AWS, Rackspace forced to reboot clouds over new Xen flaws

Five unpublished security flaws force emergency measures.

Several cloud providers will be forced to reboot their infrastructure to apply patches for new vulnerabilities discovered in the Xen hypervisor.

Over the weekend, Amazon Web Services said it had to reboot around 10 percent of its Elastic Compute Cloud customer instances. 

The updates would be ready by March 10 United States time (March 11 Australian time), AWS said, with the reboots taking place at different times for regions around the world.

Amazon Workspaces, Relational Database Services instances, Elasticache nodes and Redshift clusters may also need rebooting. Customers will be notified if so, AWS said.

Linode will also perform infrastructure reboots between March 3 and March 10 Australian time.

Rackspace alerted its customers that it would have to reboot "a portion of our first and next generation cloud servers fleet", but didn't provide a timeframe.

There are five pre-released security advisories listed by the Xen Project, the details of which are yet to be published.

Nor has the Xen Project said which versions of the hypervisor are affected. Its latest Xen 4.5 release from January this year underwent a large-scale rewrite that saw 141,000 lines of code removed and several security enhancements introduced.

The Xen Project has a security policy which pre-releases notice of vulnerabilities to large users of the hypervisor before the flaws are made public, to allow affected users to patch their infrastructure against the vulnerabilities.

This is the second mass-reboot of cloud infrastructure following discovery of vulnerabilities in Xen. In September-October last year, AWS and Rackspace were forced to reboot much of their clouds in order to patch against the XSA-108 data leak vulnerability.

Copyright © iTnews.com.au . All rights reserved.