ESB-2018.0411.2 - UPDATE [Win][UNIX/Linux] VMware Virtual Appliance: Access privileged data - Existing account 2018-05-07

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2018.0411.2
           VMware Virtual Appliance updates address side-channel
                   analysis due to speculative execution
                                7 May 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           VMware Virtual Appliance
Publisher:         VMware
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Access Privileged Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-5754 CVE-2017-5753 CVE-2017-5715

Reference:         ASB-2018.0033
                   ASB-2018.0030
                   ASB-2018.0009
                   ASB-2018.0002.4
                   ESB-2018.0042.2

Original Bulletin: 
   https://www.vmware.com/security/advisories/VMSA-2018-0007.html

Revision History:  May      7 2018: Additional patches released
                   February 9 2018: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

VMSA-2018-0007.3

VMware Virtual Appliance updates address side-channel analysis due to
speculative execution

VMware Security Advisory

Advisory ID: VMSA-2018-0007.3

Severity: Important

Synopsis: VMware Virtual Appliance updates address side-channel analysis due
to speculative execution

Issue date: 2018-02-08

Updated on: 2018-05-03

CVE numbers: CVE-2017-5753, CVE-2017-5715, CVE-2017-5754


1. Summary

VMware Virtual Appliance updates address side-channel analysis due to
speculative execution

To clarify the mitigations provided in specific releases, CVE-2017-5753
(Spectre-1) and CVE-2017-5754 (Meltdown) have been separated from
CVE-2017-5715 (Spectre-2). Details on this change can be found in our companion
blog.

This document will focus on VMware Virtual Appliances which are affected by the
known variants of CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754.

For more information please see Knowledge Base article 52264.

These mitigations are part of the Operating System-Specific Mitigations
category described in VMware Knowledge Base article 52245.


2. Relevant Products

  o vCloud Usage Meter (UM)
  o Identity Manager (vIDM)
  o vCenter Server (vCSA)
  o vSphere Data Protection (VDP)
  o vSphere Integrated Containers (VIC)
  o vRealize Automation (vRA)


3. Problem Description

a. VMware Virtual Appliance Mitigations for Bounds-Check bypass (Spectre-1),
and Rogue data cache load issues (Meltdown)

CPU data cache timing can be abused to efficiently leak information out of
mis-speculated CPU execution, leading to (at worst) arbitrary virtual memory
read vulnerabilities across local security boundaries in various contexts.
(Speculative execution is an automatic and inherent CPU performance
optimization used in all modern processors.) Successful exploitation may allow
for information disclosure.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
the identifiers CVE-2017-5753 (Bounds Check bypass) and CVE-2017-5754 (Rogue
data cache load) to these issues.

Column 5 of the following table lists the action required to mitigate the
vulnerability in each release, if a solution is available.

   VMware     Product   Running           Replace with/ Mitigation/
   Product    Version   on      Severity  Apply Patch   Workaround
   ========== ========= ======= ========= ============= ==========
   UM         3.x       VA      Important Patch Pending KB52467

   vIDM       3.x, 2.x  VA      Important 3.2           KB52284

   vCSA       6.5       VA      Important 6.5 U1f       KB52312

   vCSA       6.0       VA      Important Patch Pending KB52312

   vCSA       5.5       VA      N/A       Unaffected    None

   VDP        6.x       VA      Important 6.1.8         None

   VIC        1.x       VA      Important 1.3.1         None

   vRA        7.x       VA      Important 7.3.1         KB52377

   vRA        6.x       VA      Important 7.3.1         KB52497

b. VMware Virtual Appliance Mitigations for Branch Target Injection (Spectre-2)


CPU data cache timing can be abused to efficiently leak information out of
mis-speculated CPU execution, leading to (at worst) arbitrary virtual memory
read vulnerabilities across local security boundaries in various contexts.
(Speculative execution is an automatic and inherent CPU performance
optimization used in all modern processors.) Successful exploitation may allow
for information disclosure.


The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
the identifier CVE-2017-5715 (Branch Target Injection) to this issue.

Column 5 of the following table lists the action required to mitigate the
vulnerability in each release, if a solution is available.

   VMware     Product   Running           Replace with/ Mitigation/
   Product    Version   on      Severity  Apply Patch   Workaround
   ========== ========= ======= ========= ============= ==========
   UM         3.x       VA      Important Patch Pending KB52467

   vIDM       3.x, 2.x  VA      Important 3.2           KB52284

   vCSA       6.5       VA      Important Patch Pending KB52312

   vCSA       6.0       VA      Important Patch Pending KB52312

   vCSA       5.5       VA      N/A       Unaffected    None

   VDP        6.x       VA      Important 6.1.8         None

   VIC        1.x       VA      Important Patch Pending None

   vRA        7.x       VA      Important 7.3.1         KB52377

   vRA        6.x       VA      Important 7.3.1         KB52497
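
The tables in 3a and 3b list different fixes for some releases, so an upgrade that addresses Spectre-1/Meltdown can still leave Spectre-2 pending. The following is an added example, not code from VMware or AusCERT: it slices the advisory's rows at the column boundaries of the "====" ruler and joins both tables per release. The function names and status labels are assumptions of the example.

```python
import re

# Ruler and rows copied from the tables in sections 3a and 3b of this advisory.
RULER = "   ========== ========= ======= ========= ============= =========="
TABLE_3A = """\
   UM         3.x       VA      Important Patch Pending KB52467
   vIDM       3.x, 2.x  VA      Important 3.2           KB52284
   vCSA       6.5       VA      Important 6.5 U1f       KB52312
   vCSA       6.0       VA      Important Patch Pending KB52312
   vCSA       5.5       VA      N/A       Unaffected    None
   VDP        6.x       VA      Important 6.1.8         None
   VIC        1.x       VA      Important 1.3.1         None
   vRA        7.x       VA      Important 7.3.1         KB52377
   vRA        6.x       VA      Important 7.3.1         KB52497
"""
TABLE_3B = """\
   UM         3.x       VA      Important Patch Pending KB52467
   vIDM       3.x, 2.x  VA      Important 3.2           KB52284
   vCSA       6.5       VA      Important Patch Pending KB52312
   vCSA       6.0       VA      Important Patch Pending KB52312
   vCSA       5.5       VA      N/A       Unaffected    None
   VDP        6.x       VA      Important 6.1.8         None
   VIC        1.x       VA      Important Patch Pending None
   vRA        7.x       VA      Important 7.3.1         KB52377
   vRA        6.x       VA      Important 7.3.1         KB52497
"""

def parse(table):
    """Slice rows at the ruler's column spans -> {(product, version): (fix, kb)}."""
    spans = [m.span() for m in re.finditer(r"=+", RULER)]
    cells = ([ln[a:b].strip() for a, b in spans] for ln in table.splitlines() if ln.strip())
    return {(c[0], c[1]): (c[4], c[5]) for c in cells}

def triage(a=TABLE_3A, b=TABLE_3B):
    """Join 3a and 3b per release -> {(product, version): (status, fix_3a, fix_3b, kb)}."""
    sec_b, report = parse(b), {}
    for key, (fix_a, kb) in parse(a).items():
        fix_b = sec_b[key][0]
        n = [fix_a, fix_b].count("Patch Pending")  # how many CVE groups lack a patch
        status = ("fix-available", "partial", "pending")[n]
        if fix_a == fix_b == "Unaffected":
            status = "unaffected"
        report[key] = (status, fix_a, fix_b, kb)  # kb is the workaround column of 3a
    return report

for (prod, ver), row in triage().items():
    print(prod, ver, *row, sep=" | ")
```

Releases reported as "partial" or "pending" are the ones where the listed workaround KB, if any, still applies after upgrading.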


4. Solution

Please review the patch/release notes for your product and version and verify
the checksum of your downloaded file.


VMware Identity Manager 3.2

Downloads and Documentation:

https://my.vmware.com/web/vmware/info/slug/desktop_end_user_computing/vmware_identity_manager/3_2


VMware vRealize Automation 7.3.1

Downloads:

https://my.vmware.com/web/vmware/info/slug/infrastructure_operations_management/vmware_vrealize_automation/7_3

Documentation:

https://docs.vmware.com/en/vRealize-Automation/index.html


vCenter Server Appliance 6.5 U1f

Downloads:

https://my.vmware.com/group/vmware/patch

Documentation:

https://docs.vmware.com/en/VMware-vSphere/6.5/rn/vcenter-server-appliance-photonos-security-patches.html



vSphere Integrated Containers 1.3.1

Downloads and Documentation:

https://my.vmware.com/group/vmware/get-download?downloadGroup=VIC131


vSphere Data Protection (VDP) 6.1.8

Downloads and Documentation:

https://my.vmware.com/web/vmware/details?productId=614&downloadGroup=VDP618

https://www.vmware.com/support/pubs/vdr_pubs.html


5. References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5753
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754
https://kb.vmware.com/kb/52264
https://kb.vmware.com/kb/52245
https://kb.vmware.com/kb/52467
https://kb.vmware.com/kb/52284
https://kb.vmware.com/kb/52312
https://kb.vmware.com/kb/52377
https://kb.vmware.com/kb/52497


6. Change log

2018-02-08: VMSA-2018-0007
Initial security advisory in conjunction with the release of vSphere Integrated
Containers 1.3.1 on 2018-02-08.

2018-02-15: VMSA-2018-0007.1
Split CVE-2017-5753 and CVE-2017-5754 from CVE-2017-5715 for clarity in
conjunction with vCenter Server Appliance 6.5 U1f updates on 2018-02-15.

2018-03-15: VMSA-2018-0007.2
Updated in conjunction with the release of Identity Manager (vIDM) 3.2 and
vRealize Automation (vRA) 7.3.1 on 2018-03-15.

2018-05-03: VMSA-2018-0007.3
Updated in conjunction with the release of vSphere Data Protection (VDP) 6.1.8
on 2018-05-03.


7. Contact

E-mail list for product security notifications and announcements:

http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

  security-announce@lists.vmware.com

  bugtraq@securityfocus.com

  fulldisclosure@seclists.org

E-mail: security@vmware.com

PGP key at:
https://kb.vmware.com/kb/1055

VMware Security Advisories
http://www.vmware.com/security/advisories

VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html

VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html

VMware Security & Compliance Blog
https://blogs.vmware.com/security

Twitter
https://twitter.com/VMwareSRC

Copyright 2018 VMware Inc. All rights reserved.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================