VMware Security Advisory VMSA-2018-0002

Im sure we have all seen the news of the massive chip level security vulnerabilities that are surfacing. Software vendors appear to be actively scrambling to get patches out to side step. Below is the advisory information from VMware.

Original Advisory

Orignal VMware Blog Post

VMSA-2018-0002

VMware ESXi, Workstation and Fusion updates address side-channel analysis due to speculative execution.

VMware Security Advisory
Advisory ID:
VMSA-2018-0002
Severity:
Important
Synopsis:
VMware ESXi, Workstation and Fusion updates address side-channel analysis due to speculative execution.
Issue date:
2018-01-03
Updated on:
2018-01-03 (Initial Advisory)
CVE numbers:
CVE-2017-5753, CVE-2017-5715
1. Summary

VMware ESXi, Workstation and Fusion updates address side-channel analysis due to speculative execution.

2. Relevant Products
  • VMware vSphere ESXi (ESXi)
  • VMware Workstation Pro / Player (Workstation)
  • VMware Fusion Pro / Fusion (Fusion)
3. Problem Description

Bounds-Check bypass and Branch Target Injection issues

CPU data cache timing can be abused to efficiently leak information out of mis-speculated CPU execution, leading to (at worst) arbitrary virtual memory read vulnerabilities across local security boundaries in various contexts. (Speculative execution is an automatic and inherent CPU performance optimization used in all modern processors.) ESXi, Workstation and Fusion are vulnerable to Bounds Check Bypass and Branch Target Injection issues resulting from this vulnerability.

Result of exploitation may allow for information disclosure from one Virtual Machine to another Virtual Machine that is running on the same host. The remediation listed in the table below is for the known variants of the Bounds Check Bypass and Branch Target Injection issues.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifiers CVE-2017-5753 (Bounds Check bypass) and CVE-2017-5715 (Branch Target Injection) to these issues.

 

4. Solution

 

Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.

 

VMware ESXi 6.5
Downloads:
https://my.vmware.com/group/vmware/patch
Documentation:
http://kb.vmware.com/kb/2151099

 

VMware ESXi 6.0
Downloads:
https://my.vmware.com/group/vmware/patch
Documentation:
http://kb.vmware.com/kb/2151132

 

VMware ESXi 5.5
Downloads:
https://my.vmware.com/group/vmware/patch
Documentation:
http://kb.vmware.com/kb/2150876

 

VMware Workstation Pro, Player 12.5.8

Downloads and Documentation:
https://www.vmware.com/go/downloadworkstation
https://www.vmware.com/support/pubs/ws_pubs.html

 

VMware Fusion Pro / Fusion 12.5.9
Downloads and Documentation:
https://www.vmware.com/go/downloadfusion
https://www.vmware.com/support/pubs/fusion_pubs.html

plasebikan