Citrix Hypervisor Security Update


## Description of Problem

A security issue has been identified in certain CPU hardware that may allow unprivileged code running on a CPU core to infer the value of memory data belonging to other processes, virtual machines or the hypervisor that are, or have recently been, running on the same CPU core. This issue has the following identifier:

- CVE-2019-11135: TSX Asynchronous Abort

A further security issue has been identified in certain CPU hardware that may allow privileged code running in an HVM guest VM to cause the host to crash. This issue has the following identifier:

- CVE-2018-12207: Machine Check Error on Page Size Change

Although these are not vulnerabilities in the Citrix Hypervisor (formerly Citrix XenServer) product, this bulletin and the associated hotfixes provide assistance in mitigating these CPU issues. These hotfixes include updated CPU microcode that addresses these and other CPU issues and may, depending on workload, have a noticeable performance impact.

In addition to these CPU issues, Citrix is aware of certain issues involving Intel 700 Series network interface cards (NICs) that may require vendor firmware updates. Although these are not vulnerabilities in Citrix Hypervisor, Citrix is providing updated drivers for both the Long-Term Support Release (LTSR) and the latest Current Release (CR) to support the new firmware.

These issues affect all currently supported versions of Citrix Hypervisor up to and including Citrix Hypervisor 8.0.

* * *

## Mitigating Factors

Customers running only AMD CPUs and with no Intel 700 Series NICs are unaffected by these issues.
CVE-2019-11135 only affects certain Intel CPUs; Citrix expects that details of which models are affected by these issues will be available at <https://blogs.intel.com/technology/2019/11/ipas-november-2019-intel-platform-update-ipu>

* * *

## What Customers Should Do

Citrix recommends that customers take four actions to mitigate these issues: i) apply firmware updates; ii) apply hotfixes; iii) apply driver updates; and iv) consider enabling/disabling CVE-2018-12207 protection.

Note that these steps need not be performed in this order. Customers wishing to minimise reboot cycles may wish to consider enabling CVE-2018-12207 protection and applying the hotfix and driver updates first, then updating firmware during the reboot cycle required by the hotfix/driver updates. Customers should also be alert to potential workload-dependent performance impacts from updated microcode.

_Applying firmware_

Citrix recommends that customers follow the guidance of their hardware vendor with respect to obtaining and applying updated firmware for their hardware, both for the base system firmware ("BIOS") and for any Intel 700 Series NICs.

_Applying hotfixes_

Hotfixes have been released to mitigate these issues. Citrix recommends that affected customers install these hotfixes as their patching schedules allow. The hotfixes can be downloaded from the following locations:

- Citrix Hypervisor 8.0: CTX263663 – <https://support.citrix.com/article/CTX263663>
- Citrix XenServer 7.6: CTX263662 – <https://support.citrix.com/article/CTX263662>
- Citrix XenServer 7.1 LTSR CU2: CTX263661 – <https://support.citrix.com/article/CTX263661>
- Citrix XenServer 7.0: CTX263660 – <https://support.citrix.com/article/CTX263660>

_Applying driver updates_

Citrix has released i40e driver update disks for Intel 700 Series NICs for the LTSR and the latest CR release.
These may be found at:

- Citrix Hypervisor 8.0: CTX263699 – <https://support.citrix.com/article/CTX263699>
- Citrix XenServer 7.1 LTSR CU2: CTX263698 – <https://support.citrix.com/article/CTX263698>

_Enabling/disabling CVE-2018-12207 protection_

This issue may allow privileged code running in an HVM guest VM to crash the host. Mitigating this hardware issue in software has a further performance impact; the size of this further impact is heavily workload dependent but is expected to be noticeable. Citrix therefore recommends that customers carefully consider the relative impacts of not mitigating this issue against the performance impact, and enable or disable the CVE-2018-12207 mitigations by following the instructions in CTX263718 – <https://support.citrix.com/article/CTX263718>

Note that CVE-2018-12207 will not be mitigated unless this protection has been explicitly enabled.

* * *

## What Citrix Is Doing

Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at <http://support.citrix.com/>.

* * *

## Obtaining Support on This Issue

If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at <https://www.citrix.com/support/open-a-support-case.html>.

* * *

## Reporting Security Vulnerabilities

Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For guidance on how to report security-related issues to Citrix, please see the following document: CTX081743 – [Reporting Security Issues to Citrix](http://support.citrix.com/article/CTX081743)

* * *

## Changelog

| Date | Change |
|---|---|
| 12th November 2019 | Initial Publication |

* * *
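The mitigating factors and the four recommended actions above can be turned into a first-pass host triage check. The script below is an added example, not code from the Citrix bulletin; it assumes the text of /proc/cpuinfo and of `lspci -k` from the host (constructed samples here), uses the TSX flags (rtm/hle) as the indicator of CVE-2019-11135 exposure, and treats a device bound to the i40e driver as an Intel 700 Series NIC.

```shell
# Added triage helper (not from the Citrix bulletin): given /proc/cpuinfo and
# "lspci -k" text from a host, passed as strings so it runs offline, report
# which bulletin items apply.
# cpu_vendor CPUINFO -> intel | amd | other
cpu_vendor() {
    case "$1" in
        *GenuineIntel*) echo intel ;;
        *AuthenticAMD*) echo amd ;;
        *) echo other ;;
    esac
}

# has_tsx CPUINFO -> 0 if the flags line advertises TSX (rtm or hle); TSX
# Asynchronous Abort needs TSX, so without it CVE-2019-11135 is out of scope.
has_tsx() {
    flags=$(printf '%s\n' "$1" | sed -n 's/^flags[[:space:]]*:[[:space:]]*//p' | head -n 1)
    case " $flags " in
        *" rtm "*|*" hle "*) return 0 ;;
        *) return 1 ;;
    esac
}

# has_i40e LSPCI -> 0 if a device is bound to i40e (Intel 700 Series NIC).
has_i40e() { case "$1" in *"Kernel driver in use: i40e"*) return 0 ;; *) return 1 ;; esac; }

# triage CPUINFO LSPCI -> one action per line, or "unaffected"
triage() {
    n=0
    if [ "$(cpu_vendor "$1")" = intel ]; then
        echo "hotfix: install the microcode hotfix for this release"; n=$((n+1))
        has_tsx "$1" && { echo "CVE-2019-11135: TSX present, host in scope"; n=$((n+1)); }
        echo "CVE-2018-12207: decide whether to enable protection (CTX263718)"; n=$((n+1))
    fi
    if has_i40e "$2"; then
        echo "i40e: apply the driver update disk and NIC firmware"; n=$((n+1))
    fi
    [ "$n" -eq 0 ] && echo "unaffected"
    return 0
}

# Constructed sample inputs (not captured from a real host).
CPU_INTEL='vendor_id : GenuineIntel
flags     : fpu vme sse2 hle rtm'
CPU_AMD='vendor_id : AuthenticAMD
flags     : fpu vme sse2'
PCI_I40E='03:00.0 Ethernet controller: Intel Corporation Ethernet Controller X710
        Kernel driver in use: i40e'
PCI_NONE='00:1f.0 ISA bridge: Intel Corporation C620 Series Chipset LPC Controller'
triage "$CPU_INTEL" "$PCI_I40E"
```

On a real host run it as `triage "$(cat /proc/cpuinfo)" "$(lspci -k)"`; the result only narrows which bulletin items to act on, it does not replace the vendor's list of affected CPU models.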

## Affected Software

| CPE Name | Name | Version |
|---|---|---|
| citrix | hypervisor | 8.0 |
| citrix | xenserver | 7.6 |
| citrix | xenserver | 7.1 |
| citrix | xenserver | 7.0 |