April 2024 Security Update

New security updates are available for the only currently supported release of XCP-ng: 8.2 LTS.
📔
To update, follow this guide. You can also join the discussion on our community forum. Host reboots are necessary after this update.

📋 Summary

On the 9th of April, the Xen Project published 3 security advisories for which fixes were integrated in this update.

⚠️
Given the wide range of impacted systems for these 3 flaws, it is strongly advised for all users to update their hosts.

🔒 Implemented Mitigations

  • XSA-454 - CVE-2023-46842 - x86 HVM hypercalls may trigger Xen bug check. Due to their ability to switch between 32 and 64 bits modes, HVM and PVH guests are able to trigger a host DoS through an hypercall when the high halves or registers used for the parameters are not cleared. The sanity check will see that as a consistency error and end up crashing the host. All host running HVM on PVH guests are impacted by this advisory.
  • XSA-455 - CVE-2024-31142 - x86: Incorrect logic for BTC/SRSO mitigations. There was a logic error in the fix for XSA-407, that is also used by the mitigation for XSA-434. Therefore, the mitigations for both these XSAs were not working as intended. This could lead an attacker to access memory of the host or others guests. The included patches correct that. All AMD Zen generations processors are impacted.
  • XSA-456- CVE-2024-2201 - x86: Native Branch History Injection. This flaw is an evolution of the Spectre-BHB that was discussed in XSA-398 allowing an attacker to access memory from host or other guests. At the time of XSA-398 publication, it was thought not to impact Xen, but adjustement in the attack process was made to make it fully possible from userland. Only Intel CPUs are known to be impacted at this time, and older processors should be protected by the mitigations in place for Spectre-v2 (XSA-254). To check if your processor is impacted, you can run xen-cpuid -v and look for eibrs in the "Dynamic sets:" section only, as other sections are reporting compile time support only. See below example:
  # xen-cpuid -v
  ...
  Dynamic sets:
  Raw                             ...
    ...
    [16] MSR_ARCH_CAPS.lo         ... eibrs ...
    ...
  ...