XSA-468: multiple Windows PV driver vulnerabilities - update now!
-
Just an FYI,
So far the only 2022 VM I've updated has created new network adapters which defaulted to DHCP, and it has marked the system drive as removeable, which we saw with 2025 almost a year ago.
Make sure to write down your static IP addresses before beginning.
This is from installing Xenserver MA 9.4.1-160
-
@Greg_E From 6 Windows Server 2022 VM's this happened on 3 here.
-
Thanks for the feedback. Let's add a notice in the docs, @dinhngtu?
-
Here is some info on setting the disks so that they are no longer removeable, I think the last time I did this I just needed the registry edit to fix it.
I'm kind of stuck waiting to migrate my firewall before I can get back to fixing my VMs. I only have 5 and one of them is not showing the warning. All of them should have been getting updates from the management agent or from Windows Update, not sure why only 4 give the warning.
-
@dinhngtu @olivierlambert @stormi I think the Windows VM's with old tools should show up in the Dashboard Heath report under "Guest Tools status"...
-
@Andrew I've thought about it and I agree on the principle as there's already a section about guest tools there, but we have put enough pressure on the XO team to make them release the helpful features in time to help users detect vulnerable VMs, on XOA's
stableupdate channel, so it might be wiser to wait for XO6 for such alert to be in a centralized place about guest tools. -
said in XSA-468: multiple Windows PV driver vulnerabilities - update now!:
- We do plan a way to remove the warning for VMs that you would choose.
That's now done and will be included in the next update to the
latestupdate channel for XOA. VMs with theHIDE_XSA468tag will not be included in the vulnerability detection. -
Better late than never I guess
4 out of 5 of my Server 2022 VMs needed to have the networking set back to manual after the driver update. 5 out of 5 need to have the system drive marked as non-removeable, but I need to move on for a couple other things before swinging back to the system drives.
-
@Greg_E Are you moving straight from older Citrix drivers or from XCP-ng drivers? XenClean 9.0.9108 and newer should now keep static IP settings on execution.
-
I went from Citrix 9.3.3 to 9.4.1, and generally they have remained manual when I've upgraded. All these VMs started out with 9.2.x so this is probably the fourth update to them.
And all that said, I know the MAC address did not change, because I had a reservation for one of them and it was found properly before putting it back to manual. I think the XCP-ng side of things worked properly (no MAC change), but the driver side was the issue, and nothing you can fix since you don't write this driver.
I probably should have used the cleaner first, but I went straight to the Citrix installer like I've done in the past. Took about an hour to get the 5 VMs updated, now I can move on to other things that have been lacking. I've mentioned it a few times, but this construction has me way behind for the summer, and only a few weeks of work time left before students come back.
