Citrix has released new versions of its virtualization software Hypervisor and XenServer. With them, the manufacturer closes security gaps that attackers could use to gain unauthorized access to memory.
More precisely, the authors write in their report that code within a guest VM can infer the contents of RAM elsewhere on the host system. The cause is errors in AMD processors: systems with AMD CPUs based on the Zen 1 or Zen 2 processor architecture are affected. The Citrix developers explain in the security advisory that systems with AMD CPUs with Zen 3 or newer cores, and systems with Intel processors on which all previous patches have been installed, are not vulnerable.
The vulnerabilities have been assigned the CVE entries CVE-2022-23816 and CVE-2022-23825. However, these are not yet listed in the NIST database. Cisco points out that the vulnerabilities are not caused by its own software, but that the company is nevertheless releasing patches that mitigate the CPU problems.
The bugs are fixed in Citrix Hypervisor 8.2 CU1 LTSR and Citrix XenServer 7.1 CU2 LTSR. The developers explain that the implemented workarounds can lead to performance losses on affected processors. Although Citrix classifies the risk as high, it only recommends that IT managers install the updates as their maintenance plan permits.
On Tuesday of this week, AMD and Intel published information on a comparable security hole called Retbleed, which allows unauthorized reading of memory. However, other processors and architectures are affected.