XCP-ng 8.2 updates announcements and testing

stormi

@CJ Everything that is relevant for XCP-ng 8.3 is either already built and ready to be pushed (you can pull from xcp-ng-candidates if you want it already), or being built/tested.

bleader

New security update candidate (xen, xapi, xsconsole)

Two new XSAs were published on 16th of July.

---

• XSA-458 guests which have a multi-vector MSI capable device passed through to them can leverage the vulnerability.
• XSA-459 impacts systems running Xapi v3.249.x, which means any up to date XCP-ng 8.2. Note this requires heavy crafting and likely social engineering on the attacker side, see the XSA's "VULNERABLE SYSTEMS" section for more details.

---

SECURITY UPDATES

• xen-*:
  • Fix XSA-458 - double unlock in x86 guest IRQ handling. When passing through a multi-vector MSI capable device to a guest, an attacker could use an error handling path that could lead to the issue, no exploitations results have been ruled out: Denial of Service (DoS), crashes, information leaks, or elevation of privilege could all be possible.
• xapi, xsconsole:
  • Fix XSA-459 - Xapi: Metadata injection attack against backup/restore functionality. A malicious guest can manipulate its disk to appear to be a metadata
    backup, then having about a 50% chance of appearing ahead of a legitimate metadata backup. The more disks the guest has, the higher the chances of this happening are.

Test on XCP-ng 8.2

yum clean metadata --enablerepo=xcp-ng-testing
yum update "xen-*" "xapi-*" xsconsole --enablerepo=xcp-ng-testing
reboot

The usual update rules apply: pool coordinator first, etc.

Versions:

• xen: xen-4.13.5-9.40.2.xcpng8.2
• xapi: xapi-1.249.36-1.2.xcpng8.2
• xsconsole: xsconsole-10.1.13-1.2.xcpng8.2

What to test

Normal use and anything else you want to test.

Test window before official release of the update

~ 1 day because of security updates.

olivierlambert

I suppose I need to be a bit more patient

No packages marked for update

bleader

I indeed forgot to wait for mirrors to sync before posting, my bad, should be good soon

gskger

@bleader Updated my two node homelab and everything seems to work as expected. Let's see how things go over the next days.

Andrew

@bleader Updated an running on newer and older Intel machines. Running normally so far.

olivierlambert

Tested in my own lab, no issues so far

bleader

Update published https://xcp-ng.org/blog/2024/07/18/july-2024-security-updates/

Thank you everyone for your tests!

manilx

@bleader 2 production polls updated via RPU without issues.

bleader

New security update candidates (xen, microcode_ctl)

A new XSA was published on August 14th 2024.
Intel published an updated microcode on August 13th 2024.

---

• XSA-460 passing through some PCI devices after guest creation could lead to any kind of security issue (DoS, privilege escalation, information leak,…) the actual risk depends on the systems and the devices passed through.
• XSA-461 some pass-through use cases when on one or more device when they share resources are actually not possible to be made secure. This XSA updates the Xen documentation to reflect that.

---

SECURITY UPDATES

• xen-*:
  • Fix XSA-460 - error handling in x86 IOMMU identity mapping. The handling of errors in the case of mapping Reserved Memory Regions was flawed, potentially keeping the mapping in place, this could allow guests to access memory region they should not be allowed to access. These mapping are typically used when doing pass-through of legacy USB emulation.
  • Document XSA-461 - PCI device pass-through with shared resources Files. According to the Xen Project security team, PCI pass-through of devices that share ressources is not possible to be made safe. This updates the documentation to reflect it. Look at the "MITIGATION" section of the XSA for more information regarding the safe cases.
• microcode_ctl: Security updates from Intel:
  • INTEL-SA-01083
  • INTEL-SA-01118
  • INTEL-SA-01100
  • INTEL-SA-01038
  • INTEL-SA-01046
  • Plus fixes for a lot of functional issues, see the Release Notes for more details.

