March 2023 Security Update

Security Mar 23, 2023

New security and bugfix updates are available for the only currently supported release of XCP-ng: 8.2 LTS.

📔

To update, follow this guide. You can also join the discussion on our community forum. Host reboots are necessary after this update.

📋 Summary

Some vulnerabilities have been discovered in the Xen hypervisor, so we published updates to address them. You can read more on these in the descriptions below.

🔒 Fixed vulnerabilities

🔸XSA-427: "Guests running in shadow mode and being subject to migration or snapshotting may be able to cause Denial of Service and other problems, including escalation of privilege". This vulnerability concerns old platforms (Nehalem/Bulldozer families and older) which do not have Hardware Assisted Paging facilities (EPT/NPT), or modern platforms where this extension is disabled by the firmware or the system software. This also concerns PV guests, which are not supported anymore, since XCP-ng 8.1.

🔸XSA-428: "Entities controlling HVM guests can run the host out of resources or stall execution of a physical CPU for effectively unbounded periods of time, resulting in a Denial of Service (DoS) affecting the entire host. Crashes, information leaks, or elevation of privilege cannot be ruled out".
On the platforms managed by XCP-ng software, with regard of this fix, we would rather talk of "defense in depth", as the only entity controlling HVM guests is a trusted piece of software (QEMU) running in a trusted domain (dom0).

🔸XSA-429: The patch completes the original Spectre/Meltdown mitigation work (XSA-254). A malicious PV guest might be able to infer the contents of arbitrary host memory, including memory assigned to other guests. Only AMD and Hygon CPUs which offer SMEP/SMAP facilities are affected. XCP-ng is not affected in a supported configuration, as PV guests are not officially supported. We still fixed the vulnerability in a "best effort" approach, but we remind you that anyone still running PV guests should convert them to HVM.