VMware has released additional information, in the form of KB52264, regarding the impact that the recent CPU flaw has had on its virtual appliances.
Please note that this KB article is a work in progress: new updates will be published in the same KB article as the internal review of each virtual appliance is completed.
To summarize the current status, the following virtual appliances are not affected:
- VMware NSX for vSphere
- VMware Unified Access Gateway
- VMware vCenter Server 5.5
- VMware vRealize Log Insight
- VMware vRealize Operations
- VMware vRealize Orchestrator
The following virtual appliances have been identified so far as affected:
- VMware Identity Manager
- VMware vCenter Server 6.5
- VMware vCenter Server 6.0
- VMware vSphere Integrated Containers
There is nothing like starting the new year off with a small bout of panic.
As of this morning I’ve had a number of my partners calling up asking for an update on VMware’s position against the recently publicized CPU vulnerabilities, Meltdown and Spectre.
If you don’t know what I’m talking about, have a look at the following article from the Project Zero team at Google. These guys do a really good job of explaining what all the noise is about.
On the VMware side, the good news is that we have already released a number of updates that contain fixes to address the vulnerabilities in question. On an even more positive note, given that these patches were released last year, there is a good chance that many environments out there are already patched.
The three identified CVEs in question are:
- CVE-2017-5753 (Spectre, variant 1)
- CVE-2017-5715 (Spectre, variant 2)
- CVE-2017-5754 (Meltdown, variant 3)
The patches that VMware has made available address CVE-2017-5753 and CVE-2017-5715.
CVE-2017-5754 (Meltdown) does not affect ESXi, because ESXi does not run untrusted user-mode code. VMware Workstation and VMware Fusion rely on the underlying host operating system, which should be patched for this vulnerability by the OS vendor's update.
VMware has just released security advisory VMSA-2018-0002, which details the VMware ESXi, Workstation and Fusion updates addressing side-channel analysis due to speculative execution (CVE-2017-5753 and CVE-2017-5715).
The remediation documented in VMSA-2018-0002 has been present in VMware Cloud on AWS since early December 2017.
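Since the advisory identifies the fix by ESXi build number, the quickest way to confirm that an environment is already patched is to inventory host builds from vCenter and compare them with the builds listed in VMSA-2018-0002. The PowerCLI script below is an added example, not code from the original post or from VMware; the vCenter name and the `$PatchedBuilds` table are placeholders that must be filled in from the advisory for the ESXi versions you run.

```powershell
# Added example (not from the original post or VMware): list ESXi hosts with their
# build numbers and flag the ones below the VMSA-2018-0002 patched build.
# ASSUMPTION: $PatchedBuilds holds placeholder values; replace them with the real
# minimum build per ESXi version taken from the advisory before relying on the result.

Import-Module VMware.PowerCLI

# Minimum ESXi build (keyed by $_.Version, e.g. '6.5.0') that carries the fix.
# PLACEHOLDER values: 0 would mark every host as patched, so fill these in first.
$PatchedBuilds = @{
    '5.5.0' = 0   # PLACEHOLDER: build from VMSA-2018-0002 for ESXi 5.5
    '6.0.0' = 0   # PLACEHOLDER: build from VMSA-2018-0002 for ESXi 6.0
    '6.5.0' = 0   # PLACEHOLDER: build from VMSA-2018-0002 for ESXi 6.5
}

function Get-EsxiPatchStatus {
    param(
        [Parameter(Mandatory)] [string] $VCenter,
        [hashtable] $MinimumBuilds = $PatchedBuilds
    )

    Connect-VIServer -Server $VCenter | Out-Null
    try {
        Get-VMHost | ForEach-Object {
            $build = [int] $_.Build
            $min   = $MinimumBuilds[$_.Version]

            # Unknown versions are reported rather than silently treated as patched.
            if ($null -eq $min)      { $status = 'UnknownVersion' }
            elseif ($build -ge $min) { $status = 'Patched' }
            else                     { $status = 'NeedsUpdate' }

            [pscustomobject]@{
                Host    = $_.Name
                Version = $_.Version
                Build   = $build
                Status  = $status
            }
        }
    }
    finally {
        Disconnect-VIServer -Server $VCenter -Confirm:$false
    }
}

# Usage (vCenter name is a placeholder):
# Get-EsxiPatchStatus -VCenter 'vcenter.example.local' | Format-Table -AutoSize
```

Hosts reported as `NeedsUpdate` are the ones to schedule for the ESXi patches in the advisory; `UnknownVersion` means the table has no entry for that ESXi release and should be extended rather than assumed safe.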
In closing, the tests performed so far have revealed no measurable performance impact on virtual machines running on ESXi. Guest operating systems that are patched inside the virtual machines themselves may, however, see a performance impact depending on the patch provided by the OS vendor.
NSX-T is VMware's network virtualization solution for multi-cloud and multi-hypervisor environments, enabling advanced networking and security across emerging application architectures (such as containers) just as it does for traditional three-tier applications.
Earlier this month VMware announced the release of NSX-T 2.1 which now includes support for Pivotal Cloud Foundry. NSX-T 2.1 will also serve as the networking and security platform for the recently announced VMware Pivotal Container Service (PKS), a Kubernetes solution jointly developed by VMware, Pivotal and Google.