Options to address CVE-2017-5753 on XEN platforms


Environment

  • Red Hat Enterprise Linux 5 (Xen host and guest)
  • Red Hat Enterprise Linux 6 (Xen guest)

Issue

  • I’m concerned about the recent security vulnerability incidents; what can be done for my Xen-hosted systems?
  • Can CVE-2017-5753 be fixed for Xen machines?

Resolution

Three CVEs were recently made public (CVE-2017-5754, CVE-2017-5753, CVE-2017-5715) that allow a local attacker to access unauthorized data. CVE-2017-5753 documents the variant of this attack that allows virtualized guests to interact with the host and with other guests on the same physical system.

Red Hat’s currently supported virtualization platforms, based on the KVM hypervisor, will have published errata correcting the issue. Red Hat’s older virtualization platform codebase (Xen) has technical limitations that prevent fully addressing these three vulnerabilities, particularly CVE-2017-5715. Some level of risk will exist for hypervisors and guests that use Xen paravirtualization (PV guests).

More recent versions of upstream Xen do allow for a more complete solution, but it is not feasible to apply this solution to the version of Xen shipped with Red Hat Enterprise Linux 5. Cloud providers that use the Xen hypervisor, however, have an option to secure paravirtualized guests running on their servers.

Xen also supports running guests under hardware virtualization (HVM guests). HVM guests do not have the same limitations as PV guests, and a fix for all three vulnerabilities could be prepared for Red Hat Enterprise Linux 5; however, most of our customers running Xen rely on it for its paravirtualized guest support. Therefore, Red Hat currently is not providing errata to correct the issue for HVM guests either.

Customers are advised to take a risk-based approach to mitigating this issue. Systems running within Xen that require a high degree of security and trust should be addressed first, and should be physically isolated from untrusted systems.

Type of system: Red Hat Enterprise Linux running as a Xen server
Recommended approach: Xen PV is not fixable for the above CVEs, and Red Hat currently is not providing errata to correct the issue for HVM either. Red Hat recommends that subscribers migrate to more modern virtualization platforms that can be fixed. Please refer to the Converting a Xen Linux virtual machine to KVM article for migration.

Type of system: Red Hat Enterprise Linux running as a guest of a cloud provider
Recommended approach: Contact the Xen provider for the options available.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.


Thank you for the specific article.
Could I ask please for more detail about what is seen as the cut-off for 'more upstream versions of Xen'? What is the last Xen version that Red Hat used before moving to KVM?
We are concerned that this article implies there is no value at all in patching PV guests.
Is that true, or does patching mitigate to some extent? https://www.centos.org/forums/viewtopic.php?f=13&t=65602 suggests a non-zero risk of bricking VMs by patching.
How about PV guests running on in-house (as opposed to cloud-hosted) Xen? A kernel-xen.x86_64 guest on Citrix Xen 6.1, for example? Thank you!