Google Project Zero, a team of security analysts at Google charged with identifying new vulnerabilities, reported a new class of security vulnerability in computer processors that have certain advanced optimization capabilities. This is an industry-wide issue with the processor hardware architecture, not a problem inherent in operating systems, hypervisors, or applications, and has been referred to as the Meltdown and Spectre attacks
CPU manufacturers are providing microcode updates to hardware manufacturers to help mitigate the issue. These microcode updates, however, are just one step in mitigating the vulnerability. Hypervisors, operating systems, and applications, will also need to be updated to complete the mitigation.
The mitigation updates will potentially impact the performance of processors. The actual performance change will be heavily dependent on workload, mitigations enabled and specific CPU type. Once updates are applied, it is advised that IT teams monitor system performance and prepare to bring additional processing capacity. Citrix will assess and address the need for additional processing power for our cloud customers.
What To Do
Best practices for mitigating threats of this nature include segregation of end user environments from privileged user environments and critical business application infrastructure. This can be done with virtualization and network segmentation.
We recommend that all XenApp and XenDesktop customers immediately update their microcode/BIOS, hypervisors and operating systems. Look to your manufacturer for additional details and patch release dates.
Should you require additional details or guidance, please contact the Citrix Security Response Team at secure@citrix.com.
The Citrix Security bulletin discussing impacted Citrix products and mitigations is available here: https://support.citrix.com/article/CTX231399. And you may register for notifications of security bulletins and updates at https://support.citrix.com/user/alerts.
Additional blog posts from affected vendors can be found at the following links:
