February 2022 Security Update

A security update is available for the only currently supported release of XCP-ng: 8.2 LTS.

To update, follow this guide. You can also join the discussion on our community forum. A host reboot is necessary after this update.

Summary

Several vulnerabilities have been discovered and fixed in Xen.

To address them, we released updates for this component in XCP-ng.

Intel also disclosed hardware vulnerabilities in its CPUs. This update includes the new microcode Intel released to address them.

Impact

Due to the vulnerabilities in Xen:

  • privileged code in a PV VM may cause the host to crash;
  • privileged code in a VM using PCI passthrough may cause the host to crash.

Regarding Intel's microcode update, the main fix that might matter in the context of XCP-ng is related to the information disclosure made possible by the vulnerabilities in the affected CPUs. Other flaws fixed by the update are described in Red Hat's report referenced below.

References