New Xen XSA's
-
A bunch of Xen security issues are now public after the usual embargo.
Note: website to check all XSA's is https://xenbits.xen.org/xsa/
XSA 294: insufficient TLB flushing
The major/most visible flaw (XSA 294)was related to a host crash triggered by a PV guest. Some users (@borzel for example), reported it here: https://xcp-ng.org/forum/topic/1025/host-crash-guest_4-o-sh_page_fault__guest 64 bits PV guests are affected.
Note: boot your host with the "pcid=0" parameter. This will likely have an impact on performance but should avoid the crash.
However, it was before the end of the embargo, so we can't comment and release a patch before it's known publicly.
Patched Xen will be available in the usual update channel as soon we got something tested and validated.
Others
The list of other new XSA's are:
- XSA 293: 64 bits PV guests can crash or be used for privilege escalation
- XSA 292: PV guests could cause a host crash or access data of other guests (similar to XSA 294)
- XSA 291: PV guests could cause a DDOS on the host via IOMMU
- XSA 290: PV guests could cause a DDOS on the hostto XSA 294)
All those vuln will be patched in the next Xen update. Stay tuned!
-
@olivierlambert Oli, thanks for the update and all the hard work the guys are putting into XCP.
-
So:
- The updates have been made available by Citrix on last wednesday
- We've published update candidates for testers on thursday
- Updates for XCP-ng 7.6 have been made available to everyone yesterday
- Updates for XCP-ng 7.5 have been made available to everyone this morning
- Blog post published: https://xcp-ng.org/blog/2019/03/12/xcp-ng-security-bulletin-vulnerabilities-pv-guests/