We have just published Qubes Security Bulletin (QSB) 077: Multiple speculative security issues (XSA-398). The text of this QSB is reproduced below. This QSB and its accompanying signatures will always be available in the Qubes Security Pack (qubes-secpack).
View QSB-077 in the qubes-secpack:
In addition, you may wish to:
- Get the qubes-secpack: https://www.qubes-os.org/security/pack/
- View all past QSBs: https://www.qubes-os.org/security/qsb/
- View the XSA Tracker: https://www.qubes-os.org/security/xsa/
---===[ Qubes Security Bulletin 077 ]===--- 2022-03-09 Multiple speculative security issues (XSA-398) User action required --------------------- Users must install the following specific packages in order to address the issues discussed in this bulletin: For Qubes 4.0, in dom0: - Xen packages, version 4.8.5-38 For Qubes 4.1, in dom0: - Xen packages, version 4.14.4-2 These packages will migrate from the security-testing repository to the current (stable) repository over the next two weeks after being tested by the community.  Once available, the packages are to be installed via the Qubes Update tool or its command-line equivalents.  Dom0 must be restarted afterward in order for the updates to take effect. If you use Anti Evil Maid, you will need to reseal your secret passphrase to new PCR values, as PCR18+19 will change due to the new Xen binaries. Note: As of the publication date of this QSB, the Xen Project's patches for XSA-398 are incomplete. Specifically, they do not protect systems running on CET-capable Intel platforms (11th generation and later). This limitation affects Qubes 4.1 but not Qubes 4.0. In light of this situation, we have decided to push both the complete 4.0 patches and the incomplete 4.1 patches to the security-testing repository immediately. The Xen Project expects to make complete patches available in the near future. We will push the complete 4.1 patches as soon as possible after they become available to us. Summary -------- On 2022-03-08, the Xen Project published XSA-398, "Multiple speculative security issues" : | 1) Researchers at VU Amsterdam have discovered Spectre-BHB, pertaining | to the use of Branch History between privilege levels. | | ARM have assigned CVE-2022-23960. Intel have assigned CVE-2022-0001 | (Branch History Injection) and CVE-2022-0002 (Intra-mode BTI). AMD | have no statement at the time of writing. | | For more details, see: | https://vusec.net/projects/bhi-spectre-bhb | https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability | https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00598.html | | 2) Researchers at Open Source Security, Inc. have discovered that AMD | CPUs may speculate beyond direct branches. | | AMD have assigned CVE-2021-26341. | | For more details, see: | https://grsecurity.net/amd_branch_mispredictor_part_2_where_no_cpu_has_gone_before | https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1026 | | 3) Researchers at Intel have discovered that previous Spectre-v2 | recommendations of using lfence/jmp is incomplete. | | AMD have assigned CVE-2021-26401. | | For more details, see: | https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1036 | Impact ------- The Xen Project's summary above enumerates three security issues. The first one, in practice, affects only newer Intel systems (11th generation and later). For other systems, previous mitigations are already sufficient. The second issue does not, in practice, affect any configuration supported by Qubes OS. The third issue affects only AMD systems. On affected systems, an attacker might be able to infer the contents of arbitrary host memory, including memory assigned to other guests. Credits -------- See the original Xen Security Advisory. References -----------  https://www.qubes-os.org/doc/testing/  https://www.qubes-os.org/doc/how-to-update/  https://xenbits.xen.org/xsa/advisory-398.html -- The Qubes Security Team https://www.qubes-os.org/security/
This is a companion discussion topic for the original entry at https://www.qubes-os.org/news/2022/03/10/qsb-077/