March 2022 Security Update
A security update is available for the only currently supported release of XCP-ng: 8.2 LTS.
📔
To update, follow this guide. You can also join the discussion on our community forum. Hosts reboot necessary after this update.
⚠️
If you haven't installed the 8.2.1 update yet and want to update through Xen Orchestra's Rolling Pool Update, make sure your version is at least 5.69.2, otherwise VMs may fail to migrate.
Summary
Several new vulnerabilities related to speculative execution in CPUs have been recently disclosed.
On an up to date XCP-ng, only AMD CPU models are believed to be affected. In today's updates, Xen has been patched to mitigate this hardware issue.
The update also includes updated microcode for some AMD CPU models.
Impact
On affected hardware, code running in a guest VM may be able to infer the value of data from memory regions reserved to the host or to other guests.
References
- Citrix Hypervisor Security Bulletin
- Xen Security Advisory: XSA-398