July 2023 Security Update - Zenbleed

New security and bugfix updates are available for the only currently supported release of XCP-ng: 8.2 LTS.

📔
To update, follow this guide. You can also join the discussion on our community forum. Host reboots are necessary after this update.

📋 Summary

Several vulnerabilities have been discovered in AMD CPUs and are addressed by a microcode update.

In addition to this, Xen is updated for small improvements.

⚠️
The updated microcode is provided as a convenience to help mitigate hardware vulnerabilities and other bugs.
Updating your hardware's firmware remains the preferred way to update microcode, and any newer microcode found in the firmware will take precedence over the microcode we provide in XCP-ng.

🔒 Fixed vulnerabilities

A hardware flaw called Zenbleed that corrupts the vector registers was found by Google researchers.

With very low probability, corruption of the vector registers can occur.
This data corruption causes miscalculations in subsequent logic.

This flaw allows an attacker to access data from many contexts on the same core. Examples of such data include key material, ciphertext and plaintext from the AES-NI instructions, or the contents of REP-MOVS instructions, commonly used to implement memcpy().

This bug is specific to the AMD Zen2 microarchitecture. AMD do not believe that other microarchitectures are affected.

AMD disclosed an information disclosure vulnerability, addressed by Xen Project's XSA-433 advisory and fixed in the updated Xen we provide.
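Since the fix is microcode and the microcode actually in use depends on what the host firmware already carries, an administrator will want to confirm two things after rebooting: that the host is a Zen 2 part at all, and which microcode revision is loaded. The script below is an added example, not XCP-ng's own tooling; it parses /proc/cpuinfo-style text, identifies AMD family 0x17 Zen 2 models (model ranges assumed from the Linux kernel's Zenbleed handling, to be confirmed against your vendor's advisory), and compares the loaded revision against a caller-supplied minimum, for which the sample value below is a placeholder.

```shell
#!/bin/sh
# Added example, not XCP-ng's own tooling: report whether a host CPU is an
# AMD Zen 2 part (the microarchitecture Zenbleed is specific to) and which
# microcode revision is loaded. Zen 2 model ranges are assumed from the
# Linux kernel's Zenbleed handling; confirm against your vendor's advisory.

# Constructed sample in the shape of the first CPU block of /proc/cpuinfo
# on an EPYC 7002 (Rome) host; the microcode value is made up.
SAMPLE_CPUINFO='vendor_id : AuthenticAMD
cpu family : 23
model : 49
model name : AMD EPYC 7302 16-Core Processor
microcode : 0x8301038'

# cpuinfo_field KEY TEXT: value of the first "KEY : value" line in TEXT
cpuinfo_field() {
    printf '%s\n' "$2" | sed -n "s/^$1[[:space:]]*:[[:space:]]*//p" | head -n 1
}

# is_zen2 TEXT: exit 0 if the CPU is AMD family 0x17 in a Zen 2 model range
is_zen2() {
    vendor=$(cpuinfo_field vendor_id "$1")
    family=$(cpuinfo_field 'cpu family' "$1")
    model=$(cpuinfo_field model "$1")
    [ "$vendor" = AuthenticAMD ] && [ "$family" = 23 ] || return 1
    # model in hex; Zen 2 is 0x30-0x3f, 0x60-0x6f, 0x70-0x7f, 0xa0-0xaf (assumed)
    case $(printf '%02x' "${model:-0}") in
        3?|6?|7?|a?) return 0 ;;
        *) return 1 ;;
    esac
}

# zen2_check TEXT MIN_REV: print a verdict; exit 0 when the CPU is not
# Zen 2 or its microcode is at least MIN_REV (hex), exit 1 otherwise.
# On a live host: zen2_check "$(cat /proc/cpuinfo)" MIN_REV  (MIN_REV is a
# placeholder: use the revision your vendor lists as fixed).
zen2_check() {
    ucode=$(cpuinfo_field microcode "$1"); ucode=${ucode:-0}
    if ! is_zen2 "$1"; then
        echo "not Zen 2: Zenbleed microcode check not applicable"
        return 0
    fi
    if [ $(( $ucode )) -ge $(( $2 )) ]; then
        echo "Zen 2, microcode $ucode >= $2: fixed revision loaded"
        return 0
    fi
    echo "Zen 2, microcode $ucode < $2: apply the update and reboot"
    return 1
}
# Demo against the constructed sample with a placeholder minimum revision.
zen2_check "$SAMPLE_CPUINFO" 0x8301038
```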

🐛 Bugfixes

We landed one bugfix for this update, inside Xen itself.

Xen

Correct a flaw affecting VMs running Red Hat Enterprise Linux 7 (and derivatives) with a large number of CPUs, which could cause migration failures when migrating to AMD hosts. (Reference: XS82ECU1034)

✨ Other changes - Improvements

We took that security opportunity to bundle other minor improvements.

Xen

  • Synced with Citrix Hypervisor 8.2 CU1 XS82ECU1039:
      • The MPX feature is now disabled by default. Cross-pool migration and upgrade will be simplified, as VMs can migrate more easily from pools with Intel SkyLake, CascadeLake, or CooperLake hardware to pools with later Intel hardware (such as IceLake). A reboot is necessary after updating to benefit from this change.
      • Improved latency by putting a limit on scheduler load balancing. This improves performance on large systems with high CPU utilization.