Lucene search

K
citrixCitrixCTX225941
HistoryAug 15, 2017 - 4:00 a.m.

Citrix XenServer Multiple Security Updates

2017-08-1504:00:00
support.citrix.com
40

0.001 Low

EPSS

Percentile

26.7%

<section>
<div><div>
<div>

<h2> Description of Problem</h2>

<div>
<div>
<div>
<p>A number of security vulnerabilities have been identified in Citrix XenServer that may allow a malicious administrator of a guest VM to compromise the host.</p>
<p>These vulnerabilities affect all currently supported versions of Citrix XenServer up to and including Citrix XenServer 7.2.</p>
<p>The following vulnerabilities have been addressed:</p>
<ul>
<li>CVE-2017-12134: (High) linux: Fix Xen block IO merge-ability calculation</li>
<li>CVE-2017-12135: (Medium) multiple problems with transitive grants</li>
<li>CVE-2017-12136: (High) grant_table: Race conditions with maptrack free list handling</li>
<li>CVE-2017-12137: (High) x86: PV privilege escalation via map_grant_ref</li>
<li>CVE-2017-12855: (Low) grant_table: possibly premature clearing of GTF_writing / GTF_reading</li>
</ul>
</div>
</div>
</div>

<hr />
</div>
<div>

<h2> Mitigating Factors</h2>

<div>
<div>
<div>
<p>For Citrix XenServer installations using both version 6.2 SP1 or earlier and also HVM guests only, the risk of a host compromise is replaced by a risk of a host crash.</p>
</div>
</div>
</div>

<hr />
</div>
<div>

<h2> What Customers Should Do</h2>

<div>
<div>
<div>
<p>Hotfixes have been released to address these issues. Citrix strongly recommends that affected customers install these hotfixes, which can be downloaded from the following locations:</p>
<p>Citrix XenServer 7.2: CTX226375– <a href=“https://support.citrix.com/article/CTX226375”>https://support.citrix.com/article/CTX226375</a> and CTX226378 – <a href=“https://support.citrix.com/article/CTX226378”>https://support.citrix.com/article/CTX226378</a><br /> <br /> Citrix XenServer 7.1: CTX226298 – <a href=“https://support.citrix.com/article/CTX226298”>https://support.citrix.com/article/CTX226298</a> and CTX226299 – <a href=“https://support.citrix.com/article/CTX226299”>https://support.citrix.com/article/CTX226299</a><br /> <br /> Citrix XenServer 7.0: CTX226374 – <a href=“https://support.citrix.com/article/CTX226374”>https://support.citrix.com/article/CTX226374</a> and CTX226377 – <a href=“https://support.citrix.com/article/CTX226377”>https://support.citrix.com/article/CTX226377</a><br /> <br /> Citrix XenServer 6.5 SP1: CTX226373 – <a href=“https://support.citrix.com/article/CTX226373”>https://support.citrix.com/article/CTX226373</a> and CTX226376 – <a href=“https://support.citrix.com/article/CTX226376”>https://support.citrix.com/article/CTX226376</a><br /> <br /> Citrix XenServer 6.2 SP1: CTX226372 – <a href=“https://support.citrix.com/article/CTX226372”>https://support.citrix.com/article/CTX226372</a><br /> <br /> Citrix XenServer 6.0.2 Common Criteria: CTX226371 – <a href=“https://support.citrix.com/article/CTX226371”>https://support.citrix.com/article/CTX226371</a></p>
<p>Customers who are using the Live Patching feature of Citrix XenServer 7.2 may apply the relevant hotfix without requiring a reboot.<br /> </p>
</div>
</div>
</div>

<hr />
</div>
<div>

<h2> What Citrix Is Doing</h2>

<div>
<div>
<div>
<div>
<div>
<p>Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at <u> <a href=“http://support.citrix.com/”>http://support.citrix.com/</a></u>.</p>
</div>
</div>
</div>
</div>
</div>

<hr />
</div>
<div>

<h2> Obtaining Support on This Issue</h2>

<div>
<div>
<div>
<div>
<div>
<p>If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at <u> <a href=“https://www.citrix.com/support/open-a-support-case.html”>https://www.citrix.com/support/open-a-support-case.html</a></u>. </p>
</div>
</div>
</div>
</div>
</div>

<hr />
</div>
<div>

<h2> Reporting Security Vulnerabilities</h2>

<div>
<div>
<div>
<div>
<div>
<p>Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For guidance on how to report security-related issues to Citrix, please see the following document: CTX081743 – <a href=“http://support.citrix.com/article/CTX081743”>Reporting Security Issues to Citrix</a></p>
</div>
</div>
</div>
</div>
</div>

<hr />
</div>
<div>

<h2> Changelog</h2>

<div>
<div>
<div>
<table border=“1” width=“100%”>
<tbody>
<tr>
<td>Date </td>
<td>Change</td>
</tr>
<tr>
<td>15th August, 2017</td>
<td>Initial publishing</td>
</tr>
<tr>
<td>16th August, 2017</td>
<td>CVE number assigned</td>
</tr>
</tbody>
</table>
</div>
</div>
</div>

<hr />
</div>
</div></div>
</section>

CPENameOperatorVersion
citrix xenservereq7.2