Description of Problem
A security issue has been identified in Citrix XenServer that may allow a malicious administrator of an HVM guest VM to crash the host.
This issue affects the following versions of Citrix XenServer:
- Citrix XenServer 7.6
- Citrix XenServer 7.5
- Citrix XenServer 7.1 LTSR CU1
The following vulnerabilities have been addressed:
- CVE-2018-18883: Nested VT-x usable even when disabled
Mitigating Factors
Customers with only PV guests are not affected by this issue.
What Customers Should Do
Hotfixes have been released to address this issue. Citrix recommends that affected customers install these hotfixes as their patching schedule permits. The hotfixes can be downloaded from the following locations:
Citrix XenServer 7.6: CTX239128 – https://support.citrix.com/article/CTX239128
Citrix XenServer 7.5: CTX239127 – https://support.citrix.com/article/CTX239127
Citrix XenServer 7.1 LTSR CU1: CTX239126 – https://support.citrix.com/article/CTX239126
Customers who are using the LivePatching feature of Citrix XenServer will not need to reboot servers to apply this hotfix if those servers were previously fully patched.
What Citrix Is Doing
Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at http://support.citrix.com/.
Obtaining Support on This Issue
If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at https://www.citrix.com/support/open-a-support-case.html.
Reporting Security Vulnerabilities
Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For guidance on how to report security-related issues to Citrix, please see the following document: CTX081743 – Reporting Security Issues to Citrix
Changelog
Date | Change |
26th October 2018 | Initial Issue |
1st November 2018 | Update with assigned CVE number |