October 2023 Security Update

Security Oct 12, 2023

New security and maintenance updates are available for the only currently supported release of XCP-ng: 8.2 LTS.

📔 To update, follow this guide. You can also join the discussion on our community forum. Host reboots are necessary after this update.

📋 Summary

Xen and the Linux kernel in the control domain (dom0) are updated to fix several vulnerabilities.

Alongside them, we also publish maintenance updates that were ready and waiting for the next push.

🔒 Fixed vulnerabilities

🔸XSA-440: CVE-2023-34323 - "xenstored: A transaction conflict can crash C Xenstored". Impact: denial of service. XCP-ng uses the OCaml version of xenstored by default, so the issue only concerns users who deliberately switched to C Xenstored.

🔸XSA-441: CVE-2023-34324 - "Possible deadlock in Linux kernel event handling". According to the description, this denial of service vulnerability is not exploitable in XCP-ng's default configuration, but we provide the patched dom0 kernel as defence in depth.

🔸XSA-442: CVE-2023-34326 - "x86/AMD: missing IOMMU TLB flushing". On some AMD systems, an attacker might leverage a vulnerability in the handling of PCI passthrough to escalate their privileges, cause a denial of service, or access leaked information.

🔸XSA-443: CVE-2023-34325 - "Multiple vulnerabilities in libfsimage disk handling". Privilege escalation from PV guests through flaws in libfsimage, notably its handling of XFS. We would like to remind you that PV guests are deprecated and not security-supported on XCP-ng 8.2. Despite this, a fix is provided for users who still have PV guests. We still urge them to convert their VMs to HVM. As the Xen Security Team is "no longer confident in the suitability of libfsimage when run against guest controlled input with super user privileges", we will issue another update later this month to remove all uses of this library wherever possible, and move the remaining uses to a restricted environment.

🔸XSA-444: CVE-2023-34327 and CVE-2023-34328 - "x86/AMD: Debug Mask handling". On AMD CPUs, in the Steamroller microarchitecture and later, guests may be able to cause another guest to crash. Also, "a buggy or malicious PV guest kernel can lock up the host".

✨ Other changes - Improvements

We took the opportunity of this security update to bundle other improvements that were ready to release.

sm (Storage Manager): better handling of custom multipath configuration.

Guides on the internet, user or vendor habits, and (until not so long ago, when we pointed it out) even Citrix Hypervisor's official documentation tell you to modify /etc/multipath.conf to adapt it to your setup. This was wrong, and led to issues whenever we updated this file to add support for new hardware.

The correct way to add your own multipath configuration is by creating a file in /etc/multipath/conf.d/, but this was not documented, and the directory wasn't even created by default.

Given these issues, we contributed changes to Citrix Hypervisor/XenServer developers, which were accepted, and we decided to backport them to XCP-ng 8.2.

What changes:

  • A warning is added on top of /etc/multipath.conf, to let you know it should not be edited, and tell you about /etc/multipath/conf.d/.
  • The /etc/multipath/conf.d/ directory is now created by default.
  • A ready-to-modify /etc/multipath/conf.d/custom.conf file is added. As documented inside the file, it will even be preserved when you upgrade to a later version of XCP-ng.
  • Since there was a lack of guidance, we know there are users who modified the wrong file. To avoid breaking existing setups where /etc/multipath.conf has been modified, we won't override it in XCP-ng 8.2, neither in the present update nor in future ones (but we will in XCP-ng 8.3). This means that any change to that file causes it to stop receiving configuration updates from us for the rest of XCP-ng 8.2's lifetime, but that is probably better than having one's configuration overridden and storage temporarily broken.
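As an added example (not code from XCP-ng or multipath-tools), here is a small Python model of how settings in /etc/multipath.conf and in /etc/multipath/conf.d/*.conf combine, so you can see which effective settings come from your custom file and which still live in the main file. It assumes the usual multipath.conf block syntax with space-separated braces, models overriding only for same-named keys in same-named sections, and uses constructed sample files rather than XCP-ng's packaged defaults.

```python
"""Added example (not XCP-ng's or multipath-tools' code): a simplified model of how
multipathd combines /etc/multipath.conf with /etc/multipath/conf.d/*.conf."""
import re
_TOKEN = re.compile(r'"[^"]*"|\S+')  # quoted value or bare word; braces space-separated

def parse_multipath_conf(text, counters=None):
    """Return (section_path, key, value) triples. Inner blocks (device, multipath) get a
    running index so repeated blocks stay distinct; share `counters` across files."""
    counters = {} if counters is None else counters
    tokens = _TOKEN.findall(" ".join(ln.split("#", 1)[0] for ln in text.splitlines()))
    entries, stack, i = [], [], 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "}":
            stack.pop()
            i += 1
        elif i + 1 < len(tokens) and tokens[i + 1] == "{":
            n = counters.get(("/".join(stack), tok), 0)
            counters[("/".join(stack), tok)] = n + 1
            stack.append(f"{tok}#{n}" if stack else tok)  # top-level sections merge by name
            i += 2
        elif i + 1 < len(tokens) and stack:
            entries.append(("/".join(stack), tok, tokens[i + 1].strip('"')))
            i += 2
        else:
            raise ValueError(f"unexpected token {tok!r}")
    if stack:
        raise ValueError("unbalanced braces")
    return entries

def effective_config(files):
    """files: ordered (path, text) pairs, main file first, then conf.d/*.conf in sorted
    order. Returns ({(section, key): (value, source)}, [(section, key, old, new)])."""
    effective, overrides, counters = {}, [], {}
    for path, text in files:
        for section, key, value in parse_multipath_conf(text, counters):
            if (section, key) in effective:
                overrides.append((section, key, effective[(section, key)][1], path))
            effective[(section, key)] = (value, path)
    return effective, overrides

# Constructed sample content; not XCP-ng's packaged defaults.
SAMPLE_FILES = [
    ("/etc/multipath.conf", "defaults {\n  user_friendly_names no\n  find_multipaths yes\n}\n"
     "devices {\n  device {\n    vendor \"VendorA\"\n    product \"ArrayOne\"\n"
     "    path_grouping_policy multibus\n  }\n}\n"),
    ("/etc/multipath/conf.d/custom.conf", "# site settings, kept across upgrades\n"
     "defaults {\n  find_multipaths no\n}\nmultipaths {\n  multipath {\n"
     "    wwid 36000000000000000000000000000abcd\n    alias sr-fc-01\n  }\n}\n"),
]
```

Calling `effective_config(SAMPLE_FILES)` shows `find_multipaths` taken from custom.conf and lists that override, while everything else still resolves to the main file.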

Guest templates

We synced with Citrix Hypervisor's recent hotfixes. Most of the templates they added were already in XCP-ng: Debian 11, Debian 12, Rocky Linux 9 and CentOS Stream 9. So the only new template is for Ubuntu 22.04.

irqbalance

We included a backport of Citrix Hypervisor's hotfix XS82ECU1048 whose description is: "Enable interrupt balancing for Fibre Channel (FC) PCI devices. This improves performance on fast FC HBA SRs, especially if multipathing is used."


Samuel Verschelde

XCP-ng Lead Maintainer, Release Manager and Technical Product Manager. Open Source enthusiast since 2002.