Today (November 13th 2012) Citrix has released a critical update for all of its XenServer products.
A number of security vulnerabilities have been identified in Citrix XenServer. These vulnerabilities affect all currently supported versions of Citrix XenServer up to and including version 6.1.
The following denial of service vulnerabilities have been addressed:
- Timer overflow DoS vulnerability (CVE-2012-4535)
- pirq range check DoS vulnerability (CVE-2012-4536)
- Memory mapping failure DoS vulnerability (CVE-2012-4537)
- Unhooking empty PAE entries DoS vulnerability (CVE-2012-4538)
- Grant table hypercall infinite loop DoS vulnerability (CVE-2012-4539)
- XENMEM_add_to_physmap DoS vulnerability (CVE-2012-4557)
Citrix has released hotfix number 11 for XenServer 6.0.2.
This hotfix resolves the following issues:
- Attempts to read the metadata volume of an attached Storage Repository (SR) after the reboot of a multipath-enabled XenServer host, can cause an error and display the Error in Metadata volume Operation on SR error message.
- Storage may take several minutes to become available when using the Dell™ PowerVault™ MD32xxi Storage Arrays with LVMoiSCSI.
- XenServer may not discover all available LUNs when using wildcard IQN on storage arrays which do not support IQNs across multiple target portals. This occurs when using iSCSI storage arrays with multiple controllers, each managing their own LUNs.
- When booting a XenServer host, or re-attaching an iSCSI SR that contains a failed iSCSI path, the SR may fail to connect.
In addition, this hotfix also includes fixes released in CTX132823 – Hotfix XS602E001 – For XenServer 6.0.2, CTX133166 – Hotfix XS602E003 – For XenServer 6.0.2, CTX133812 – Hotfix XS602E005 – For XenServer 6.0.2 and CTX134479 – Hotfix XS602E007 – For XenServer 6.0.2. This means that you will not have to install these hotfixes before you can implement this hotfix. The only reason I see this being useful is in a clean install of XenServer 6.0.2. In an existing environment I dare to hope you have already implemented these hotfixes by now…
A number of security vulnerabilities have been identified in Citrix XenServer. These vulnerabilities affect all currently supported versions of Citrix XenServer up to and including version 6.0.2.
The following denial of service and guest-to-host privilege escalation vulnerabilities have been addressed:
• hypercall physdev_get_free_pirq vulnerability (CVE-2012-3495)
• PHYSDEVOP_map_pirq index vulnerability (CVE-2012-3498)
• Qemu VT100 emulation vulnerability (CVE-2012-3515)
• Grant table entry swaps have inadequate bounds checking (CVE-2012-3516)
• HVM guest user mode MMIO emulation DoS vulnerability (CVE-2012-3432)
• HVM guest destroy p2m teardown host DoS vulnerability (CVE-2012-3433)
• hypercall set_debugreg vulnerability (CVE-2012-3494)
• XENMEM_populate_physmap DoS vulnerability (CVE-2012-3496)
• PV guest console vulnerability (CVE-2012-4606)
IMPORTANT: Any issued driver disk and the Driver Development Kit (DDK) for XenServer 6.0.2 must be updated to be compatible with this hotfix. See CTX134481 for a list of the affected driver disks that must be updated.
Issues Resolved In This Hotfix
This hotfix resolves the following issues:
- Restarting XAPI in a pool consisting of a large number of VDIs can cause the pool slaves to enter maintenance mode indefinitely.
- Attaching an SR, containing a large number of VDIs to a pool slave, can fail.
- Copying multiple Virtual Disk Images (VDIs) concurrently across Storage Repositories (SRs) can cause a pool master to slow down and it may sometimes become unresponsive.
- An error message is triggered after a failed attempt to unplug a Virtual Block Device (VBD) connected to a mounted VDI. However, any subsequent attempts to unplug the VBD, will not trigger the expected error message, and instead a time out error message will be displayed after 1200 seconds (20 minutes).
- Creating a NIC bond can result in loss of network connectivity when VLANs are present when using the Linux bridge.
- Users can now specify the TimeStamp Counter (TSC) mode for a Virtual Machine (VM) by running the command xe vm-param-set uuid=<vm-uuid> platform:tsc_mode=<0,1,2,3>.
- Constant transmission of low data rate Ethernet traffic through the netback interface can saturate a dom0 CPU.
- When creating an SR or a VDI, predefined XML entities, such as “&” entered in the Name and Description fields, are written directly into the SR metadata. Any subsequent actions such as creating an SR or a VDI will fail with an error message, as the XML parser will fail to parse metadata which contains predefined entities.
- If there is a failure or a change in the number of paths to storage, attempts to create or destroy a VDI on an LVM-based SR may fail.
In addition, this hotfix also includes fixes released in CTX132823 – Hotfix XS602E001 – For XenServer 6.0.2, CTX133166 – Hotfix XS602E003 – For XenServer 6.0.2, and CTX133812 – Hotfix XS602E005 – For XenServer 6.0.2.
Installing the Hotfix
Customers should use either XenCenter or the XenServer Command Line Interface (CLI) to install this update. Once the update has installed, the server must be restarted for it to take effect. As with any software update, please back up your data before applying this hotfix. Citrix recommends updating all hosts within a pool sequentially. Upgrading of hosts should be scheduled to minimize the amount of time the pool runs in a “mixed state” where some hosts have been upgraded and some have not. Running a mixed pool of updated and non-updated hosts for general operation is not supported.
NOTE: The attachment to this article is a zip file. It contains both the hotfix update package, and the source code for any modified open source components. The source code is not necessary for hotfix installation: it is provided to fulfil licensing obligations.
Installing the update using XenCenter
- Download the update to a known location on a computer that has XenCenter installed.
- In XenCenter, on the Tools menu, select Install New Update. This displays the Install Update wizard.
- Click Next to start the Wizard.
- Click Add… to upload a new update.
- Browse to the location where you downloaded the hotfix, select it, and then click Open.
- From the list of updates select XS602E007.update and then click Next.
- Select the hosts you wish to apply the hotfix to, and then click Next.
- Follow the recommendations to resolve any upgrade prechecks.
- Click Install to start the installation.
Note: The XenCenter controlled upgrade process reboots each host sequentially, starting with the Pool Master. Where possible, VMs will be migrated to other running hosts to avoid VM downtime. When the Pool Master is being rebooted, XenCenter will be unable to monitor the pool.
Installing the update using the off-host CLI
- Download the update to a known location on a computer that has the XenServer CLI or XenCenter installed.
- Extract the xsupdate file from the zip.
- If using Windows, start a Command Prompt and navigate to the XenCenter directory, for example:
cd C:\Program files\Citrix\XenCenter
- Upload the xsupdate file to the Pool Master by entering the following command (where hostname is the Pool Master’s IP address or DNS name):
xe patch-upload -s <hostname> -u root -pw <password> file-name=<path-to-xsupdate-file>
XenServer assigns the update file a UUID which this command prints. Note the UUID.
- Apply the hotfix to all hosts in the pool, specifying the UUID of the hotfix:
xe patch-pool-apply uuid=<patch-uuid>
- Verify that the update was applied by using the patch-list command.
xe patch-list -s <hostname> -u root -pw <password>
If the update has been successful, the hosts field will contain the UUIDs of the hosts this patch was successfully applied to. This should be a complete list of all hosts in the pool.
- The hotfix is applied to all hosts in the pool, but it will not take effect until each host has been rebooted. For each host, migrate the VMs that you wish to keep running, and shutdown the remaining VMs before rebooting the host.
- To verify in XenCenter that the update has been applied correctly, select the Pool, and then click the General tab. This displays the Pool properties. In the Updates section, ensure that the update is listed as Fully applied.
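The patch-list verification step above can be scripted so that a partially patched ("mixed state") pool is flagged rather than eyeballed. This is an added example, not Citrix's or the original post's code; it assumes the pool host list and the patch's hosts field have been captured as text (for instance with xe host-list --minimal and xe patch-list params=hosts --minimal), and the UUIDs below are constructed sample values.

```shell
#!/bin/sh
# Added example: list pool hosts that are missing from a patch's "hosts" field.

UUID_RE='[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}'

# Print every UUID found in the argument, lower-cased, one per line, de-duplicated.
# Works whatever separator (comma, semicolon, whitespace) the xe output uses.
extract_uuids() {
    printf '%s\n' "$1" | grep -oE "$UUID_RE" | tr 'A-F' 'a-f' | sort -u
}

# missing_hosts <pool host list> <patch hosts field>
# Prints the UUIDs of pool hosts the patch has not been applied to.
missing_hosts() {
    pool=$(extract_uuids "$1")
    patched=$(extract_uuids "$2")
    for h in $pool; do
        printf '%s\n' "$patched" | grep -qxF "$h" || printf '%s\n' "$h"
    done
}

# Succeeds only when every pool host appears in the patch's hosts field.
patch_fully_applied() {
    [ -z "$(missing_hosts "$1" "$2")" ]
}

# Constructed sample data: a three-host pool where one host was skipped.
POOL_SAMPLE='11111111-aaaa-4bbb-8ccc-000000000001,11111111-aaaa-4bbb-8ccc-000000000002,11111111-aaaa-4bbb-8ccc-000000000003'
PATCH_SAMPLE='11111111-aaaa-4bbb-8ccc-000000000001, 11111111-aaaa-4bbb-8ccc-000000000003'

# On a live pool (assumed invocation, placeholders as in the steps above):
#   POOL=$(xe host-list --minimal -s <hostname> -u root -pw <password>)
#   PATCHED=$(xe patch-list uuid=<patch-uuid> params=hosts --minimal \
#             -s <hostname> -u root -pw <password>)
#   missing_hosts "$POOL" "$PATCHED"

if patch_fully_applied "$POOL_SAMPLE" "$PATCH_SAMPLE"; then
    echo "patch applied to every host in the pool"
else
    echo "hosts still missing the patch:"
    missing_hosts "$POOL_SAMPLE" "$PATCH_SAMPLE"
fi
```

A host that appears in the hosts field has the hotfix applied but, as the next step says, is not protected until it has been rebooted.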
In XenServer 6, the direct GUI ability to auto-start a Virtual Machine on the startup of XenServer was removed. This article describes how to set Virtual Machines to auto-start.
In XenServer 6, the auto-start functionality was removed because it interfered with High Availability (HA) and produced unexpected results during HA functions.