May 02, 2017 - 4:00 a.m.

Citrix XenServer Multiple Security Updates


<h2> Description of Problem</h2>

<p>A number of security issues have been identified within Citrix XenServer. These issues could, if exploited, allow a malicious administrator of a PV guest VM to compromise the host. The issues have the identifiers:</p>
<ul>
<li>CVE-2017-8903 (High): x86: 64bit PV guest breakout via pagetable use-after-mode-change</li>
<li>CVE-2017-8904 (High): grant transfer allows PV guest to elevate privileges</li>
<li>CVE-2017-8905 (Low): possible memory corruption via failsafe callback</li>
</ul>

<hr />

<h2> Mitigating Factors</h2>

<p>Customers using only HVM guest VMs are not affected. Note that all Microsoft Windows VMs are HVM.</p>
<p>To exploit these issues from a 32-bit PV guest VM, collaboration with the administrator of either an HVM guest VM or a 64-bit PV guest VM on the same host is required. Customers using only 32-bit PV VMs are not affected.</p>
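<p>The mitigating factors above depend on whether a host runs PV or HVM guests. As an added example (not part of the Citrix advisory), the dom0 shell helper below sorts <code>xe vm-list</code> records into PV and HVM; it assumes an empty <code>HVM-boot-policy</code> marks a PV guest, and the sample records are constructed. It does not tell 32-bit from 64-bit PV guests, which still has to be checked per guest.</p>

```shell
#!/usr/bin/env bash
# Added example: sort XenServer guests into PV and HVM from `xe vm-list` records.
# On a host, run in dom0:  xe vm-list is-a-template=false \
#   params=uuid,name-label,HVM-boot-policy,is-control-domain | classify_guests
# Assumption: an empty HVM-boot-policy marks a PV guest.

classify_guests() {
  awk '
    function emit() {
      # Skip dom0: it is the host control domain, not a guest.
      if (uuid != "" && ctl != "true")
        printf "%s\t%s\t%s\n", (policy == "" ? "PV" : "HVM"), uuid, name
      uuid = name = policy = ctl = ""
    }
    /^[ \t\r]*$/ { emit(); next }          # blank line ends a record
    match($0, /\)[ ]*:/) {                 # "key ( RW): value"
      key = $1
      val = substr($0, RSTART + RLENGTH)
      gsub(/^[ \t]+|[ \t\r]+$/, "", val)
      if (key == "uuid") uuid = val
      else if (key == "name-label") name = val
      else if (key == "HVM-boot-policy") policy = val
      else if (key == "is-control-domain") ctl = val
    }
    END { emit() }
  '
}

# Constructed sample records (not output from a real pool).
sample_vm_list() {
  cat <<'EOF'
uuid ( RO)                 : 00000000-0000-4000-8000-000000000001
           name-label ( RW): Control domain on host: xs-lab-01
      HVM-boot-policy ( RW):
    is-control-domain ( RO): true

uuid ( RO)                 : 00000000-0000-4000-8000-000000000002
           name-label ( RW): win2016-app
      HVM-boot-policy ( RW): BIOS order
    is-control-domain ( RO): false

uuid ( RO)                 : 00000000-0000-4000-8000-000000000003
           name-label ( RW): debian8-pv
      HVM-boot-policy ( RW):
    is-control-domain ( RO): false
EOF
}
sample_vm_list | classify_guests   # prints one tab-separated line per guest
```

<p>Each output line is the guest type, UUID and name-label, separated by tabs; a host whose list shows only HVM lines matches the first mitigating factor.</p>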

<hr />

<h2> What Customers Should Do</h2>

<p>Hotfixes have been released to address these issues. Citrix recommends that affected customers install these hotfixes, which can be downloaded from the following locations:</p>
<p>Citrix XenServer 7.1: CTX223290</p>
<p>Citrix XenServer 7.0: CTX223289</p>
<p>Citrix XenServer 6.5 SP1: CTX223288</p>
<p>Citrix XenServer 6.2 SP1: CTX223287</p>
<p>Citrix XenServer 6.0.2 Common Criteria: CTX223286</p>
<p>Customers who are using the Live Patching feature of Citrix XenServer 7.1 may apply the relevant hotfix without requiring a reboot.</p>

<hr />

<h2> What Citrix Is Doing</h2>

<p>Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center.</p>

<hr />

<h2> Obtaining Support on This Issue</h2>

<p>If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at <u> <a href=“”></a></u>. </p>

<hr />

<h2> Reporting Security Vulnerabilities</h2>

<p>Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For guidance on how to report security-related issues to Citrix, please see the following document: CTX081743 – Reporting Security Issues to Citrix</p>

<hr />

<h2> Changelog</h2>

<table border="1" width="100%">
<tr><td>Date</td><td>Change</td></tr>
<tr><td>2nd May 2017</td><td>Initial Publishing</td></tr>
<tr><td>15th May 2017</td><td>CVE numbers assigned</td></tr>
</table>

<hr />