This hotfix provides mitigations for certain recently disclosed vulnerabilities in the speculative execution functionality of multiple vendors' CPUs: 

• CVE-2017-5753, also known as ‘Variant 1: bounds check bypass’
• CVE-2017-5715, also known as ‘Variant 2: branch target injection’
• CVE-2017-5754, also known as ‘Variant 3: rogue data cache load’ 

For Variant 1, Citrix is not currently aware of any exploit vectors in Citrix XenServer.

For Variant 2, an attacker running code in a guest VM may be able to read in-memory data from other VMs on the same host. This is independent of the CPU vendor.

For Variant 3, an attacker running code in a 64 bit PV guest VM running on an Intel CPU may be able to read in-memory data from other VMs on the same host.

As these are issues in the underlying hardware, all versions of Citrix XenServer are affected. 

In addition to the mitigations for these CPU speculative execution issues, this hotfix also addresses a number of vulnerabilities that have been identified in Citrix XenServer:

• CVE-2017-TBD - x86 PV guests may gain access to internally used pages
• CVE-2017-TBD - broken x86 shadow mode refcount overflow check
• CVE-2017-TBD - improper x86 shadow mode refcount error handling
• CVE-2017-TBD - improper bug check in x86 log-dirty handling

Collectively, these four issues could allow a malicious guest administrator to crash the host.

The CPU speculative execution mitigations require system firmware/BIOS upgrades to be applied before becoming fully effective. Citrix strongly recommends that customers contact their hardware vendors for further information on these firmware upgrades.

As these issues are in optimisation features of the underlying physical CPU, mitigating them will necessarily cause a reduction of CPU performance. This performance impact will depend on a number of factors, including workload and CPU model. Customers are recommended to monitor their system loads after installing these hotfixes.

After applying the relevant firmware/BIOS upgrades and XenServer hotfixes, guest VMs will need to be fully shut down and started at least once after the application of relevant guest operating system updates. This will allow any corresponding security updates for the guest operating system to become fully effective.

Citrix has released hotfixes that contain mitigations for Variant 2. These hotfixes can be found on the Citrix website at the following locations:

Citrix XenServer 7.3: CTX230790 – https://support.citrix.com/article/ctx230790

Citrix XenServer 7.2: CTX230789 – https://support.citrix.com/article/ctx230789

Citrix XenServer 7.1 LTSR CU1: CTX230788 – https://support.citrix.com/article/ctx230788

Citrix XenServer 7.0: Citrix is actively working on a hotfix for this version. This document will be updated when a hotfix is available.

Note that these updates are not Livepatchable.

Customers using End of Maintenance versions of Citrix XenServer, i.e. Citrix XenServer version 6.0.2 Common Criteria, 6.2 SP1 and 6.5 SP1 are strongly recommended to upgrade to a more recent version. 

Citrix is actively working on additional mitigations for Variant 3, but strongly recommends that customers that have deployed untrusted PV guests on Intel CPUs consider transitioning to HVM-based guests.