Lucene search

K
citrixCitrixCTX337526
HistoryFeb 07, 2022 - 2:36 p.m.

Security Advisory for Citrix Hypervisor

2022-02-0714:36:10
support.citrix.com
20
citrix hypervisor
vulnerabilities
cve-2022-23034
cve-2022-23035
intel cpu
hotfixes
amd cpus

CVSS2

4.7

Attack Vector

LOCAL

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:L/AC:M/Au:N/C:N/I:N/A:C

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

EPSS

0.002

Percentile

52.8%

Several security issues have been identified that affect Citrix Hypervisor:
An issue has been identified that may allow privileged code in a PV guest VM to cause the host to crash. This issue has the following identifier:

  • CVE-2022-23034
    Note that PV guests are supported in Citrix XenServer 7.1 LTSR but are not supported in Citrix Hypervisor 8.2 LTSR. Customers who have not deployed PV guests are not affected by CVE-2022-23034.

An issue has been identified that may allow privileged code in a guest VM to cause the host to crash. This issue only affects systems where the malicious guest VM has had a physical PCI device assigned through to it by the host administrator using the PCI passthrough feature. This issue has the following identifier:

  • CVE-2022-23035
    Customers who have not assigned a physical PCI device to a guest VM are not affected by CVE-2022-23035.

Intel has disclosed an issue that affects Intel CPU hardware together with corresponding microcode updates. Although this is not an issue in the Citrix Hypervisor product itself, Citrix is releasing hotfixes that include the updated microcode together with the product changes needed to support the new microcode. This issue has the following identifier:

  • CVE-2021-0145
    Customers who are running on systems with only AMD CPUs are not affected by the Intel CPU issue.

CVSS2

4.7

Attack Vector

LOCAL

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:L/AC:M/Au:N/C:N/I:N/A:C

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

EPSS

0.002

Percentile

52.8%