Twenty Year Anniversary

VMware Security Advisory 2018-0012.1

VMware Security Advisory 2018-0012.1
Posted Jun 29, 2018
Authored by VMware | Site vmware.com

VMware Security Advisory 2018-0012.1 - VMware vSphere, Workstation and Fusion updates enable Hypervisor- Assisted Guest Mitigations for Speculative Store Bypass issue. The mitigations in this advisory are categorized as Hypervisor- Assisted Guest Mitigations described by VMware Knowledge Base article 54951. KB54951 also covers CVE-2018-3640 mitigations which do not require VMware product updates.

tags | advisory
advisories | CVE-2018-3639, CVE-2018-3640
MD5 | 5832e15c2d041232da4541136aa10a96

VMware Security Advisory 2018-0012.1

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
VMware Security Advisory

Advisory ID: VMSA-2018-0012.1
Severity: Moderate
Synopsis: VMware vSphere, Workstation and Fusion updates enable
Hypervisor-Assisted Guest Mitigations for Speculative Store
Bypass issue
Issue date: 2018-05-21
Updated on: 2018-06-28
CVE number: CVE-2018-3639

1. Summary

VMware vSphere, Workstation and Fusion updates enable Hypervisor-
Assisted Guest Mitigations for Speculative Store Bypass issue.

The mitigations in this advisory are categorized as Hypervisor-
Assisted Guest Mitigations described by VMware Knowledge Base article
54951. KB54951 also covers CVE-2018-3640 mitigations which do not
require VMware product updates.

2. Relevant Products

VMware vCenter Server (VC)
VMware vSphere ESXi (ESXi)
VMware Workstation Pro / Player (Workstation)
VMware Fusion Pro / Fusion (Fusion)

3. Problem Description

vCenter Server, ESXi, Workstation, and Fusion update speculative
execution control mechanism for Virtual Machines (VMs). As a result,
a patched Guest Operating System (GOS) can remediate the Speculative
Store bypass issue (CVE-2018-3639) using the Speculative-Store-
Bypass-Disable (SSBD) control bit. This issue may allow for
information disclosure in applications and/or execution runtimes
which rely on managed code security mechanisms. Based on current
evaluations, we do not believe that CVE-2018-3639 could allow for VM
to VM or Hypervisor to VM Information disclosure.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the identifier CVE-2018-3639 to this issue.

Column 5 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.

VMware Product Running Replace with/ Mitigation/
Product Version on Severity Apply Patch Workaround
=========== ======= ======= ======== ==================== ==========
VC 6.7 Any Moderate 6.7.0b * None
VC 6.5 Any Moderate 6.5 U2b * None
VC 6.0 Any Moderate 6.0 U3f * None
VC 5.5 Any Moderate 5.5 U3i * None

ESXi 6.7 Any Moderate ESXi670-201806401-BG * None
ESXi670-201806402-BG **
ESXi 6.5 Any Moderate ESXi650-201806401-BG * None
ESXi650-201806402-BG **
ESXi 6.0 Any Moderate ESXi600-201806401-BG * None
ESXi600-201806402-BG **
ESXi 5.5 Any Moderate ESXi550-201806401-BG * None
ESXi550-201806402-BG **

Workstation 14.x Any Moderate 14.1.2 * None
Fusion 10.x OSX Moderate 10.1.2 * None

* There are additional VMware and 3rd party requirements for
CVE-2018-3639 mitigation beyond applying these updates. Please
see VMware Knowledge Base article 55111 for details.

** If available, these ESXi patches apply the required microcode
updates. The included microcode updates are documented in the
VMware Knowledge Base articles listed in the Solution section.

