VMware Virtual Appliances and CVE-2017-5753, CVE-2017-5715 (Spectre), CVE-2017-5754 (Meltdown)
Article ID: 317812
Updated On:
Products
VMware vCenter Server
Issue/Introduction
Update: The Operating System-Specific Mitigations described in KB55807 are cumulative and will also mitigate the issues described in this article.
The VMware Security Engineering, Communications, and Response group (vSECR) is investigating the impact these vulnerabilities may have on VMware virtual appliances.
CPU data cache timing can be abused by software to efficiently leak information out of mis-speculated CPU execution, leading to (at worst) arbitrary virtual memory read vulnerabilities across local security boundaries in various contexts. Three variants have been recently discovered by Google Project Zero and other security researchers; these can affect many modern processors, including certain processors by Intel, AMD and ARM:
Variant 1: Bounds check bypass (CVE-2017-5753) also known as part of the Spectre Attacks.
Variant 2: Branch target injection (CVE-2017-5715) also known as part of the Spectre Attacks.
Variant 3: Rogue data cache load (CVE-2017-5754) also known as the Meltdown Attack.
Operating systems (OS), virtual machines, virtual appliances, hypervisors, server firmware, and CPU microcode must all be patched or upgraded for effective mitigation of these known variants.
This document will focus on Operating System-Specific Mitigations as they pertain to VMware Virtual Appliances.
Please review KB52245: VMware Response to Speculative Execution security issues, CVE-2017-5753, CVE-2017-5715, CVE-2017-5754 (aka Spectre and Meltdown) for a holistic view on VMware’s response to these issues.
The VMware Security Engineering, Communications, and Response group (vSECR) is investigating the impact these vulnerabilities may have on VMware virtual appliances.
CPU data cache timing can be abused by software to efficiently leak information out of mis-speculated CPU execution, leading to (at worst) arbitrary virtual memory read vulnerabilities across local security boundaries in various contexts. Three variants have been recently discovered by Google Project Zero and other security researchers; these can affect many modern processors, including certain processors by Intel, AMD and ARM:
Variant 1: Bounds check bypass (CVE-2017-5753) also known as part of the Spectre Attacks.
Variant 2: Branch target injection (CVE-2017-5715) also known as part of the Spectre Attacks.
Variant 3: Rogue data cache load (CVE-2017-5754) also known as the Meltdown Attack.
Operating systems (OS), virtual machines, virtual appliances, hypervisors, server firmware, and CPU microcode must all be patched or upgraded for effective mitigation of these known variants.
This document will focus on Operating System-Specific Mitigations as they pertain to VMware Virtual Appliances.
Please review KB52245: VMware Response to Speculative Execution security issues, CVE-2017-5753, CVE-2017-5715, CVE-2017-5754 (aka Spectre and Meltdown) for a holistic view on VMware’s response to these issues.
Resolution
Important:
- This section will be updated with additional virtual appliances as investigations continue.
- When Operating System-Specific Mitigations are made available for vCenter Server Appliance itself these will be in addition to the Hypervisor-Assisted Guest Mitigation which were added in the vCenter Sever versions described in VMSA-2018-0004.
- Operating System-Specific Mitigations will include both Virtual Machine Hardware updates and guest OS fixes. Manually updating Virtual Machine Hardware in VMware Virtual Appliances is not supported.
Affected Virtual Appliances:
vSECR has evaluated the following appliances and determined that they may be affected by CVE-2017-5753, CVE-2017-5715, or CVE-2017-5754.
Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories and click ‘subscribe to article’ on the right side of this page to be alerted when new information is added to this document. If a specific version number is not listed, then that entry refers to all supported versions of the appliance.
Mitigations and workarounds for the following affected virtual appliances are now documented in VMSA-2018-0007.
- VMware vCloud Usage Meter
- VMware Identity Manager
- VMware vCenter Server 6.5
- VMware vCenter Server 6.0
- VMware vSphere Data Protection
- VMware vSphere Integrated Containers
- VMware vRealize Automation
vSECR has completed evaluation of the following appliances and determined that under supported configurations they are not affected because there is no available path to execute arbitrary code without administrative privileges. This assumes that the underlying hypervisor(s) have been patched according to VMSA-2018-0002 to mitigate CVE-2017-5753, and CVE-2017-5715. If a specific version number is not listed, then the entry refers to all supported versions of the appliance.
- VMware AppDefense Appliance
- VMware Horizon DaaS Platform
- VMware Horizon Mirage
- VMware HCX
- VMware Integrated OpenStack
- VMware IoT Pulse
- VMware Mirage
- VMware NSX for vSphere
- VMware NSX-T
- VMware Skyline Appliance
- VMware Unified Access Gateway
- VMware vCenter Server 5.5
- VMware vCloud Availability for vCloud Director
- VMware vCloud Director Extender
- VMware vRealize Business for Cloud
- VMware vRealize Log Insight
- VMware vRealize Network Insight
- VMware vRealize Operations
- VMware vRealize Orchestrator
- VMware vSphere Replication
- VMware Workbench
Note: Automated vulnerability scanners may report that these appliances are vulnerable to CVE-2017-5753, CVE-2017-5715, or CVE-2017-5754 even though the issue is not exploitable. These products will still be updating their respective kernels in scheduled maintenance releases as a precautionary measure.
Changelog:
01/18/18: Added VMware AppDefense, VMware vCloud Extender, VMware Horizon Mirage, VMware vRealize Business for Cloud, VMware Workbench, VMware HCX, VMware IoT Pulse, and VMware vSphere Data Protection. Updated VMware vRealize Automation with workaround.
01/22/18: Added VMware vCloud Usage Meter to list of affected products with workaround.
01/25/18: Added workaround for vRealize Automation 6.2.x.
02/08/18: Mitigation and workaround information has moved to VMSA-2018-0007 in conjunction with the release of vSphere Integrated Containers mitigations. Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.
04/09/19: Updated KB with information that the Operating System-Specific Mitigations described in KB55807 are cumulative and will also mitigate the issues described in this article
Additional Information
Feedback
Yes
No
Powered by
