XenServer and Citrix Hypervisor Security Update for CVE-2024-5661

Security Bulletin | Severity: Medium | Created: 11 Jun 2024 | Modified: 11 Jun 2024 | Status: Final

Applicable Products

  • Citrix Hypervisor

Description of Problem

An issue has been identified in both XenServer 8 and Citrix Hypervisor 8.2 CU1 LTSR which may allow a malicious administrator of a guest VM to cause the host to become slow and/or unresponsive.
This issue has the following identifier:

  • CVE-2024-5661

CVE-2024-5661 affects all deployments.

Summary

CVE ID | Description | Pre-requisites | CWE | CVSS
CVE-2024-5661 | Potential Denial of Service | Privileged access within a guest VM | CWE-799 | 5.9

What Customers Should Do

For customers using XenServer 8, we have pushed an update to both the Early Access and Normal update channels. We recommend that customers update to the latest version from their chosen channel following the instructions at https://docs.xenserver.com/en-us/xenserver/8/update

For customers using Citrix Hypervisor 8.2 CU1 LTSR, we have released a hotfix to address this issue. We recommend that customers install this hotfix and follow the instructions in the linked article as their update schedule permits. The hotfix can be downloaded from the following location:

CTX677067 - https://support.citrix.com/article/CTX677067


What Citrix is Doing

Citrix is notifying customers and channel partners about this potential security issue through the publication of this security bulletin on the Citrix Knowledge Center at https://support.citrix.com/securitybulletins.


Obtaining Support on This Issue

If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at https://www.citrix.com/support/open-a-support-case.
