CVE-2016-9603 - Citrix XenServer Security Update

2017-03-14T04:00:00
ID CTX221578
Type citrix
Reporter Citrix
Modified 2019-08-15T04:00:00

Description

<section class="article-content" data-swapid="ArticleContent"> <div class="content-block" data-swapid="ContentBlock"><div> <div> <!--googleoff: all--> <h2 id="DescriptionofProblem"> Description of Problem</h2> <!--googleon: all--> <div> <div> <div> <p>A security issue has been identified within Citrix XenServer. This issue could, if exploited, allow the administrator of an HVM guest VM to compromise the host.</p> <p>The following vulnerability has been addressed:</p> <ul> <li>CVE-2016-9603 (High): QEMU: Cirrus VGA Heap overflow via display refresh</li> </ul> </div> </div> </div> <!--googleoff: all--> <hr/> </div> <div> <!--googleoff: all--> <h2 id="MitigatingFactors"> Mitigating Factors</h2> <!--googleon: all--> <div> <div> <div> <p>Customers using only PV guest VMs are not affected by this vulnerability.</p> <p>Customers using only VMs that use the std-vga graphics emulation are not affected by this vulnerability.</p> </div> </div> </div> <!--googleoff: all--> <hr/> </div> <div> <!--googleoff: all--> <h2 id="WhatCustomersShouldDo"> What Customers Should Do</h2> <!--googleon: all--> <div> <div> <div> <p>Hotfixes have been released to address these issues. 
Citrix recommends that affected customers install these hotfixes, which can be downloaded from the following locations:</p> <p>Citrix XenServer 7.1: CTX221590 – <a href="https://support.citrix.com/article/CTX221590">https://support.citrix.com/article/CTX221590</a> </p> <p>Citrix XenServer 7.0: CTX221571 – <a href="https://support.citrix.com/article/CTX221571">https://support.citrix.com/article/CTX221571</a> </p> <p>Citrix XenServer 6.5 SP1: CTX221716 – <a href="https://support.citrix.com/article/CTX221716">https://support.citrix.com/article/CTX221716</a> </p> <p>Citrix XenServer 6.2 SP1: CTX221569 – <a href="https://support.citrix.com/article/CTX221569">https://support.citrix.com/article/CTX221569</a> </p> <p>Citrix XenServer 6.0.2 Common Criteria: CTX221568 – <a href="https://support.citrix.com/article/CTX221568">https://support.citrix.com/article/CTX221568</a></p> </div> </div> </div> <!--googleoff: all--> <hr/> </div> <div> <!--googleoff: all--> <h2 id="WhatCitrixIsDoing"> What Citrix Is Doing</h2> <!--googleon: all--> <div> <div> <div> <div> <div> <p>Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at <u> <a href="http://support.citrix.com/">http://support.citrix.com/</a></u>.</p> </div> </div> </div> </div> </div> <!--googleoff: all--> <hr/> </div> <div> <!--googleoff: all--> <h2 id="ObtainingSupportonThisIssue"> Obtaining Support on This Issue</h2> <!--googleon: all--> <div> <div> <div> <div> <div> <p>If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at <u> <a href="https://www.citrix.com/support/open-a-support-case.html">https://www.citrix.com/support/open-a-support-case.html</a></u>. 
</p> </div> </div> </div> </div> </div> <!--googleoff: all--> <hr/> </div> <div> <!--googleoff: all--> <h2 id="ReportingSecurityVulnerabilities"> Reporting Security Vulnerabilities</h2> <!--googleon: all--> <div> <div> <div> <div> <div> <p>Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For guidance on how to report security-related issues to Citrix, please see the following document: CTX081743 – <a href="http://support.citrix.com/article/CTX081743">Reporting Security Issues to Citrix</a></p> </div> </div> </div> </div> </div> <!--googleoff: all--> <hr/> </div> <div> <!--googleoff: all--> <h2 id="Changelog"> Changelog</h2> <!--googleon: all--> <div> <div> <div> <table border="1" cellpadding="1" cellspacing="0" width="100%"> <tbody> <tr> <td><b>Date </b></td> <td><b>Change</b></td> </tr> <tr> <td>14th March 2017</td> <td>Initial publishing</td> </tr> </tbody> </table> </div> </div> </div> <!--googleoff: all--> <hr/> </div> </div></div> </section>
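
Added example (not part of the Citrix advisory, and not Citrix code): a triage script that sorts guests by the two conditions under Mitigating Factors, PV versus HVM and std-vga versus Cirrus emulation, so that hosts still running exposed guests can be prioritised for the hotfix. It assumes the record layout printed by `xe vm-list params=...`, that an empty `HVM-boot-policy` marks a PV guest, and that an HVM guest with no `vga` key in `platform` uses Cirrus emulation; the sample records are constructed.

```shell
#!/bin/sh
# Added example: classify guests against the advisory's mitigating factors.
# Reads `xe vm-list params=name-label,HVM-boot-policy,platform` records on stdin.
classify_vms() {
    awk '
    function emit() {
        if (name != "") {
            if (policy == "")      verdict = "not-affected (PV guest)"
            else if (vga == "std") verdict = "not-affected (std-vga)"
            else                   verdict = "REVIEW (HVM, cirrus emulation)"
            printf "%s\t%s\n", name, verdict
        }
        name = ""; policy = ""; vga = ""
    }
    /^[ \t]*$/ { emit(); next }            # a blank line ends one VM record
    match($0, /\)[ ]*: ?/) {               # "key ( RW): value"
        key = $1
        val = substr($0, RSTART + RLENGTH)
        sub(/[ \t]+$/, "", val)
        if (key == "name-label")      name = val
        if (key == "HVM-boot-policy") policy = val   # assumption: empty means PV
        if (key == "platform") {
            n = split(val, kv, /; */)
            for (i = 1; i <= n; i++)       # assumption: no vga key means cirrus
                if (sub(/^vga: */, "", kv[i])) vga = kv[i]
        }
    }
    END { emit() }'
}

sample_xe_output() {   # constructed records, not captured from a real pool
    cat <<'EOF'
name-label ( RW)         : pv-linux
    HVM-boot-policy ( RW):
           platform (MRW): nx: true; acpi: 1

name-label ( RW)         : win-std
    HVM-boot-policy ( RW): BIOS order
           platform (MRW): timeoffset: 0; vga: std; videoram: 8

name-label ( RW)         : hvm-default
    HVM-boot-policy ( RW): BIOS order
           platform (MRW): nx: true; acpi: 1
EOF
}

if command -v xe >/dev/null 2>&1; then
    xe vm-list is-control-domain=false params=name-label,HVM-boot-policy,platform | classify_vms
else
    sample_xe_output | classify_vms
fi
```

A `REVIEW` line only identifies a guest that falls outside both mitigating factors; whether the host is still exposed depends on whether the hotfix for its XenServer version has been installed.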