Closed sammcj closed 5 years ago
Note that CentOS 7 VMs, running in HVM mode with the latest stable kernel (4.20.0-1.el7.elrepo.x86_64), are far better off than the dom0:
SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:KO
aka, just CVE-2018-3646
Hi,
FYI, I already asked some Citrix dev about it: this script doesn't check the specific stuff needed to be checked for the dom0, which contains specific patches (remember: dom0 kernel is NOT an upstream kernel, it contains around 300 patches from Citrix). Closing the issue (but not the discussion). We can consider this as a "false alarm".
Very interesting @olivierlambert and thanks for that information. 👍
I'm a little surprised, as looking at the code for spectre-meltdown-checker I can see it's testing actual kernel build options, flags and capabilities, not simply things like the kernel version / number / build date / RHEL (or CentOS) patches etc.
What I might need to do when I get time is prove that one of these CVEs is exploitable and - hopefully as Citrix says - it's not :)
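As an added example (not code from this thread or from spectre-meltdown-checker), the snippet below reads the kernel's own report under /sys/devices/system/cpu/vulnerabilities/ and maps it onto the CVE list the checker prints, so the two views can be compared side by side. The file names and CVE mapping are the upstream Linux ones; the sample lines are constructed, and the sysfs directory only exists on 4.15+ kernels or vendor backports.

```python
from pathlib import Path
# sysfs files under /sys/devices/system/cpu/vulnerabilities/ (kernel >= 4.15 or
# a vendor backport) and the CVEs each one covers. CVE-2018-3640 is a pure
# microcode fix with no sysfs file, so this method can say nothing about it.
SYSFS_TO_CVES = {
    "spectre_v1": ["CVE-2017-5753"],
    "spectre_v2": ["CVE-2017-5715"],
    "meltdown": ["CVE-2017-5754"],
    "spec_store_bypass": ["CVE-2018-3639"],
    "l1tf": ["CVE-2018-3615", "CVE-2018-3620", "CVE-2018-3646"],
}

def classify(fname, text):
    """Map one sysfs line to {cve: OK|KO|UNKNOWN} for the CVEs it covers."""
    t = text.strip()
    status = ("OK" if t == "Not affected" or t.startswith("Mitigation:")
              else "KO" if t.startswith("Vulnerable") else "UNKNOWN")
    out = {cve: status for cve in SYSFS_TO_CVES[fname]}
    # L1TF against guests (CVE-2018-3646) stays open while the l1tf line still
    # says "SMT vulnerable", even with PTE inversion and cache flushes enabled.
    if fname == "l1tf" and status == "OK" and "SMT vulnerable" in t:
        out["CVE-2018-3646"] = "KO"
    return out

def summarize(files):
    """files: {sysfs filename: content}. A missing file yields UNKNOWN, never
    OK: a kernel that prints no report is not evidence of mitigation."""
    result = {}
    for fname, cves in SYSFS_TO_CVES.items():
        result.update(classify(fname, files[fname]) if fname in files
                      else {cve: "UNKNOWN" for cve in cves})
    return result

def read_sysfs(vuln_dir="/sys/devices/system/cpu/vulnerabilities"):
    """Live kernel report as {filename: content}; empty if the kernel has none."""
    d = Path(vuln_dir)
    return {p.name: p.read_text() for p in d.iterdir()} if d.is_dir() else {}

# Constructed sample (not from the thread's hosts): all mitigated, SMT still open.
SAMPLE = {
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Mitigation: Full generic retpoline, IBPB, IBRS_FW\n",
    "meltdown": "Mitigation: PTI\n",
    "spec_store_bypass": "Mitigation: Speculative Store Bypass disabled via prctl\n",
    "l1tf": "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable\n",
}

if __name__ == "__main__":
    for src in (SAMPLE, read_sysfs()):
        print("SUMMARY:", " ".join(f"{c}:{s}" for c, s in summarize(src).items()))
```

On a Xen dom0 the kernel only reports the state of the virtual CPU Xen exposes to it, so Xen's own boot log (`xl dmesg`) remains the authoritative view of hypervisor-level mitigations.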
I asked that months ago so I don't remember the technical answer, but it was convincing enough so I decided to not continue on this side.
Now, your next step will be to discover that current XS/XCP-ng uses CentOS 7.2 packages, i.e. very outdated and containing CVEs fixed in upstream CentOS since. And then you'll write an email to secure at citrix dot com about it, and they'll explain to you that it's not really a problem, for no good reasons 😉 Finally, you'll spend days comparing CentOS upstream packages and those in XS/XCP-ng, and start updating them. You'll enter a world of pain, even reporting/helping the XS project by reporting circular deps, but you'll make it.
I don’t have an appropriate emoji for this 😂😥😭
-- Sam McLeod
On 7 Jan 2019, at 16:30, Olivier Lambert notifications@github.com wrote:
Feel free to test our experimental "fully updated" Dom0 (not in production, of course). Being more upstream is one of our objectives. Citrix told us that we should wait for XS 8.0 to get more recent packages. That doesn't answer the CVEs, nor even the current LTS status, in terms of security. It seems there are no imminent threats, but as I said to them, it's a bit risky due to a lot of minor CVEs piling up (death by a thousand paper cuts).
Also, it seems (within the XS team) there is no proper workflow (even a manual one) to try to keep using the latest CentOS packages. We'll see on our side what to do with that. We hope to be closer to the latest CentOS.
It would be lovely to see a clean CentOS-based XCP platform; much easier said than done, I know, and certainly worth waiting for RHEL 8 to come out of beta.
-- Sam McLeod
On 7 Jan 2019, at 20:55, Olivier Lambert notifications@github.com wrote:
I noticed that XCP-ng 7.6 (dom0) with the latest updates installed is still very vulnerable to several serious CVEs:
tldr - bad things:
In fact, the only CVE fixed in XCP-ng 7.6 compared to XenServer 7.2 is CVE-2018-3640.
Tooling used: The very helpful spectre-meltdown-checker