Several security issues have been identified that affect Citrix Hypervisor:
An issue has been identified that may allow privileged code in a PV guest VM to cause the host to crash.  This issue has the following identifier:

• CVE-2022-23034

Note that PV guests are supported in Citrix XenServer 7.1 LTSR but are not supported in Citrix Hypervisor 8.2 LTSR.  Customers who have not deployed PV guests are not affected by CVE-2022-23034.

An issue has been identified that may allow privileged code in a guest VM to cause the host to crash.  This issue only affects systems where the malicious guest VM has had a physical PCI device assigned through to it by the host administrator using the PCI passthrough feature.  This issue has the following identifier:

• CVE-2022-23035

Customers who have not assigned a physical PCI device to a guest VM are not affected by CVE-2022-23035.

Intel has disclosed an issue that affects Intel CPU hardware together with corresponding microcode updates.  Although this is not an issue in the Citrix Hypervisor product itself, Citrix is releasing hotfixes that include the updated microcode together with the product changes needed to support the new microcode.  This issue has the following identifier:

• CVE-2021-0145

Customers who are running on systems with only AMD CPUs are not affected by the Intel CPU issue.

---

Instructions

Citrix has released hotfixes to address these issues. Citrix recommends that affected customers install these hotfixes as their patching schedule allows.  The hotfixes can be downloaded from the following locations:
Citrix Hypervisor 8.2 CU1 LTSR: CTX338451 – https://support.citrix.com/article/CTX338451
Citrix Hypervisor 8.2: CTX338452 – https://support.citrix.com/article/CTX338452
Citrix XenServer 7.1 CU2 LTSR: CTX338453 – https://support.citrix.com/article/CTX338453
 

Date	Change
2022-02-08	Initial Publication