That Xen hypervisor vulnerability is sparking another reboot — this time of IBM SoftLayer’s cloud. Users got a notice from SoftLayer early Wednesday morning, 12 hours in advance of a restart to come at 10 AM CT. The message header was “VSI Hypervisor Upgrade and Reboot – All Locations.”
What’s particularly troublesome for SoftLayer partners and customers — one of whom contacted me — is that SoftLayer is on the same Xen predisclosure list as Amazon Web Services and Rackspace, which both launched reboots late last week and over the weekend. Amazon alerted its customers last Wednesday and Rackspace two days later.
In its email to customers, SoftLayer said the issue lies in “some of our hypervisor nodes which are used to provide Virtual Server Instances (VSIs) and [we] have determined that some of them will require reboots and upgrades to remediate against the potential security vulnerability.”
At least one customer feels that 12 hours’ notice for something that was known to the vendor much earlier is insufficient. While AWS and Rackspace public clouds rely on Xen, customized for their purposes, SoftLayer uses a variety of hypervisors, including Xen. IBM posted this update Wednesday afternoon. IBM was added to the Xen.org predisclosure list September 29, while AWS and Rackspace were already on it.
RBC analysts characterized the impact of AWS and Rackspace’s reboots as minimal, but you don’t have to go far to find at least one really irritated Rackspace user who forcefully argued otherwise.
Security vulnerabilities pose a quandary for IT vendors. These suppliers need to be as transparent as possible with customers about patches and upgrades, without revealing too much about the underlying security issue, something Rackspace CEO Taylor Rhodes noted in an apology posted Wednesday. But smart cloud users should probably double-check that predisclosure list for their vendor’s name and, if that vendor has not already issued an alert/reboot, get on the phone to see what’s up.
Note: This story was updated at 11:55 a.m. PST to add a link to IBM’s post about the reboots and again at 6:08 a.m. October 3 to show IBM was added to the Xen.org predisclosure list on September 29.