AMD has disclosed an issue that affects AMD CPU hardware and may allow code inside a guest VM to infer the contents of RAM memory elsewhere on the host.  Although this is not an issue in the Citrix Hypervisor product itself, Citrix is releasing hotfixes that include product changes to mitigate this CPU hardware issue.

This issue has the following two CVE identifiers:

• CVE-2022-23825
• CVE-2022-29900

---

Mitigating Factors

This issue affects systems running Citrix Hypervisor when running on AMD Zen 1 or AMD Zen 2 CPUs; it does not affect Citrix Hypervisor when running on AMD Zen 3 CPUs or on Intel CPUs if those systems have all previous security updates applied.

---

Instructions

Citrix has released hotfixes to address this issue. Citrix recommends that affected customers install these hotfixes as their patching schedule allows.  The hotfixes can be downloaded from the following locations:

Citrix Hypervisor 8.2 CU1 LTSR: CTX461352 – https://support.citrix.com/article/CTX461352
Citrix XenServer 7.1 CU2 LTSR: CTX461353 – https://support.citrix.com/article/CTX461353

Note that remediating this hardware issue in software may impact performance on affected CPUs.
 

Date	Change
2022-07-12	Initial Publication
2022-07-13	Updated CVE ID
2022-07-13	Change title of article to reflect updated CVEs