The purpose of this article is to provide a response to the security issues related to speculative execution in Intel processors described by CVE-2018-3646 (L1 Terminal Fault - VMM) and CVE-2018-3620 (L1 Terminal Fault - OS) as they apply to VMware SaaS offerings.

Responses have been broken into the following categories for potentially affected offerings. The scope of this document is limited to VMware SaaS offerings that run in a vSphere environment.

• Infrastructure security impact statement
• Recommended actions
• Operational impact statement

 
The Update History section of this article will be revised when there is a significant change to this document. Click Subscribe to Article in the Actions box to be alerted when new information is added to this document and sign up at our Security-Announce mailing list to receive new and updated VMware Security Advisories. In addition, operational events are announced for our various SaaS offerings on our VMware Cloud Services Status Page.

This article is dedicated to VMware SaaS offerings, for an overview of these vulnerabilities and links to on-prem product documentation please see KB55636.

Note: this document uses terminology defined in KB55806.

VMware Cloud on AWS (Including MSPs)

• VMware Cloud on AWS has completed the mitigation process for CVE-2018-3646.

• Based on current evaluations, CVE-2018-3620 does not affect the VMware Cloud on AWS infrastructure itself.

• No customer action required.

• 3rd party operating systems and VMware appliances deployed in an Organization’s SDDC may be affected by CVE-2018-3620. For information on VMware appliances please see KB55807. Customers are advised to contact their 3rd party operating system vendor to determine appropriate actions for mitigation of CVE-2018-3620.

• Customers should not experience any unscheduled operational impacts to their Organization’s SDDC. Please use the in-product support center to file an SR or chat support for any questions or concerns.

VMware Workspace One SaaS (formerly Airwatch Saas)

• Based on current evaluations, VMware Workspace One SaaS infrastructure is not impacted by CVE-2018-3646.

• Based on current evaluations, the VMware Workspace One SaaS infrastructure is not impacted by CVE-2018-3620.

• No customer action required.

• No customer action required.

• Customers should not experience any unscheduled operational impacts.

VMware Horizon Cloud

• VMware Horizon Cloud is affected by CVE-2018-3646 but due to environmental factors the severity of the issue is lowered to Moderate from Important. The VMware Horizon Cloud infrastructure is architected to segment customer environments from one another, therefore, inter-organizational leaks between virtual machines are not possible as different organizations do not share ESXi hosts. Updates to are being prioritized to resolve CVE-2018-3646.

• Based on current evaluations, the VMware Horizon Cloud infrastructure is not impacted by CVE-2018-3620.

• No customer action required.

• Virtual Desktops may be affected by CVE-2018-3620. Customers are advised to contact their 3rd party operating system vendor to determine appropriate actions for mitigation of CVE-2018-3620.

• After maintenance is performed by VMware, which should by itself have no operational impact to their Organization's SDDC, customers will no longer be able to publish images until they have upgraded VMware Tools in their images to version 10.2.5 or above. Customers will not experience any impact with use of already provisioned VMs and published images. VMware will notify customers once updates are complete so that you may perform upgrades of VMTools in your images.

Find out more about L1 Terminal Fault (L1TF) here