exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

VMware Security Advisory 2018-0012.1

VMware Security Advisory 2018-0012.1
Posted Jun 29, 2018
Authored by VMware | Site vmware.com

VMware Security Advisory 2018-0012.1 - VMware vSphere, Workstation and Fusion updates enable Hypervisor- Assisted Guest Mitigations for Speculative Store Bypass issue. The mitigations in this advisory are categorized as Hypervisor- Assisted Guest Mitigations described by VMware Knowledge Base article 54951. KB54951 also covers CVE-2018-3640 mitigations which do not require VMware product updates.

tags | advisory
advisories | CVE-2018-3639, CVE-2018-3640
SHA-256 | b7454f0cda78e28fc6b7444ae9be5bdd987d9eaf72ed3ac3ad092d94850944f6

VMware Security Advisory 2018-0012.1

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
VMware Security Advisory

Advisory ID: VMSA-2018-0012.1
Severity: Moderate
Synopsis: VMware vSphere, Workstation and Fusion updates enable
Hypervisor-Assisted Guest Mitigations for Speculative Store
Bypass issue
Issue date: 2018-05-21
Updated on: 2018-06-28
CVE number: CVE-2018-3639

1. Summary

VMware vSphere, Workstation and Fusion updates enable Hypervisor-
Assisted Guest Mitigations for Speculative Store Bypass issue.

The mitigations in this advisory are categorized as Hypervisor-
Assisted Guest Mitigations described by VMware Knowledge Base article
54951. KB54951 also covers CVE-2018-3640 mitigations which do not
require VMware product updates.

2. Relevant Products

VMware vCenter Server (VC)
VMware vSphere ESXi (ESXi)
VMware Workstation Pro / Player (Workstation)
VMware Fusion Pro / Fusion (Fusion)

3. Problem Description

vCenter Server, ESXi, Workstation, and Fusion update speculative
execution control mechanism for Virtual Machines (VMs). As a result,
a patched Guest Operating System (GOS) can remediate the Speculative
Store bypass issue (CVE-2018-3639) using the Speculative-Store-
Bypass-Disable (SSBD) control bit. This issue may allow for
information disclosure in applications and/or execution runtimes
which rely on managed code security mechanisms. Based on current
evaluations, we do not believe that CVE-2018-3639 could allow for VM
to VM or Hypervisor to VM Information disclosure.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the identifier CVE-2018-3639 to this issue.

Column 5 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.

VMware Product Running Replace with/ Mitigation/
Product Version on Severity Apply Patch Workaround
=========== ======= ======= ======== ==================== ==========
VC 6.7 Any Moderate 6.7.0b * None
VC 6.5 Any Moderate 6.5 U2b * None
VC 6.0 Any Moderate 6.0 U3f * None
VC 5.5 Any Moderate 5.5 U3i * None

ESXi 6.7 Any Moderate ESXi670-201806401-BG * None
ESXi670-201806402-BG **
ESXi 6.5 Any Moderate ESXi650-201806401-BG * None
ESXi650-201806402-BG **
ESXi 6.0 Any Moderate ESXi600-201806401-BG * None
ESXi600-201806402-BG **
ESXi 5.5 Any Moderate ESXi550-201806401-BG * None
ESXi550-201806402-BG **

Workstation 14.x Any Moderate 14.1.2 * None
Fusion 10.x OSX Moderate 10.1.2 * None

* There are additional VMware and 3rd party requirements for
CVE-2018-3639 mitigation beyond applying these updates. Please
see VMware Knowledge Base article 55111 for details.

** If available, these ESXi patches apply the required microcode
updates. The included microcode updates are documented in the
VMware Knowledge Base articles listed in the Solution section.

4. Solution

Please review the patch/release notes for your product and
version and verify the checksum of your downloaded file.

vCenter Server 6.7.0b
Downloads:

https://my.vmware.com/web/vmware/details?downloadGroup=VC670B&productId=742
&rPId=24511
Documentation:

https://docs.vmware.com/en/VMware-vSphere/6.7/rn/vsphere-vcenter-server-670
b-release-notes.html

vCenter Server 6.5 U2b
Downloads:

https://my.vmware.com/web/vmware/details?downloadGroup=VC65U2B&productId=61
4&rPId=24437
Documentation:

https://docs.vmware.com/en/VMware-vSphere/6.5/rn/vsphere-vcenter-server-65u
2b-release-notes.html

vCenter Server 6.0 U3f
Downloads:

https://my.vmware.com/web/vmware/details?downloadGroup=VC60U3F&productId=49
1&rPId=24398
Documentation:

https://docs.vmware.com/en/VMware-vSphere/6.0/rn/vsphere-vcenter-server-60u
3f-release-notes.html

vCenter Server 5.5 U3i
Downloads:

https://my.vmware.com/web/vmware/details?downloadGroup=VC55U3I&productId=35
3&rPId=24327
Documentation:

https://docs.vmware.com/en/VMware-vSphere/5.5/rn/vsphere-vcenter-server-55u
3i-release-notes.html

VMware ESXi 6.7
Downloads:
https://my.vmware.com/group/vmware/patch
Documentation:
https://kb.vmware.com/kb/55920
https://kb.vmware.com/kb/55921 (microcode)

VMware ESXi 6.5
Downloads:
https://my.vmware.com/group/vmware/patch
Documentation:
https://kb.vmware.com/kb/55915
https://kb.vmware.com/kb/55916 (microcode)

VMware ESXi 6.0
Downloads:
https://my.vmware.com/group/vmware/patch
Documentation:
https://kb.vmware.com/kb/55910
https://kb.vmware.com/kb/55911 (microcode)

VMware ESXi 5.5
Downloads:
https://my.vmware.com/group/vmware/patch
Documentation:
https://kb.vmware.com/kb/55905
https://kb.vmware.com/kb/55906 (microcode)

VMware Workstation Pro, Player 14.1.2
Downloads and Documentation:
https://www.vmware.com/go/downloadworkstation
https://www.vmware.com/go/downloadplayer

VMware Fusion Pro / Fusion 10.1.2
Downloads and Documentation:
https://www.vmware.com/go/downloadfusion

5. References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3639
https://kb.vmware.com/kb/54951
https://kb.vmware.com/kb/55111

- ------------------------------------------------------------------------

6. Change log

2018-05-21: VMSA-2018-0012
Initial security advisory in conjunction with the release
of Workstation 14.1.2 and Fusion 10.1.2 on 2018-05-21.

2018-06-28: VMSA-2018-0012.1
Updated security advisory in conjunction with the release of vCenter
Server 5.5 U3i, 6.0 U3f, 6.5 U2b, 6.7.0b and ESXi 5.5 - 6.7 patches
on 2018-06-28.

- ------------------------------------------------------------------------

7. Contact

E-mail list for product security notifications and announcements:
https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

security-announce at lists.vmware.com
bugtraq at securityfocus.com
fulldisclosure at seclists.org

E-mail: security at vmware.com
PGP key at: https://kb.vmware.com/kb/1055

VMware Security Advisories
https://www.vmware.com/security/advisories

VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html

VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html

VMware Security & Compliance Blog
https://blogs.vmware.com/security

Twitter
https://twitter.com/VMwareSRC

Copyright 2018 VMware Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8

wj8DBQFbNaFeDEcm8Vbi9kMRAn4NAJ42HgDjfXkcTVfDupwE4KPdPVsf7wCcDaLy
aN23XiAmhvFSxcQ5GnJR0ls=
=frKv
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    69 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close