs were discovered by Jann Horn from Google Project Zero.
Our average downtime this maintenance cycle was 35 minutes. The longest host server took 67 minutes, while the shortest took 15 minutes. This was less total downtime than previous maintenance windows, representing incremental improvements in our patching process. We also used this maintenance window to decommission two servers with HDDs, consolidating them onto a new one with SSDs. This is the same server we consolidated onto in our last maintenance window.