Citrix has announced the release of crucial security updates for XenServer and Citrix Hypervisor to address several vulnerabilities that could potentially allow cyber threat actors to gain control over affected systems. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has urged users and administrators to promptly review and apply these necessary updates.
Vulnerabilities Addressed:
- CVE-2023-46842: Affects all deployments; could allow privileged code in a guest VM to crash the host.
- CVE-2024-2201: Affects only Intel CPU deployments; may allow unprivileged code in a guest VM to infer memory contents of its own or other VMs on the same host.
- CVE-2024-31142: Affects only AMD CPU deployments; similar potential for memory inference as CVE-2024-2201.
Update and Mitigation Guidance:
- XenServer 8 Users: Updates are available through the Early Access and Normal update channels. Instructions for updating can be found at the XenServer documentation site.
- Citrix Hypervisor 8.2 CU1 LTSR Users: A hotfix addressing these issues is available. Citrix advises installing this hotfix as the update schedule permits. The hotfix is downloadable at CTX588044 – Citrix Support Article.
Additional Resources and Support:
- Citrix is actively notifying customers and partners through its security bulletin on the Citrix Knowledge Center.
- Customers requiring assistance can contact Citrix Technical Support.
- To stay updated on new security bulletins or modifications, subscribe at Citrix Alert Subscriptions.
Vulnerability Reporting:
- Citrix encourages the reporting of security vulnerabilities. Details on its vulnerability response process and how to report security issues can be found at the Citrix Trust Center.