None of our production systems are vulnerable to any of the Xen security advisories announced today. The majority of our host servers were live patched to either fix or work around all the problems found which affected the VPSs running on them.
However, during testing in advance of the maintenance windows, we found that disabling linear (nested) page tables, which was a workaround for XSA-240, caused NetBSD VPSs to crash despite them explicitly being called out as not affected in the original advisory announcement. Unfortunately, a live patch can only be applied for disabling linear page tables, not for fixing the vulnerability. Therefore, host servers running NetBSD VPSs could not be safely live patched.
We believed we were able to identify all NetBSD VPSs in advance of the maintenance windows because, in the Xen key-store database called xenstore, those VPSs set a key called ‘vifname’. It turned out that NetBSD 5, which has been out of support since 2014, did not set this key, and two VPSs had to be moved to a different host server after they crashed. We took the unusual step of parsing console output and identified one additional NetBSD 5 VPS in advance of the remaining maintenance windows. We strongly encourage all customers running NetBSD 5 to upgrade.
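The two-signal inventory described above, as an added example that is not the provider's own tooling: it treats a `vifname` key as the primary marker, falls back to a console boot banner, and reports guests with neither signal as unknown instead of assuming they are safe to live patch. The `xenstore-ls -f` style dump, the key paths, the domain ids and the console text are all constructed assumptions.

```python
import re

# Constructed sample in `xenstore-ls -f` style; paths and values are illustrative.
XENSTORE_DUMP = '''\
/local/domain/11/name = "vps-a"
/local/domain/11/device/vif/0/vifname = "xennet0"
/local/domain/12/name = "vps-b"
/local/domain/12/device/vif/0/mac = "00:16:3e:00:00:12"
/local/domain/13/name = "vps-c"
/local/domain/13/device/vif/0/mac = "00:16:3e:00:00:13"
/local/domain/14/name = "vps-d"
'''

# Constructed console captures keyed by domain id; domain 14 has none.
CONSOLE = {
    "12": "Copyright (c) 1996, 1997 The NetBSD Foundation, Inc.\n"
          "NetBSD 5.1 (XEN3_DOMU) #0: constructed banner\n",
    "13": "Linux version 4.9.0 (constructed banner)\n",
}

KEY_RE = re.compile(r'^/local/domain/(\d+)/(\S+) = "(.*)"$')
NETBSD_RE = re.compile(r'^NetBSD \d+\.\d+', re.MULTILINE)

def parse_xenstore(dump):
    """Map each domain id to the set of leaf key names it has in xenstore."""
    keys = {}
    for line in dump.splitlines():
        m = KEY_RE.match(line.strip())
        if m:
            leaf = m.group(2).rsplit("/", 1)[-1]
            keys.setdefault(m.group(1), set()).add(leaf)
    return keys

def classify(dump, consoles):
    """Label every guest; a missing marker alone never means 'not NetBSD'."""
    result = {}
    for domid, names in parse_xenstore(dump).items():
        text = consoles.get(domid)
        if "vifname" in names:
            result[domid] = "netbsd:xenstore"   # primary signal
        elif text is None:
            result[domid] = "unknown"           # no evidence either way
        elif NETBSD_RE.search(text):
            result[domid] = "netbsd:console"    # caught only by the fallback
        else:
            result[domid] = "other"
    return result

if __name__ == "__main__":
    for domid, label in sorted(classify(XENSTORE_DUMP, CONSOLE).items()):
        print(domid, label)
```

Guests labelled `unknown` are the ones to check by hand before a maintenance window, since a missing key is exactly how the NetBSD 5 guests were missed.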