4. Solution

Please review the patch/release notes for your product and
version and verify the checksum of your downloaded file.

vCenter Server 6.7.0b
Downloads:

https://my.vmware.com/web/vmware/details?downloadGroup=VC670B&productId=742
&rPId=24511
Documentation:

https://docs.vmware.com/en/VMware-vSphere/6.7/rn/vsphere-vcenter-server-670
b-release-notes.html

vCenter Server 6.5 U2b
Downloads:

https://my.vmware.com/web/vmware/details?downloadGroup=VC65U2B&productId=61
4&rPId=24437
Documentation:

https://docs.vmware.com/en/VMware-vSphere/6.5/rn/vsphere-vcenter-server-65u
2b-release-notes.html

vCenter Server 6.0 U3f
Downloads:

https://my.vmware.com/web/vmware/details?downloadGroup=VC60U3F&productId=49
1&rPId=24398
Documentation:

https://docs.vmware.com/en/VMware-vSphere/6.0/rn/vsphere-vcenter-server-60u
3f-release-notes.html

vCenter Server 5.5 U3i
Downloads:

https://my.vmware.com/web/vmware/details?downloadGroup=VC55U3I&productId=35
3&rPId=24327
Documentation:

https://docs.vmware.com/en/VMware-vSphere/5.5/rn/vsphere-vcenter-server-55u
3i-release-notes.html

VMware ESXi 6.7
Downloads:
https://my.vmware.com/group/vmware/patch
Documentation:
https://kb.vmware.com/kb/55920
https://kb.vmware.com/kb/55921 (microcode)

VMware ESXi 6.5
Downloads:
https://my.vmware.com/group/vmware/patch
Documentation:
https://kb.vmware.com/kb/55915
https://kb.vmware.com/kb/55916 (microcode)

VMware ESXi 6.0
Downloads:
https://my.vmware.com/group/vmware/patch
Documentation:
https://kb.vmware.com/kb/55910
https://kb.vmware.com/kb/55911 (microcode)

VMware ESXi 5.5
Downloads:
https://my.vmware.com/group/vmware/patch
Documentation:
https://kb.vmware.com/kb/55905
https://kb.vmware.com/kb/55906 (microcode)

VMware Workstation Pro, Player 14.1.2
Downloads and Documentation:
https://www.vmware.com/go/downloadworkstation
https://www.vmware.com/go/downloadplayer

VMware Fusion Pro / Fusion 10.1.2
Downloads and Documentation:
https://www.vmware.com/go/downloadfusion

5. References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3639
https://kb.vmware.com/kb/54951
https://kb.vmware.com/kb/55111

- ------------------------------------------------------------------------

6. Change log

2018-05-21: VMSA-2018-0012
Initial security advisory in conjunction with the release
of Workstation 14.1.2 and Fusion 10.1.2 on 2018-05-21.

2018-06-28: VMSA-2018-0012.1
Updated security advisory in conjunction with the release of vCenter
Server 5.5 U3i, 6.0 U3f, 6.5 U2b, 6.7.0b and ESXi 5.5 - 6.7 patches
on 2018-06-28.

- ------------------------------------------------------------------------

7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

security-announce at lists.vmware.com
bugtraq at securityfocus.com
fulldisclosure at seclists.org

E-mail: security at vmware.com
PGP key at: https://kb.vmware.com/kb/1055

VMware Security Advisories
http://www.vmware.com/security/advisories

VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html

VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html

VMware Security & Compliance Blog
https://blogs.vmware.com/security

Twitter
https://twitter.com/VMwareSRC

Copyright 2018 VMware Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8

wj8DBQFbNaFeDEcm8Vbi9kMRAn4NAJ42HgDjfXkcTVfDupwE4KPdPVsf7wCcDaLy
aN23XiAmhvFSxcQ5GnJR0ls=
=frKv
-----END PGP SIGNATURE-----

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

August 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    19 Files
  • 2
    Aug 2nd
    17 Files
  • 3
    Aug 3rd
    16 Files
  • 4
    Aug 4th
    1 Files
  • 5
    Aug 5th
    1 Files
  • 6
    Aug 6th
    19 Files
  • 7
    Aug 7th
    15 Files
  • 8
    Aug 8th
    9 Files
  • 9
    Aug 9th
    7 Files
  • 10
    Aug 10th
    10 Files
  • 11
    Aug 11th
    1 Files
  • 12
    Aug 12th
    0 Files
  • 13
    Aug 13th
    14 Files
  • 14
    Aug 14th
    18 Files
  • 15
    Aug 15th
    38 Files
  • 16
    Aug 16th
    16 Files
  • 17
    Aug 17th
    22 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close