
October 2022 Security Update

Security Oct 14, 2022

New security, bugfix and enhancement updates are available for the only currently supported release of XCP-ng: 8.2 LTS.

📔 To update, follow this guide. You can also join the discussion on our community forum. Host reboots are necessary after this update.

⚠️ If you haven't installed the 8.2.1 update yet and want to update through Xen Orchestra's Rolling Pool Update, make sure your XOA version is at least 5.69.2, otherwise VMs may fail to migrate.

📋 Summary

Several vulnerabilities have been discovered and fixed in the Xen hypervisor and in the XAPI toolstack.

To address them, we release updates for these components in XCP-ng.

In addition to this, updated AMD microcode is provided.

🔒 Fixed vulnerabilities

Here is the list of all vulnerabilities that have been fixed:

XSA-410 (Xen Hypervisor)

XSA-411 (Xen Hypervisor)

XSA-413 (XAPI toolstack)

  • An unauthenticated attacker on the management network may be able to stop users from accessing the XAPI HTTP interface, disrupt work in progress, and cause a XAPI toolstack Denial of Service. Any guests that need toolstack operations would likewise be impacted by such a DoS.
  • Reference: https://xenbits.xen.org/xsa/advisory-413.html

🐛 Bugfixes

Xen Hypervisor

The following issues were fixed:

  • VMs can sometimes freeze when graphics-intensive applications run
  • The guest UEFI firmware may occasionally hang

XAPI

  • When a VIF was active and connected to dom0, that VIF and its associated network (including a VLAN) could not be deleted.
  • When a certificate contained the \r character, the xe host-get-server-certificate command could output it incorrectly.
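As an added illustration of the \r problem above (example code, not XCP-ng's or XAPI's own), the following Python shows the kind of check a practitioner can run on certificate text obtained from a host: detect stray carriage returns, normalise the line endings, and confirm that each PEM block still decodes to something shaped like DER. SAMPLE_OUTPUT is a constructed stand-in with a tiny fake DER body, not real command output or a real certificate.

```python
"""Detect and normalise stray \r characters in PEM certificate text.

Added example; not part of XCP-ng or XAPI. SAMPLE_OUTPUT is constructed.
"""
import base64
import re

# Constructed stand-in for what a certificate-dumping command might print,
# with CRLF line endings and a 5-byte fake DER body (a minimal SEQUENCE).
_FAKE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
SAMPLE_OUTPUT = (
    "-----BEGIN CERTIFICATE-----\r\n"
    + base64.b64encode(_FAKE_DER).decode("ascii")
    + "\r\n-----END CERTIFICATE-----\r\n"
)

# Matches one PEM certificate block after line endings have been normalised.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\n(?P<body>[A-Za-z0-9+/=\n]+?)\n-----END CERTIFICATE-----"
)


def has_stray_cr(text: str) -> bool:
    """True if the text contains any carriage return character."""
    return "\r" in text


def normalise_pem(text: str) -> str:
    """Convert CRLF and lone CR to LF and strip trailing whitespace per line."""
    text = text.replace("\r\n", "\n").replace("\r", "\n")
    return "\n".join(line.rstrip() for line in text.split("\n")).strip() + "\n"


def check_pem_certificates(text: str) -> list:
    """Return one record per PEM block found in the (normalised) text.

    Each record reports the decoded DER length and whether the first byte is
    0x30 (ASN.1 SEQUENCE), which every X.509 certificate starts with.
    """
    results = []
    for match in PEM_RE.finditer(normalise_pem(text)):
        b64 = "".join(match.group("body").split())
        try:
            # validate=True rejects characters outside the base64 alphabet.
            der = base64.b64decode(b64, validate=True)
            looks_like_der = len(der) > 2 and der[0] == 0x30
        except ValueError:  # binascii.Error is a ValueError subclass
            der, looks_like_der = b"", False
        results.append({"der_len": len(der), "looks_like_der": looks_like_der})
    return results


if __name__ == "__main__":
    print("stray CR present:", has_stray_cr(SAMPLE_OUTPUT))
    print("after normalisation:", has_stray_cr(normalise_pem(SAMPLE_OUTPUT)))
    print(check_pem_certificates(SAMPLE_OUTPUT))
```

The normalisation step runs before parsing on purpose: a PEM block whose lines end in \r\n is still base64 between its markers, so the useful check is that the body decodes and starts with an ASN.1 SEQUENCE, not merely that the markers are present.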

✨ Enhancements

AMD microcode

  • AMD microcode is updated to version 2022-09-30
  • Note: updating your hardware's firmware always remains the preferred way to update microcode, and any newer microcode found in the firmware will take precedence over the microcode we provide in XCP-ng.
