Contact Support
  • Open or view cases
  • Chat live
  • Site feedback
Sign in
Contact Support
  • Open or view cases
  • Chat live
  • Site feedback

Customers who viewed this article also viewed
banner icon

Identify Changes in NetScaler build files with

File Integrity Monitoring

Learn More Watch Video
CTX263477 {{tooltipText}}

Citrix Hypervisor Security Update

Security Bulletin | Severity: High | {{likeCount}} found this helpful | Created: {{articleFormattedCreatedDate}} | Modified: {{articleFormattedModifiedDate}}
download Why can't I download this file? Log in to Verify Download Permissions

Applicable Products

  • Citrix Hypervisor 8.0

Description of Problem

A number of vulnerabilities have been found in Citrix Hypervisor (formerly Citrix XenServer) that allow the host to be compromised by:

i. Privileged code in a guest VM that has been assigned a PCI passthrough device

ii. Privileged code in a PV guest VM

iii. Unprivileged code in a 32-bit PV guest VM

 

These vulnerabilities have the following identifiers:

• CVE-2019-18420

• CVE-2019-18421

• CVE-2019-18424

• CVE-2019-18425

These issues affect all currently supported versions of Citrix Hypervisor up to and including Citrix Hypervisor 8.0.

Mitigating Factors

Customers running only HVM workloads and not making use of PCI passthrough functionality are not affected by these issues.  Note that all Microsoft Windows VMs run as HVM VMs.

What Customers Should Do

Hotfixes have been released to address these issues. Citrix recommends that affected customers install these hotfixes as their patching schedules allow. The hotfixes can be downloaded from the following locations:

Citrix Hypervisor 8.0:

    CTX262555 -  https://support.citrix.com/article/CTX262555

    CTX258428 -  https://support.citrix.com/article/CTX258428

Citrix XenServer 7.6:

    CTX262554 - https://support.citrix.com/article/CTX262554

    CTX258425 - https://support.citrix.com/article/CTX258425

Citrix XenServer 7.1 LTSR CU2:

    CTX262553 - https://support.citrix.com/article/CTX262553

    CTX258424 - https://support.citrix.com/article/CTX258424

Citrix XenServer 7.0:

    CTX258417 - https://support.citrix.com/article/CTX258417

    CTX258423 - https://support.citrix.com/article/CTX258423

What Citrix Is Doing

Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at  http://support.citrix.com/.

Obtaining Support on This Issue

If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at  https://www.citrix.com/support/open-a-support-case.html

Reporting Security Vulnerabilities

Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For guidance on how to report security-related issues to Citrix, please see the following document: CTX081743 – Reporting Security Issues to Citrix

Changelog

Date  Change
31st October 2019 Initial publication
Page feedback
Name is required
Cancel Submit

Featured Products

Failed to load featured products content, Please try again .

{{ getHeading('digitalWorkspaces') }}

{{ getHeading('networking') }}

View support numbers
Share this page