Today the XEN development team announced a vulnerability concerning a privilege escalation found in a specific combination of Xen versions and newer Intel chips. We are preparing to remove this vulnerability today.
In non-technical terms this means that it is theoretically possible for a VPS admin to gain access to the virtualisation layer underlying your VPSes. This means it would be possible to control a large number of virtual servers, once someone has access to the virtualisation layer.
Because we have been using AMD processors for the last couple of years only our older clusters are affected by this vulnerability. In order to counter this risk today, we will be performing emergency maintenance to our hosting infrastructure. The XEN team has kindly provided us with a software patch, which we will apply and install tonight.
We would like to stress that none of our servers have been compromised at this time. The same seems true for our competitors, many of which use Xen as well.
Software upgrade older clusters
As part of this maintenance, we will upgrade the software with a version which has been patched and is therefore not vulnerable to this attack anymore.
For this patch to be installed, we will have to shut down all physical servers running the XEN software, shut down all VPSes running on those physical servers and restart everything after having installed the update.
Effect on your VPS
In order to update the physical servers in our older clusters featuring this vulnerability, we will have to restart your VPS. This means it will be unavailable for some time, causing your websites and mail to be temporarily off-line.
The upgrade procedure will start at 22:00 tonight, 12 june 2012 and is expected to end somewhere around 04.00 in the morning. We expect the downtime per VPS to be anywhere between 30 and 60 minutes.
All VPSes in the following ranges are affected:
1.000 – 1.999
2.000 – 2.999
3.000 – 3.999
5.000 – 5.999
Apart from these VPSes, another 40 VPSes in the 6.000 – 7.999 range are affected.
All customers with a VPS in the abovementioned ranges, as well as the 40 other VPSes will be informed by mail. Regular updates will be given via Twitter, on https://twitter.com/cloudvpsnetwork, including the ranges currently undergoing updates. For a more technical description of the vulnerability, please read the advisory: http://lists.xen.org/archives/html/xen-devel/2012-06/msg00670.html
Problems and questions
If you have any questions regarding this maintenance, or if you encounter problems with your VPS after 06:00 on 13 june 2012, please contact firstname.lastname@example.org.