We have just published Qubes Security Bulletin (QSB) 077: Multiple speculative security issues (XSA-398). The text of this QSB is reproduced below. This QSB and its accompanying signatures will always be available in the Qubes Security Pack (qubes-secpack).

View QSB-077 in the qubes-secpack:


In addition, you may wish to:

             ---===[ Qubes Security Bulletin 077 ]===---


             Multiple speculative security issues (XSA-398)

User action required

Users must install the following specific packages in order to address
the issues discussed in this bulletin:

  For Qubes 4.0, in dom0:
  - Xen packages, version 4.8.5-38

  For Qubes 4.1, in dom0:
  - Xen packages, version 4.14.4-2

These packages will migrate from the security-testing repository to the
current (stable) repository over the next two weeks after being tested
by the community. [1] Once available, the packages are to be installed
via the Qubes Update tool or its command-line equivalents. [2]

Dom0 must be restarted afterward in order for the updates to take

If you use Anti Evil Maid, you will need to reseal your secret
passphrase to new PCR values, as PCR18+19 will change due to the new
Xen binaries.

Note: As of the publication date of this QSB, the Xen Project's patches
for XSA-398 are incomplete. Specifically, they do not protect systems
running on CET-capable Intel platforms (11th generation and later). This
limitation affects Qubes 4.1 but not Qubes 4.0. In light of this
situation, we have decided to push both the complete 4.0 patches and the
incomplete 4.1 patches to the security-testing repository immediately.
The Xen Project expects to make complete patches available in the near
future. We will push the complete 4.1 patches as soon as possible after
they become available to us.


On 2022-03-08, the Xen Project published XSA-398, "Multiple
speculative security issues" [3]:

| 1) Researchers at VU Amsterdam have discovered Spectre-BHB, pertaining
|    to the use of Branch History between privilege levels.
|    ARM have assigned CVE-2022-23960.  Intel have assigned CVE-2022-0001
|    (Branch History Injection) and CVE-2022-0002 (Intra-mode BTI).  AMD
|    have no statement at the time of writing.
|    For more details, see:
|      https://vusec.net/projects/bhi-spectre-bhb
|      https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability
|      https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00598.html
| 2) Researchers at Open Source Security, Inc. have discovered that AMD
|    CPUs may speculate beyond direct branches.
|    AMD have assigned CVE-2021-26341.
|    For more details, see:
|      https://grsecurity.net/amd_branch_mispredictor_part_2_where_no_cpu_has_gone_before
|      https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1026
| 3) Researchers at Intel have discovered that previous Spectre-v2
|    recommendations of using lfence/jmp is incomplete.
|    AMD have assigned CVE-2021-26401.
|    For more details, see:
|      https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1036


The Xen Project's summary above enumerates three security issues. The
first one, in practice, affects only newer Intel systems (11th
generation and later). For other systems, previous mitigations
are already sufficient. The second issue does not, in practice, affect
any configuration supported by Qubes OS. The third issue affects only
AMD systems.
On affected systems, an attacker might be able to infer the contents
of arbitrary host memory, including memory assigned to other guests.


See the original Xen Security Advisory.


[1] https://www.qubes-os.org/doc/testing/
[2] https://www.qubes-os.org/doc/how-to-update/
[3] https://xenbits.xen.org/xsa/advisory-398.html

The Qubes Security Team