==================================================================== CERT-Renater Note d'Information No. 2018/VULN341 _____________________________________________________________________ DATE : 29/10/2018 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S):Systems running Citrix XenServer versions 7.6, 7.5, 7.1 LTSR CU1. ===================================================================== https://support.citrix.com/article/CTX239100 _____________________________________________________________________ CTX239100 Citrix XenServer Security Update Security Bulletin Severity: Medium Created: 26 Oct 2018 Modified: 26 Oct 2018 Applicable Products o XenServer 7.6 o XenServer 7.5 o XenServer 7.1 LTSR Cumulative Update 1 Description of Problem A security issue has been identified in Citrix XenServer that may allow a malicious administrator of an HVM guest VM to crash the host. This issue affects the following versions of Citrix XenServer: o Citrix XenServer 7.6 o Citrix XenServer 7.5 o Citrix XenServer 7.1 LTSR CU1 The following vulnerabilities have been addressed: o CVE-2018-TBA: Nested VT-x usable even when disabled - ------------------------------------------------------------------------------- Mitigating Factors Customers with only PV guests are not affected by this issue. - ------------------------------------------------------------------------------- What Customers Should Do Hotfixes have been released to address this issue. Citrix recommends that affected customers install these hotfixes as their patching schedule permits. The hotfixes can be downloaded from the following locations: Citrix XenServer 7.6: CTX239128 - https://support.citrix.com/article/CTX239128 Citrix XenServer 7.5: CTX239127 - https://support.citrix.com/article/CTX239127 Citrix XenServer 7.1 LTSR CU1: CTX239126 - https://support.citrix.com/article/ CTX239126 Customers who are using the LivePatching feature of Citrix XenServer will not need to reboot servers to apply this hotfix if those servers were previously fully patched. - ------------------------------------------------------------------------------- Acknowledgements - ------------------------------------------------------------------------------- What Citrix Is Doing Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at http://support.citrix.com/. - ------------------------------------------------------------------------------- Obtaining Support on This Issue If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at https://www.citrix.com/support/open-a-support-case.html. - ------------------------------------------------------------------------------- Reporting Security Vulnerabilities Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For guidance on how to report security-related issues to Citrix, please see the following document: CTX081743 - - Reporting Security Issues to Citrix - ------------------------------------------------------------------------------- Changelog +--------------------------------------+--------------------------------------+ |Date |Change | +--------------------------------------+--------------------------------------+ |26th October 2018 |Initial Issue | +--------------------------------------+--------------------------------------+ ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 23/25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email:cert@support.renater.fr + =========================================================