XSA-468: multiple Windows PV driver vulnerabilities - update now!
-
@pdonias Sure thing. I can test it in my test environment.
-
Just did a couple more tests. Here are my findings:
- Upgrading the tools from v9.3.3 to v9.4.1 does preserve the routing table.
- Upgrading the tools from v9.2.1 to v9.4.1 does not preserve the routing table.
Here are a couple of powershell commands used for testing:
Get-NetRoute -PolicyStore PersistentStore Get-NetAdapter New-NetRoute -DestinationPrefix "10.10.0.0/24" -InterfaceIndex <ifIndex> -NextHop 10.10.0.254 -
@conitrade-as This is a known issue when upgrading from XS WinPV 9.3.0 and below: https://support.citrix.com/s/article/CTX235403-updates-to-xenserver-vm-tools-for-windows-for-xenserver-and-citrix-hypervisor
-
@dinhngtu Thanks for the pointer. Yes, it seems that the root cause also makes routes disappear. Howerver, that the routing information is gone is sadly not mentioned explicitly. May be something to add to your docs as well.
Caution when updating tools: Verify interface IP configuration and routing entries.
-
@Forza said in XSA-468: multiple Windows PV driver vulnerabilities - update now!:
Hi,
It is not clear to me if the old XCP-ng PV drivers (8.2.2.200-RC1) are affected or not. How should we proceed if they are?
Do others share this feeling and have this question after re-reading the whole announcement?
-
@stormi said in XSA-468: multiple Windows PV driver vulnerabilities - update now!:
Do others share this feeling and have this question after re-reading the whole announcement?
No it's pretty clear, update the drivers on everything as all versions are susceptible.
-
One thing i've noticed since upgrading to tools version 9.4.1 is that the version installed will display properly in XOA up until the VM is migrated. After a migration it changed to just "Management agent detected" with no version shown. Not sure if this is an XO issue or an issue with the tools itself?
-
@flakpyro There's also a chance this is a XAPI issue. CC @andriy.sultanov
-
-
@dinhngtu here is the output from one of the VMs recently migrated:
xe vm-param-get uuid=261634d9-b67c-1048-b028-2e33abea6329 param-name=PV-drivers-version micro: -1; xennet: XenServer 9.1.7.65 ; xeniface: XenServer 9.1.12.94 ; xenvif: XenServer 9.1.13.107 ; xenvbd: XenServer 9.1.9.82 ; xenbus: XenServer 9.1.11.115 -
@flakpyro
I've found a similar issue with all VMs I update. After I update and reboot, it stays at "Management agent detected" with no version shown.Once I reboot a second time, it stays at "Management agent detected" with "Management agent 9.4.1-160 detected"
-
@archw I can confirm. That is exactly the behaviour I see with my Windows VMs.
-
HI!
Upgrade Xentools take two reboot for complete! if you have old tools installed isbetter upgrade to 7 and after to 9
About this last somebody have some issue upgrading windows server 2012R2?
Thx
-
@TrapoSAMA Windows Server 2012/2012R2 are no longer supported by our (XCP-ng) drivers nor by XenServer drivers.
-
hi!! normally install Xen drivers not XCP driver yet. Some experience with this issue when install over 2012r2?
Thx
-
@dinhngtu Great. So or forever get that banner about vulnerability, or install new tools=no tools, no migration, no pool upgrade, etc.
Need a option "i don't care, hide this host". -
We will likely have a feature next release with a special tag to ignore it
-
Ping @lsouai-vates we need to be sure it's planned
-
- No one said the banner would stay forever. The vulnerability is important enough that for now there's a banner.
- We addressed what is most urgent: patching supported OSes, and making users aware of the vulnerability. The fact that you're annoyed with the banner at least shows it worked.
- We do plan a way to remove the warning for VMs that you would choose.
- @dinhngtu is already evaluating a mitigation script for the bigger vulnerability on unsupported versions of Windows,
-
@olivierlambert As soon as I've created the feature request.
