February 2022 Security Update
A security update is available for the only currently supported release of XCP-ng: 8.2 LTS.
Several vulnerabilities have been discovered and fixed in Xen.
To address this, we released updates for this component in XCP-ng.
Hardware vulnerabilities in Intel CPUs were also disclosed by Intel. This update includes the new microcode they released to address this.
Due to the vulnerabilities in Xen:
- privileged code in a PV VM may cause the host to crash ;
- privileged code in a VM using PCI passthrough may cause the host to crash.
Regarding Intel's microcode update, the main fix that might matter in the context of XCP-ng is related to the information disclosure made possible by the vulnerabilities in the affected CPUs. Other flaws fixed by the update are described in Red Hat's report referenced below.
- Citrix Hypervisor Security Bulletin
- Xen Security Advisories: XSA-394 and XSA-395
- A good recap of the microcode update, made by Red Hat.