August 2024 Security Updates

New security updates are available for the only currently supported release of XCP-ng: 8.2 LTS.

📔
To update, follow this guide. You can also join the discussion on our community forum. Host reboots are necessary after this update.

📋 Summary

On the 13th of August, Intel published an update for their microcode that fixes multiple security issues as well as some functional issues. They then pushed a new update on the 15th of August, after we reported a missing file update in their release.

On the 14th of August, Xen Project published two new XSAs related to PCI pass-through.

🔒 Security Updates

  • xen:
    • XSA-460 - CVE-2024-31145 - error handling in x86 IOMMU identity mapping. Incorrect error handling for PCI pass-through devices can leave guests with access to memory mappings after the error occurred, even though they should no longer have it. This could lead to a range of security issues, depending on the devices and systems involved. This is most likely to happen when passing through USB legacy devices.
    • XSA-461 - CVE-2024-31146 - PCI device pass-through with shared resources. Passing through devices that have shared resources cannot be security supported, according to the Xen Security Team. The patch for this XSA simply updates the documentation to state this fact. The safe use cases are explained in the "MITIGATION" section of the XSA.
  • microcode_ctl: Updated to Intel's latest IPU 2024.3, containing mitigations for multiple Intel Security Advisories: