XCP-ng Security Bulletin: kernel update (SACK vulnerability)
A vulnerability in the Linux kernel may allow an attacker to cause the host to crash or trigger an excessive consumption of resources, by sending specially crafted traffic to the host.
There are two CVEs:
- CVE-2019-11477: SACK Panic (the main issue)
- CVE-2019-11478: Excess resource usage (secondary related issue)
If your XCP-ng host is not reachable from such attackers, then you are probably already safe. In any case, it is advised to install the kernel update whenever your schedule allows.
Installing software security updates for the hypervisor
We provide updates for XCP-ng 7.6 and XCP-ng 8.0 RC. An update is also available for XCP-ng 7.5 and will be released officially if we get enough feedback from community members still using this version. Otherwise the above link will stay as a reference for those who need it.
The only package updated is the kernel package. A reboot of the host is required to apply the fix.
As usual, refer to our Updates Howto for update instructions. In short, you have two options:
- using yum update directly on each host
- using Xen Orchestra to install them pool wide with one click in the "Patch" tab of the pool view, clicking on the "Install pool patches" button.
Note: installing the update won't interrupt anything, so you can update confidently in production. It will take effect only after a host reboot.
It's up to you to decide when to reboot your hosts. As usual, always reboot your pool master first. Just be aware that until you decide to reboot, your hosts aren't protected against these attacks.
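Since the fix only becomes active after a reboot, a practical check on a host that has already run the update is whether any kernel package was installed after the host last booted. The following POSIX shell script is an added example, not part of the bulletin or of the XCP-ng project's tooling; it assumes an rpm-based host with /proc/stat (which XCP-ng is) and that the kernel package is named "kernel", as stated above.

```shell
#!/bin/sh
# Added example (not from the XCP-ng bulletin): detect a pending kernel reboot.
# The comparison is done on epoch seconds, so it does not depend on how the
# kernel version string is formatted on a given XCP-ng release.

# kernel_reboot_pending BOOT_EPOCH INSTALL_EPOCHS
#   BOOT_EPOCH     - host boot time in epoch seconds (the btime field of /proc/stat)
#   INSTALL_EPOCHS - whitespace-separated install times of every installed
#                    kernel package (rpm -q --qf '%{INSTALLTIME}\n' kernel)
# Prints "reboot-pending" and returns 1 if a kernel package was installed after
# the host booted (the running kernel predates it); otherwise prints
# "no-reboot-pending" and returns 0.
kernel_reboot_pending() {
    boot="$1"
    latest=0
    for t in $2; do
        # Several kernel packages may be installed; keep the newest install time.
        if [ "$t" -gt "$latest" ]; then
            latest="$t"
        fi
    done
    if [ "$latest" -gt "$boot" ]; then
        echo "reboot-pending: kernel installed at $latest, host booted at $boot"
        return 1
    fi
    echo "no-reboot-pending: no kernel package installed since boot at $boot"
    return 0
}

# Gather the real values on the host you are checking (run as root on XCP-ng).
check_this_host() {
    boot=$(awk '/^btime/ {print $2}' /proc/stat)
    installs=$(rpm -q --qf '%{INSTALLTIME}\n' kernel)
    kernel_reboot_pending "$boot" "$installs"
}
```

Run check_this_host on each host after the update; a "reboot-pending" result means the host is still running the old kernel and is not yet protected.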
References:
- CVE-2019-11477: https://nvd.nist.gov/vuln/detail/CVE-2019-11477
- CVE-2019-11478: https://nvd.nist.gov/vuln/detail/CVE-2019-11478
- Citrix Hypervisor security bulletin: https://support.citrix.com/article/CTX256725