July 2024 Security Updates
New security updates are available for the only currently supported release of XCP-ng: 8.2 LTS.
To update, follow this guide. You can also join the discussion on our community forum. Host reboots are necessary after this update.
📋 Summary
On the 16th of July, the Xen Project published two new XSAs, with patches to mitigate the corresponding security issues. This update includes our backport of the mitigations into XCP-ng.
🔒 Security Updates
xen: XSA-458 - CVE-2024-31143 - double unlock in x86 guest IRQ handling. This specifically impacts the passthrough of a multi-vector MSI-capable device. The handling of the error path could lead to a wrongfully released lock, which could trigger the issue. Possible outcomes could be anything at this point, as nothing was excluded by the Xen security team: Denial of Service (DoS) affecting the entire host, crashes, information leaks, or elevation of privilege…

xapi and xsconsole: XSA-459 - CVE-2024-31144 - Xapi: Metadata injection attack against backup/restore functionality. A malicious guest could write metadata to its disk in a way that makes it appear to be a backup. The guest would then need an administrator to perform a data-recovery action. With a single disk, the chances of this appearing before a legitimate backup of metadata are estimated at around 50%; with 2 disks, this goes up to 75%, and so on in the same manner with more disks.
Regarding XSA-459: This issue affects how XAPI identifies a metadata disk stored on a Storage Repository (SR). However, Pool Metadata backups in Xen Orchestra are stored on a dedicated Backup Repository (BR) instead of an SR. Therefore, if you use Metadata backup via Xen Orchestra, this security issue does not impact you. Nonetheless, as with any security update, we still recommend getting fully up to date as soon as possible.