A new year…a new vulnerability

There is nothing like starting the new year off with a small bout of panic.

As of this morning I’ve had a number of my partners calling to ask for an update on VMware’s position on the recently publicized CPU vulnerabilities, Meltdown and Spectre.

If you don’t know what I’m talking about, have a look at the following article from the Project Zero team at Google. These guys do a really good job of explaining what all the noise is about.

On the VMware side, the good news is that we have already released a number of updates containing fixes for the vulnerabilities in question. On an even more positive note, because these patches shipped late last year, ahead of the public disclosure, there is a good chance that many environments out there are already patched.

The 3 identified CVEs in question are:

CVE-2017-5753 (Spectre variant 1, bounds check bypass)
CVE-2017-5715 (Spectre variant 2, branch target injection)
CVE-2017-5754 (Meltdown, rogue data cache load)

The patches that have been made available by VMware address CVE-2017-5753 and CVE-2017-5715.

CVE-2017-5754 (Meltdown) does not affect ESXi because ESXi does not run untrusted user mode code. VMware Workstation and VMware Fusion run on top of a host operating system, so for those products the host OS needs the Meltdown patch from its OS vendor. In all cases the hypervisor-side fixes do not cover the guest operating systems inside the virtual machines; those need their own vendors’ patches.

VMware have just released security advisory VMSA-2018-0002, which details the VMware ESXi, Workstation and Fusion updates addressing side-channel analysis due to speculative execution (CVE-2017-5753 and CVE-2017-5715).

The remediation documented in VMSA-2018-0002 has been present in VMware Cloud on AWS since early December 2017.
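Since the fix is simply "be on a build that contains it", the practical question for an on-premises vSphere admin is which hosts are still below the fixed build. Below is an added PowerCLI example, not code from this post or from VMware, that inventories every ESXi host in a vCenter and flags anything under the minimum build. It assumes VMware PowerCLI is installed and that you have credentials for the vCenter passed as -VCenter; the per-version minimum builds in the table are my reading of the advisory’s fixed-version list and are assumptions to confirm against VMSA-2018-0002 before you rely on the output.

```powershell
# Added example (not from the post or from VMware): report whether each ESXi
# host in a vCenter is at or above the minimum build carrying the
# VMSA-2018-0002 fix. Requires VMware PowerCLI and vCenter credentials.
# The per-version minimum builds are ASSUMED from the advisory's fixed-version
# table; confirm them against VMSA-2018-0002 before trusting the result.

param(
    [Parameter(Mandatory = $true)][string]$VCenter
)

# Minimum ESXi build per major.minor that contains the VMSA-2018-0002 patch.
# ASSUMED values: verify against the advisory.
$MinimumBuild = @{
    '6.5' = 7388607   # ESXi650-201712101-SG
    '6.0' = 6921384   # ESXi600-201711101-SG
    '5.5' = 6480324   # ESXi550-201709101-SG
}

function Get-Vmsa20180002Status {
    # Classify one host by comparing its major.minor version and build number
    # against the table above. Versions not in the table are reported as
    # 'unknown' so they are surfaced rather than silently counted as patched.
    param(
        [Parameter(Mandatory = $true)]$VMHost
    )

    $majorMinor = ($VMHost.Version -split '\.')[0..1] -join '.'
    $required   = $MinimumBuild[$majorMinor]

    $status = if ($null -eq $required) {
        'unknown'                       # version not covered by the table
    } elseif ([int]$VMHost.Build -ge $required) {
        'patched'
    } else {
        'VULNERABLE'
    }

    [pscustomobject]@{
        Host          = $VMHost.Name
        Version       = $VMHost.Version
        Build         = [int]$VMHost.Build
        RequiredBuild = $required
        Status        = $status
    }
}

Import-Module VMware.PowerCLI -ErrorAction Stop
$null = Connect-VIServer -Server $VCenter

try {
    $report = Get-VMHost | Sort-Object Name | ForEach-Object { Get-Vmsa20180002Status -VMHost $_ }
    $report | Format-Table -AutoSize

    # Non-zero exit if anything is below the required build or unclassified,
    # so the script can gate a change window or feed a monitoring job.
    $bad = @($report | Where-Object Status -ne 'patched')
    if ($bad.Count -gt 0) {
        Write-Warning ("{0} host(s) need attention (see Status column)." -f $bad.Count)
        exit 1
    }
}
finally {
    Disconnect-VIServer -Server $VCenter -Confirm:$false
}
```

Run it as `.\Check-Vmsa20180002.ps1 -VCenter vcenter.example.internal` (hypothetical name). It only answers the hypervisor-side question; the guest operating systems inside the VMs still need their own vendors’ Meltdown and Spectre patches, and this script does not look inside them.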

In closing, tests performed so far have revealed no measurable performance impact for virtual machines running on patched ESXi. Guest operating systems patched inside the virtual machines may, however, see a performance impact depending on the mitigation their OS vendor ships.

