
XS7.6 Spectre Meltdown


Justin Grenier

Question

I am having trouble finding information for patching 7.6 against these vulnerabilities. I can find it for 7.0 to 7.4 and XS 8.

Does anyone know if 7.6 is vulnerable or not and if there are any patches for it?

I tried running a script recommended by Intel and AMD and the script shows that 7.6 is vulnerable.

I am not sure if Citrix is using their own custom solution for this on 7.6.

Is anyone able to provide clarification on this?


3 answers to this question


The original Spectre and Meltdown issues were addressed in https://support.citrix.com/article/CTX231390/citrix-xenserver-multiple-security-updates so those specific issues should have been included in 7.6 which I believe was released several months later.  However, since then, other variants of speculative attacks have appeared; as 7.6 went end-of-life over 3 years ago, it is unlikely to be secure against all the newer variants and may also have other security issues that are fixed in supported releases.


Hi Justin, apologies for the delayed response, I was away last week.  As I indicated above, I think that 7.6 was released some time after the publication of CTX231390 (and also after 7.3 went end-of-life).  I would therefore expect that the changes made as hotfixes to 7.3 were already included in 7.6 at the point that 7.6 was released i.e. there would be no 7.6 patches available or necessary to apply for this issue.  In general, if an issue is already fixed in an earlier release, the fix is incorporated into the mainline codebase from which subsequent releases will be formed.  (Where an issue is found and multiple affected versions are in support then patches are typically released for all supported, affected versions but if 7.3 and 7.6 weren't in support at the same time this wouldn't apply.)

Having said that, I'd reiterate my observations above that there may be other variants of speculative attacks and other vulnerabilities that affect a version that is 3 years past end-of-life, so updating to a supported version would be good!
