May 2025 Security Update for XCP-ng 8.2 & 8.3
New security updates are available for XCP-ng 8.2 LTS and XCP-ng 8.3.
📋 Summary
Multiple vulnerabilities linked to some Intel processors were disclosed, to fix these, we publish an updated Intel microcode, and a Xen update.
On the 12th of May, Intel published an update for their microcode that fixes multiple security issues as well as some functional issues.
On the same day, the Xen Project disclosed a new vulnerability through Xen Security Advisories (XSAs), in relation with the vulnerabilities covered by Intel microcode update. This notably relates to Training Solo, reported by researchers at VU Amsterdam.
On the 13th of May, the Xen Security Team posted a Xen Security Notice to xen-devel and oss-security, with the link to a publication from the researchers at ETH Zurich: Branch Privilege Injection: Exploiting Branch Predictor Race Conditions. Fix related to this vulnerability is also included in the Intel microcode update.
We also include an update non security update to XAPI in 8.2.
🔒 Security Updates
xen-*:- Fix XSA-469 - CVE-2024-28956 - x86: Indirect Target Selection. A bug in the hardware support for prediction-domain isolation could lead to an attacker being able to infer the memory content on the host, including the memory of guests. This impacts Intel systems having eIBRS, starting with Cascade Lake, but excluding Alder Lake and Sapphire Rapids.
microcode_ctlfor 8.2 andintel-microcodefor 8.3: Security updates from Intel
Updating your hardware's firmware remains the preferred way to update microcode, and any newer microcode found in the firmware will take precedence over the microcode we provide in XCP-ng.
✨ Other changes
On XCP-ng 8.2, this update also brings one non-urgent bugfix.
XAPI
- Fix a long lasting bug that prevented Guest Agent to report the proper version of installed Windows PV drivers.