Test on XCP-ng 8.2

yum clean metadata --enablerepo=xcp-ng-candidates
yum update "xen-*" microcode_ctl --enablerepo=xcp-ng-candidates
reboot

The usual update rules apply: pool coordinator first, etc.

Versions:

• xen: 4.13.5-9.40.3.xcpng8.2
• microcode_ctl: 2.1-26.xs29.3.xcpng8.2

What to test

Normal use and anything else you want to test. Feedback about PCI pass-through is also welcome.

Test window before official release of the update

~ 2 day because of security updates.

Andrew

@bleader Installed and running on pools of 8.2.1 systems.

JeffBerntsen

@bleader They're installed and running well on my test lab systems.

gskger

@bleader Installed on my playlab. Everything looks normal, let's see how it goes.

stormi

I just pushed an update for microcode_ctl, in xcp-ng-candidates again.

It only changes one microcode file, 06-a5-03 (CML-S62, Core Gen 10), which Intel had forgotten to update in their initial release.

(We found out and reported it to them)

bleader

Update published https://xcp-ng.org/blog/2024/08/16/august-security-update/

Thank you all for testing

manilx

@bleader All pools updated via RPU without issues.

bleader

New security update candidates (xen, microcode_ctl)

A new XSA was published on September 24th 2024.
Intel published a microcode update on the September 10th 2024.
We also included an updated xcp-ng-release for testing, althrough not related to security.

---

• XSA-462 a malicious HVM or PVH guest can trigger a DoS of the host.

---

SECURITY UPDATES

• xen-*:
      * Fix XSA-462 - x86: Deadlock in vlapic_error(). The handling of x86's APIC (Advanced Programmable Interrupt Controller) allows a guest to configure an illegal vector to handle error interrupts. This causes the vlapic_error() to recurse, this is protected, but the lock used for this protection will try to be taken recursiveley, leading to a deadlock.
• microcode_ctl:
      * Latest Intel microcode update, still named IPU 2024.3, including security updates for:
          * INTEL-SA-01103
          * INTEL-SA-01097

Other updates

• xcp-ng-release:
      * Update the "XOA Quick deploy" feature in the host's web page.
      *  Point at repo.vates.tech for CentOS since mirrorlist.centos.org was cut
      * Add "(EOL)" to repo descriptions for EOL repos
      * Drop unused repos

Test on XCP-ng 8.2

yum clean metadata --enablerepo=xcp-ng-candidates
yum update "xen-*" microcode_ctl xcp-ng-release --enablerepo=xcp-ng-candidates
reboot

The usual update rules apply: pool coordinator first, etc.

Versions:

• xen: 4.13.5-9.44.1.xcpng8.2
• microcode_ctl: microcode_ctl-2.1-26.xs29.5.xcpng8.2
• xcp-ng-release: xcp-ng-release-8.2.1-13

What to test

Normal use and anything else you want to test.

Test window before official release of the update

~ 1 day because of security updates.

gskger

@bleader Update worked well on my two node homelab and everything looks and works normal after reboot. I did some basic stuff like VM and Storage migration, but nothing in depth. Let's see how things work out.

Andrew

@bleader I installed it on many 8.2 machines. On one I did get a warning:

  Cleanup    : xen-libs-4.13.5-9.40.3.xcpng8.2.x86_64                     14/14
warning: %posttrans(microcode_ctl-2:2.1-26.xs29.5.xcpng8.2.x86_64) scriptlet failed, exit status 1
Non-fatal POSTTRANS scriptlet failure in rpm package 2:microcode_ctl-2.1-26.xs29.5.xcpng8.2.x86_64
  Verifying  : xcp-ng-release-8.2.1-13.x86_64                              1/14

But it did not seem to have any effect. Nothing extra in the yum.log

bleader

@Andrew If I understand correctly that is ran after regenerating the initrd, but to be sure, can you check the date of your /boot/initrd-4.19.0+1.img on this host?