The purpose of this article is to provide an overview of the speculative-execution security issues in Intel processors described by CVE-2018-3646 (L1 Terminal Fault - VMM), CVE-2018-3620 (L1 Terminal Fault - OS), and CVE-2018-3615 (L1 Terminal Fault - SGX) as they apply to VMware products. Because multiple documents will be necessary to respond to these issues, consider this document the centralized source of truth for them.
The Update History section of this article will be revised when there is a significant change to any of the related documentation. Click Subscribe to Article in the Actions box to be alerted when new information is added to this document, and sign up for the Security-Announce mailing list to receive new and updated VMware Security Advisories.
Background
To assist in understanding Speculative Execution vulnerabilities, VMware previously defined the following categories in KB52245 and KB54951. Here is a brief summary of these four categories:
- Hypervisor-Specific Mitigations prevent information leakage from the hypervisor or guest VMs into a malicious guest VM. These mitigations require code changes for VMware products.
- Hypervisor-Assisted Guest Mitigations virtualize new speculative-execution hardware control mechanisms for guest VMs so that Guest OSes can mitigate leakage between processes within the VM. These mitigations require code changes for VMware products.
- Operating System-Specific Mitigations are applied to guest operating systems. These updates are provided by a third-party vendor or, in the case of VMware virtual appliances, by VMware.
- Microcode Mitigations are applied to a system’s processor(s) by a microcode update from the hardware vendor. These mitigations do not require hypervisor or guest operating system updates to be effective.
Mitigation Category Summary for current Speculative Execution Issues:
- Mitigation of CVE-2018-3646 requires Hypervisor-Specific Mitigations for hosts running on Intel hardware.
- Mitigation of CVE-2018-3620 requires Operating System-Specific Mitigations.
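Because CVE-2018-3620 is mitigated inside the guest, the check belongs in the guest OS rather than on the ESXi host. The following is an added example for this article, not VMware code: on a Linux guest the kernel reports its L1TF status at /sys/devices/system/cpu/vulnerabilities/l1tf (present on kernels that carry the L1TF fix; the guest-side mitigation is PTE inversion). The script classifies that status line, flags the VMX sub-states the kernel marks as still exposed (only relevant if the guest itself runs nested VMs), and treats a missing sysfs entry as "mitigation not present". The status strings used for testing are constructed from the kernel's documented format.

```sh
#!/bin/sh
# Added example for this KB article (not VMware code): check whether a Linux
# guest reports the OS-specific L1TF (CVE-2018-3620) mitigation.
# The kernel exposes its L1TF status at this sysfs path (kernel 4.19+ and
# vendor backports); strings passed in for testing are constructed samples.
L1TF_SYSFS=/sys/devices/system/cpu/vulnerabilities/l1tf

# l1tf_classify STATUS_STRING
# Maps the kernel's L1TF status line to a short verdict:
#   not-affected  the kernel marks this CPU as not affected by L1TF
#   mitigated     PTE inversion is active (the guest-side fix for CVE-2018-3620)
#   vulnerable    the kernel knows about L1TF but reports no mitigation
#   unknown       unrecognised text
l1tf_classify() {
    case "$1" in
        "Not affected"*)              echo not-affected ;;
        "Mitigation: PTE Inversion"*) echo mitigated ;;
        Vulnerable*)                  echo vulnerable ;;
        *)                            echo unknown ;;
    esac
}

# l1tf_vmx_note STATUS_STRING
# The text after "VMX:" describes the hypervisor-side state and only matters
# if this guest itself runs VMs (nested virtualization). Flag the sub-states
# the kernel marks as still exposed.
l1tf_vmx_note() {
    case "$1" in
        *"VMX: vulnerable"*|*"SMT vulnerable"*) echo vmx-exposed ;;
        *"VMX:"*)                               echo vmx-mitigated ;;
        *)                                      echo vmx-not-reported ;;
    esac
}

# l1tf_check_host
# Reads the live sysfs entry. A missing entry means the running kernel
# predates L1TF reporting, so the OS-specific mitigation is not present.
l1tf_check_host() {
    if [ -r "$L1TF_SYSFS" ]; then
        l1tf_classify "$(cat "$L1TF_SYSFS")"
    else
        echo no-sysfs-entry
    fi
}

echo "L1TF guest status: $(l1tf_check_host)"
```

Run it inside the guest after applying the OS vendor's update; anything other than "mitigated" or "not-affected" means the Operating System-Specific Mitigation for CVE-2018-3620 is not in place, regardless of the ESXi host's patch level.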