Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

Citrix XenServer Multiple Security Updates

Related Vulnerabilities: CVE-2017-8903   CVE-2017-8904   CVE-2017-8905  

Source

Description of Problem

A number of security issues have been identified within Citrix XenServer. These issues could, if exploited, allow a malicious administrator of a PV guest VM to compromise the host. The issues have the identifiers:

  • CVE-2017-8903 (High): x86: 64bit PV guest breakout via pagetable use-after-mode-change
  • CVE-2017-8904 (High): grant transfer allows PV guest to elevate privileges
  • CVE-2017-8905 (Low): possible memory corruption via failsafe callback

Mitigating Factors

Customers using only HVM guest VMs are not affected. Note that all Microsoft Windows VMs are HVM.

To exploit these issues from a 32-bit PV guest VM, collaboration with the administrator of either an HVM guest VM or a 64-bit PV guest VM on the same host is required.  Customers using only 32-bit PV VMs are not affected.

What Customers Should Do

Hotfixes have been released to address these issues. Citrix recommends that affected customers install these hotfixes, which can be downloaded from the following locations:

Citrix XenServer 7.1: CTX223290 – https://support.citrix.com/article/CTX223290

Citrix XenServer 7.0: CTX223289 – https://support.citrix.com/article/CTX223289 

Citrix XenServer 6.5 SP1: CTX223288 – https://support.citrix.com/article/CTX223288

Citrix XenServer 6.2 SP1: CTX223287 – https://support.citrix.com/article/CTX223287

Citrix XenServer 6.0.2 Common Criteria: CTX223286– https://support.citrix.com/article/CTX223286 

Customers who are using the Live Patching feature of Citrix XenServer 7.1 may apply the relevant hotfix without requiring a reboot.

 

What Citrix Is Doing

Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at http://support.citrix.com/.

Obtaining Support on This Issue

If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at https://www.citrix.com/support/open-a-support-case.html

Reporting Security Vulnerabilities

Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For guidance on how to report security-related issues to Citrix, please see the following document: CTX081743 – Reporting Security Issues to Citrix

Changelog

Date  Change
2nd May 2017 Initial Publishing
15th May 2017 CVE numbers assigned

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started