December 2022 Security Update

New security and bugfix updates are available for the only currently supported release of XCP-ng: 8.2 LTS.

📔 To update, follow this guide. You can also join the discussion on our community forum. Host reboots are necessary after this update.

📋 Summary

Several vulnerabilities have been discovered and fixed in the controller domain's Linux kernel (Dom0), more specifically in the component which handles networking with paravirtualized drivers in HVM guests.

To address them, we release updates for this very component in XCP-ng.

In addition to this, a few bugs are fixed by this kernel update, an updated Intel microcode is provided (IPU 2022.3), and minor fixes are brought to the Xen hypervisor.

🔒 Fixed vulnerabilities

Privileged code in a VM may be able to cause a host to crash or become unresponsive, via the paravirtualized network devices. Either willingly (malicious code), or unwillingly: the issue was reported for at least some Broadcom NetXtreme2 drivers and Cisco ENIC drivers.

References:

🐛 Bugfixes

Here is the list of bug fixes per component.

Linux kernel

The updated kernel package does not just fix the above vulnerabilities: there are also bug fixes.

  1. A host could become unresponsive or even sometimes crash after a mounted SMB share would be unexpectedly disconnected (NULL pointer dereference in the Linux kernel).
  2. There was no display at all on some hardware, such as recent Intel NUC devices, due to the Linux kernel being unable to handle "64bit linear framebuffers" correctly. This update fixes the issue for an installed system, but updated installation ISOs will be necessary to fix this during the installation process. Until new installation ISOs are provided for XCP-ng 8.2.x in the future, there are a few workarounds: automate the installation with an answerfile, use a serial console, or install the already very stable (but not yet for production) XCP-ng 8.3 alpha, which already has this fix as well as updated drivers for the networking devices commonly found in the hardware affected by this issue.

Xen

Minor bugfixes were brought to the Xen hypervisor.

✨ Other changes

The only things left are related to a new Intel microcode.

Intel microcode

  • Intel microcode is updated to version IPU 2022.3
  • Updated microcode is provided as a convenience to help mitigate hardware vulnerabilities.
  • Note: updating your hardware's firmware always remains the preferred way to update microcode, and any newer microcode found in the firmware will take precedence over the microcode we provide in XCP-ng.
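Added example (not from the XCP-ng post): a small POSIX shell check to run after the reboot that reads the microcode revision the CPUs actually report and compares it with the revision you expect from the package; because firmware-provided microcode takes precedence, a higher revision than expected is accepted. The expected revision value, the helper names and the cpuinfo sample are assumptions.

```shell
#!/bin/sh
# Post-update microcode check for a Linux/x86 host such as XCP-ng Dom0.
# Reads the "microcode" field of every CPU from /proc/cpuinfo-style text.

# Print the distinct microcode revisions reported by all CPUs.
# $1: text in /proc/cpuinfo format
microcode_revisions() {
    printf '%s\n' "$1" | awk -F': *' '$1 ~ /^microcode/ { print $2 }' | sort -u
}

# Succeed only if every CPU reports the same revision (no partially
# updated package, no CPU left on an older revision).
microcode_consistent() {
    [ "$(microcode_revisions "$1" | wc -l | tr -d ' ')" -eq 1 ]
}

# Succeed if every CPU runs at least the expected revision. A higher value
# is fine: newer microcode shipped in the platform firmware wins over the
# microcode package, so only a lower value means the update is not active.
# $1: expected revision as hex (e.g. 0xf0); $2: cpuinfo text
microcode_at_least() {
    expected=$(( $1 ))
    status=0
    for rev in $(microcode_revisions "$2"); do
        if [ $(( $rev )) -lt "$expected" ]; then
            echo "CPU reports microcode $rev, expected at least $1"
            status=1
        fi
    done
    return $status
}

# Constructed sample input; on a real host use: $(cat /proc/cpuinfo)
SAMPLE_CPUINFO='processor : 0
vendor_id : GenuineIntel
microcode : 0xf0
processor : 1
vendor_id : GenuineIntel
microcode : 0xf0'

# Placeholder: take the real value from the installed microcode package.
EXPECTED_REV=0xf0

microcode_consistent "$SAMPLE_CPUINFO" || echo "warning: mixed microcode revisions"
microcode_at_least "$EXPECTED_REV" "$SAMPLE_CPUINFO" && echo "microcode OK"
```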

🤝 Cooperation between projects

Although the source code for the packages in this update ultimately came from XenServer developers, XCP-ng was involved at various levels in this update (besides applying it to our own base of code, building it and performing our own QA).

  1. The vulnerability triggered by Cisco ENIC drivers was reported to us by one of our users who also had Citrix Hypervisor hosts. We helped them debug the issue, then encouraged them to report it to both Cisco and Citrix as it was clear that there was a bug to be fixed.
  2. The Samba share issue was debugged with our users and reported to Citrix here: https://bugs.xenserver.org/projects/XSO/issues/XSO-1021
  3. The "64bit linear framebuffers" display issue was a "popular" issue among users of Intel NUC hardware. The relevant patches from the Linux kernel (kernel.org) were identified and tested by those users, and we reported the issue to Citrix here: https://bugs.xenserver.org/browse/XSO-1022