XCP-ng Security Bulletin

Security Aug 15, 2018

Latest news regarding security on XCP-ng! For this first bulletin, it's all about Foreshadow vulnerability, but also a specific XAPI problem. Take time to read it or at least stay up-to-date!


Also known as "L1 Terminal Fault speculative side channel" or even shorter: Foreshadow.

The most interesting details are available here.

In short, with Intel CPUs and if you don't have a control on each of your VM (ie: you are selling VPS services), this can cause a major confidentiality risk. Indeed, people in those VMs will be able to read data in RAM, outside their own VM.


This is a XAPI HTTP security issue, leading to potential acccess of the whole root access for the dom0 (and all its VMs).

Note: fresh XCP-ng installs aren't impacted because it's caused by a dedicated folder used with Citrix hotfixes.

All the vulnerability details are available here.

Solution: just update

Please keep your XCP-ng hosts up-to-date. RPMs are already available!

Remember you can update from the command line with yum update, but also use Xen Orchestra to do it on your whole pool just by clicking on "Install pool patches"! If you want to remember this, don't forget about our official Wiki.

You can see the list of updates in the host view:


Olivier Lambert

Vates CEO & co-founder, Xen Orchestra and XCP-ng project creator. Enthusiast entrepreneur and Open Source advocate. A very happy Finnish Lapphund owner.