December 2023 Security Update

Security Dec 8, 2023

New security and maintenance updates are available for the only currently supported release of XCP-ng: 8.2 LTS.

📙 To update, follow this guide. You can also join the discussion on our community forum. Host reboots are necessary after this update.

📋 Summary

Xen and linux-firmware in the controller domain are updated to fix several vulnerabilities.

Alongside them, we also publish maintenance updates that we prepared and tested during the public testing window of the security updates.

🔒 Fixed vulnerabilities

XSA-445: CVE-2023-46835 - "x86/AMD: mismatch in IOMMU quarantine page table levels". On x86 AMD systems with IOMMU hardware, a device in quarantine mode, using dom_io, could access leaked data from previously quarantined pages. This is not enabled by default in XCP-ng, but can still be enabled at Xen boot time.

XSA-446: CVE-2023-46836 - "x86: BTC/SRSO fixes not fully effective". A PV guest could infer memory content from other guests. We do not recommend using PV guests and have been suggesting switching to HVM for a while, so if that's not your case yet, we strongly encourage you to consider doing the switch.
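One defender-side check that follows from the XSA-446 advice, as an added example that is not part of the original post or of XCP-ng's own tooling: list the guests on an 8.2 host that still run in PV mode, so you know which ones to convert to HVM. It parses the record format printed by `xe vm-list`, where `HVM-boot-policy` is empty for PV guests and set (e.g. "BIOS order") for HVM guests; the sample output and its UUIDs are constructed, and the layout of blank-line-separated records is an assumption.

```sh
#!/bin/sh
# find_pv_guests: read `xe vm-list` records on stdin and print
# "<uuid> <name-label>" for every guest whose HVM-boot-policy is empty,
# i.e. a PV guest. dom0 is PV too, so the caller must exclude it with
# is-control-domain=false (see the usage at the bottom).
find_pv_guests() {
    awk -F': ' '
        /^ *uuid \(/            { uuid   = $2 }
        /^ *name-label \(/      { name   = $2 }
        /^ *HVM-boot-policy \(/ { policy = $2 }
        /^$/ { emit_record() }   # blank line ends one VM record
        END  { emit_record() }   # last record may lack a trailing blank line
        function emit_record() {
            if (uuid != "" && policy == "") print uuid, name
            uuid = ""; name = ""; policy = ""
        }
    '
}

# Constructed sample of
#   xe vm-list is-control-domain=false params=uuid,name-label,HVM-boot-policy
# with placeholder UUIDs (not real hosts): one PV guest, one HVM guest.
SAMPLE_XE_OUTPUT='uuid ( RO)           : 11111111-1111-1111-1111-111111111111
     name-label ( RW): legacy-pv-box
HVM-boot-policy ( RW):


uuid ( RO)           : 22222222-2222-2222-2222-222222222222
     name-label ( RW): web-hvm
HVM-boot-policy ( RW): BIOS order
'

# On a real XCP-ng host (run as root in dom0) parse live output; elsewhere
# fall back to the constructed sample so the script still demonstrates itself.
if command -v xe >/dev/null 2>&1; then
    xe vm-list is-control-domain=false params=uuid,name-label,HVM-boot-policy | find_pv_guests
else
    printf '%s\n' "$SAMPLE_XE_OUTPUT" | find_pv_guests
fi
```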

✨ Other changes - Improvements

We also published non-security updates at the same time, to pave the way for the upcoming refreshed installation ISOs.

linux-firmware

CVE-2023-20592 - AMD microcode updated to the 2023-10-19 drop, which updates family 19h (Zen 3 and Zen 3+). AMD advisory here. XCP-ng does not support SEV yet and is not directly impacted by it.

⚠️ Updated firmware is provided as a convenience to help mitigate hardware vulnerabilities and other bugs. Updating your hardware's firmware remains the preferred way to update microcode, and any newer microcode found in the firmware will take precedence over the microcode we provide in XCP-ng.

💡 AMD SEV support is in the works with the "Hyper SEV" project. You can read more about it on the official repository.

gpumon

A small change to suppress unnecessary logging every 5s into /var/log/daemon.log.

tzdata

Updated timezones with the latest CentOS 7 update of the tzdata package.

vendor-drivers

In preparation for the upcoming refreshed installation ISOs for XCP-ng 8.2.1, we have integrated new drivers into XCP-ng:

  • igc-module: Intel device drivers for I225/I226
  • r8125-module: Realtek r8125 device drivers
  • mpi3mr-module: Broadcom mpi3mr RAID device driver

David Morel

Along with Samuel Verschelde

Hypervisor & Kernel Software Engineer at Vates and XCP-ng Security Coordinator. Open Source enthusiast, using IRC for everything. Raccoon lover.