Where are we with Spectre and Meltdown vulnerabilities in VMware environments


Since these vulnerabilities were publicly disclosed, there have been several articles (Security Advisories and KBs) and recommendations on how to patch VMware environments. Some of the updates supersede the initial ones and some add more details. Naturally, with so much information flying around and the pressure to mitigate these critical vulnerabilities as soon as possible, there is some confusion about what actually needs to be done.

The status, as of the time of this article (January 16th 2018 11:00 UTC) is as follows:

Spectre

There are two VMware Security Advisory documents for the Spectre vulnerability:

VMSA-2018-0002
   Title:    VMware ESXi Hypervisor mitigation for side-channel analysis due to speculative execution
   Exploits: CVE-2017-5753 (bounds check bypass), CVE-2017-5715 (branch target injection)
   Recommended actions: install the recommended ESXi patches

   6.5    ESXi650-201712101-SG
   6.0    ESXi600-201711101-SG
   5.5    ESXi550-201709101-SG

VMSA-2018-0004
   Title:    VMware vSphere Hypervisor-Assisted Guest Remediation for speculative execution issue
   Exploit:  CVE-2017-5715 (branch target injection)
   Recommended actions:

   1. Upgrade vCenter

   2. Install microcode on hosts*

   3. Install Guest OS patches

   4. Power cycle the VMs (a full power off and power on, not a guest reboot; the VM must be on virtual hardware version 9 or later for the new CPU features to be exposed to the guest)

* The situation with the microcode patches is quite complicated, especially if you reacted fast. VMware's initial response to this issue was to help customers deploy the microcode by shipping it in ESXi patches (see KB 52085), but a few days later Intel notified VMware that some CPU families running this microcode are affected by Intel Sightings (a CPU-level bug), see KB 52345. VMware has therefore pulled these patches and announced a workaround for customers who had already installed them.
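Steps 2 to 4 of VMSA-2018-0004 only achieve something if the guest actually sees the new CPU features after the power cycle, and a guest that was merely rebooted, or that sits on virtual hardware version 8 or lower, will not. The following script, an added example written for this post and not Runecast or VMware code, checks that from inside a Linux guest: it looks for the speculation-control flags in /proc/cpuinfo and reads the kernel's own verdict from the sysfs vulnerabilities interface. The flag names are the ones Linux prints (they vary by kernel version, so several are accepted), the sysfs path is the interface guest kernels gained in early 2018, and the cpuinfo samples are constructed to show the before and after state.

```python
"""Verify from inside a Linux guest that the hypervisor exposes the
CVE-2017-5715 (branch target injection) speculation controls after the
VM power cycle required by VMSA-2018-0004.

Added example for this article; not Runecast or VMware code."""

import re

# Flags Linux prints in /proc/cpuinfo when the (virtual) CPU advertises the
# new speculation-control capabilities. Intel-named and AMD-named synthetic
# flags are both listed because different kernel versions print different ones.
SPEC_CTRL_FLAGS = {"spec_ctrl", "ibrs", "ibpb", "stibp", "intel_stibp"}

CPUINFO_PATH = "/proc/cpuinfo"
SPECTRE_V2_SYSFS = "/sys/devices/system/cpu/vulnerabilities/spectre_v2"

# Constructed sample: a guest on a microcode-patched host that was only rebooted,
# so the vCPU still shows the old feature set (no spec_ctrl).
CPUINFO_BEFORE_POWER_CYCLE = """\
processor\t: 0
vendor_id\t: GenuineIntel
model name\t: (constructed sample)
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep pge cmov sse sse2 ht nx lm hypervisor
"""

# Constructed sample: the same guest after a full power off/on on HW version >= 9.
CPUINFO_AFTER_POWER_CYCLE = """\
processor\t: 0
vendor_id\t: GenuineIntel
model name\t: (constructed sample)
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep pge cmov sse sse2 ht nx lm hypervisor spec_ctrl intel_stibp
"""


def cpuinfo_flags(cpuinfo_text):
    """Return the set of feature flags from the first 'flags' line of cpuinfo text."""
    for line in cpuinfo_text.splitlines():
        if re.match(r"^flags\s*:", line):
            return set(line.split(":", 1)[1].split())
    return set()


def classify_sysfs(spectre_v2_text):
    """Map the kernel's spectre_v2 sysfs string to a short status.

    The kernel writes 'Not affected', 'Vulnerable[: ...]' or 'Mitigation: ...'.
    None means the file does not exist (guest kernel predates the interface
    or has not been patched, which is step 3 of the advisory)."""
    if spectre_v2_text is None:
        return "unknown"
    text = spectre_v2_text.strip()
    if text.startswith("Not affected"):
        return "not_affected"
    if text.startswith("Mitigation:"):
        return "mitigated"
    return "vulnerable"


def guest_spectre_v2_status(cpuinfo_text, spectre_v2_text=None):
    """Combine both signals: does the hypervisor expose the controls (steps 2 and 4)
    and does the guest kernel use them (step 3)?"""
    seen = sorted(cpuinfo_flags(cpuinfo_text) & SPEC_CTRL_FLAGS)
    return {
        "hv_exposes_spec_ctrl": bool(seen),
        "spec_ctrl_flags": seen,
        "kernel_status": classify_sysfs(spectre_v2_text),
    }


def read_or_none(path):
    """Read a file, returning None if it is absent (e.g. older guest kernel)."""
    try:
        with open(path) as fh:
            return fh.read()
    except OSError:
        return None


if __name__ == "__main__":
    # Run on a real guest: read the live files; fall back to the constructed
    # samples when not on Linux so the script still demonstrates the logic.
    live = read_or_none(CPUINFO_PATH)
    status = guest_spectre_v2_status(live or CPUINFO_BEFORE_POWER_CYCLE,
                                     read_or_none(SPECTRE_V2_SYSFS))
    if not status["hv_exposes_spec_ctrl"]:
        print("Hypervisor does NOT expose speculation controls: check host "
              "microcode, VM hardware version (>= 9) and do a full power cycle.")
    else:
        print("Hypervisor exposes:", ", ".join(status["spec_ctrl_flags"]))
    print("Guest kernel spectre_v2 status:", status["kernel_status"])
```

A "vulnerable" kernel status with the flags present means the guest OS patch (step 3) is still missing; flags absent with a patched kernel means the host side (steps 2 and 4) is incomplete, which is exactly the case the microcode rollback described above can leave you in.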

The diagram below summarizes the current situation for these two advisories:

[Diagram: Spectre and Meltdown patches]


Meltdown

The ESXi hypervisor is not affected by this vulnerability, but some other VMware products deployed as virtual appliances may be affected, so make sure to check which appliances are affected in KB 52264.


At Runecast, we continuously monitor the trusted sources of information and keep our issue definition database up to date, so you can have the peace of mind that your VMware infrastructure is rock solid. As you have seen in the previous blog post, we respond very fast, and we have included all the needed automatic checks in the latest update so you can easily find the affected components.

[Screenshot: VMware KB scan for Meltdown and Spectre]

Additional details regarding these vulnerabilities: VMware Response to Speculative Execution security issues, CVE-2017-5753, CVE-2017-5715, CVE-2017-5754 (aka Spectre and Meltdown) (52245)