===========================================================================
             AUSCERT External Security Bulletin Redistribution

                             ESB-2018.0411.2
          VMware Virtual Appliance updates address side-channel
                  analysis due to speculative execution
                                7 May 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           VMware Virtual Appliance
Publisher:         VMWare
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Access Privileged Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-5754 CVE-2017-5753 CVE-2017-5715

Reference:         ASB-2018.0033
                   ASB-2018.0030
                   ASB-2018.0009
                   ASB-2018.0002.4
                   ESB-2018.0042.2

Original Bulletin:
   https://www.vmware.com/security/advisories/VMSA-2018-0007.html

Revision History:  May      7 2018: Additional patches released
                   February 9 2018: Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

VMSA-2018-0007.3

VMware Virtual Appliance updates address side-channel analysis due to
speculative execution

VMware Security Advisory

Advisory ID:  VMSA-2018-0007.3
Severity:     Important
Synopsis:     VMware Virtual Appliance updates address side-channel
              analysis due to speculative execution
Issue date:   2018-02-08
Updated on:   2018-05-03
CVE numbers:  CVE-2017-5753, CVE-2017-5715, CVE-2017-5754

1. Summary

VMware Virtual Appliance updates address side-channel analysis due to
speculative execution

In order to clarify the mitigations provided in specific releases
CVE-2017-5753 (Spectre-1), and CVE-2017-5754 (Meltdown) have been
separated from CVE-2017-5715 (Spectre-2). Details on this change can be
found in our companion blog.

This document will focus on VMware Virtual Appliances which are affected
by the known variants of CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754.
For more information please see Knowledge Base article 52264.

These mitigations are part of the Operating System-Specific Mitigations
category described in VMware Knowledge Base article 52245.

2. Relevant Products

   o vCloud Usage Meter (UM)
   o Identity Manager (vIDM)
   o vCenter Server (vCSA)
   o vSphere Data Protection (VDP)
   o vSphere Integrated Containers (VIC)
   o vRealize Automation (vRA)

3. Problem Description

a. VMware Virtual Appliance Mitigations for Bounds-Check bypass
   (Spectre-1), and Rogue data cache load issues (Meltdown)

CPU data cache timing can be abused to efficiently leak information out
of mis-speculated CPU execution, leading to (at worst) arbitrary virtual
memory read vulnerabilities across local security boundaries in various
contexts. (Speculative execution is an automatic and inherent CPU
performance optimization used in all modern processors.) Successful
exploitation may allow for information disclosure.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the identifiers CVE-2017-5753 (Bounds Check bypass),
CVE-2017-5754 (Rogue data cache load) to these issues.

Column 5 of the following table lists the action required to mitigate
the vulnerability in each release, if a solution is available.

VMware     Product   Running           Replace with/  Mitigation/
Product    Version   on      Severity  Apply Patch    Workaround
========== ========= ======= ========= ============== ===========
UM         3.x       VA      Important Patch Pending  KB52467
vIDM       3.x, 2.x  VA      Important 3.2            KB52284
vCSA       6.5       VA      Important 6.5 U1f        KB52312
vCSA       6.0       VA      Important Patch Pending  KB52312
vCSA       5.5       VA      N/A       Unaffected     None
VDP        6.x       VA      Important 6.1.8          None
VIC        1.x       VA      Important 1.3.1          None
vRA        7.x       VA      Important 7.3.1          KB52377
vRA        6.x       VA      Important 7.3.1          KB52497

b. VMware Virtual Appliance Mitigations for Branch Target Injection
   (Spectre-2)

CPU data cache timing can be abused to efficiently leak information out
of mis-speculated CPU execution, leading to (at worst) arbitrary virtual
memory read vulnerabilities across local security boundaries in various
contexts. (Speculative execution is an automatic and inherent CPU
performance optimization used in all modern processors.) Successful
exploitation may allow for information disclosure.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the identifier CVE-2017-5715 (Branch Target Injection) to this
issue.

Column 5 of the following table lists the action required to mitigate
the vulnerability in each release, if a solution is available.

VMware     Product   Running           Replace with/  Mitigation/
Product    Version   on      Severity  Apply Patch    Workaround
========== ========= ======= ========= ============== ===========
UM         3.x       VA      Important Patch Pending  KB52467
vIDM       3.x, 2.x  VA      Important 3.2            KB52284
vCSA       6.5       VA      Important Patch Pending  KB52312
vCSA       6.0       VA      Important Patch Pending  KB52312
vCSA       5.5       VA      N/A       Unaffected     None
VDP        6.x       VA      Important 6.1.8          None
VIC        1.x       VA      Important Patch Pending  None
vRA        7.x       VA      Important 7.3.1          KB52377
vRA        6.x       VA      Important 7.3.1          KB52497

4. Solution

Please review the patch/release notes for your product and version and
verify the checksum of your downloaded file.

VMware Identity Manager 3.2
Downloads and Documentation:
https://my.vmware.com/web/vmware/info/slug/desktop_end_user_computing/vmware_identity_manager/3_2

VMware vRealize Automation 7.3.1
Downloads:
https://my.vmware.com/web/vmware/info/slug/infrastructure_operations_management/vmware_vrealize_automation/7_3
Documentation:
https://docs.vmware.com/en/vRealize-Automation/index.html

vCenter Server Appliance 6.5 U1f
Downloads:
https://my.vmware.com/group/vmware/patch
Documentation:
https://docs.vmware.com/en/VMware-vSphere/6.5/rn/vcenter-server-appliance-photonos-security-patches.html

vSphere Integrated Containers 1.3.1
Downloads and Documentation:
https://my.vmware.com/group/vmware/get-download?downloadGroup=VIC131

vSphere Data Protection (VDP) 6.1.8
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?productId=614&downloadGroup=VDP618
https://www.vmware.com/support/pubs/vdr_pubs.html

5. References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5753
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754
https://kb.vmware.com/kb/52264
https://kb.vmware.com/kb/52245
https://kb.vmware.com/kb/52467
https://kb.vmware.com/kb/52284
https://kb.vmware.com/kb/52312
https://kb.vmware.com/kb/52377
https://kb.vmware.com/kb/52497

6. Change log

2018-02-08: VMSA-2018-0007
Initial security advisory in conjunction with the release of vSphere
Integrated Containers 1.3.1 on 2018-02-08.

2018-02-15: VMSA-2018-0007.1
Split CVE-2017-5753 and CVE-2017-5754 from CVE-2017-5715 for clarity in
conjunction with vCenter Server Appliance 6.5 U1f updates on 2018-02-15.

2018-03-15: VMSA-2018-0007.2
Updated in conjunction with the release of Identity Manager (vIDM) 3.2
and vRealize Automation (vRA) 7.3.1 on 2018-03-15.

2018-05-03: VMSA-2018-0007.3
Updated in conjunction with the release of vSphere Data Protection (VDP)
6.1.8 on 2018-05-03.

7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

   security-announce@lists.vmware.com
   bugtraq@securityfocus.com
   fulldisclosure@seclists.org

E-mail: security@vmware.com
PGP key at: https://kb.vmware.com/kb/1055

VMware Security Advisories
http://www.vmware.com/security/advisories

VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html

VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html

VMware Security & Compliance Blog
https://blogs.vmware.com/security

Twitter
https://twitter.com/VMwareSRC

Copyright 2018 VMware Inc. All rights reserved.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information or
advice contained in this security bulletin is the responsibility of each
user or organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made.
If downloading at a later date, it is recommended that the bulletin is
retrieved directly from the author's website to ensure that the
information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
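
Added example (not part of the AusCERT bulletin or the VMware advisory): after applying an appliance update from the tables above, the guest kernel's own view of the three CVEs can be read from the Linux sysfs directory /sys/devices/system/cpu/vulnerabilities. The script assumes the appliance kernel exposes that interface (mainline since 4.15); the function names and the sample directory are constructed for illustration.

```shell
#!/bin/sh
# Added example, not VMware or AusCERT code. Assumes the appliance kernel
# exposes the Linux sysfs vulnerability interface (mainline since 4.15).
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# classify_state TEXT -> not-affected | mitigated | vulnerable | unknown
classify_state() {
    case "$1" in
        "Not affected"*) echo not-affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# spec_exec_report [DIR] -> one line per CVE: "<CVE> <sysfs-file> <state>"
spec_exec_report() {
    dir=${1:-$VULN_DIR_DEFAULT}
    for pair in CVE-2017-5753:spectre_v1 CVE-2017-5715:spectre_v2 \
                CVE-2017-5754:meltdown; do
        cve=${pair%%:*}
        name=${pair#*:}
        if [ -r "$dir/$name" ]; then
            state=$(classify_state "$(cat "$dir/$name")")
        else
            # File absent: the kernel predates the interface, so confirm
            # the patch level from the appliance build number instead.
            state=unknown
        fi
        echo "$cve $name $state"
    done
}

# spec_exec_open [DIR] -> count of CVEs not reported mitigated/not-affected
spec_exec_open() {
    spec_exec_report "$1" |
        awk '$3 != "mitigated" && $3 != "not-affected" { n++ } END { print n + 0 }'
}

# Constructed sample (not from a real appliance): Spectre-1 and Meltdown
# mitigated, Spectre-2 still open, as in the "Patch Pending" rows above.
sample=$(mktemp -d)
printf 'Mitigation: __user pointer sanitization\n' > "$sample/spectre_v1"
printf 'Vulnerable\n' > "$sample/spectre_v2"
printf 'Mitigation: PTI\n' > "$sample/meltdown"
spec_exec_report "$sample"
echo "open: $(spec_exec_open "$sample")"
rm -rf "$sample"
```

On an appliance, call spec_exec_report with no argument to read the live sysfs directory; an "unknown" state means the kernel does not report and the build must be checked against the advisory tables.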