[Security-announce] NEW VMSA VMSA-2018-0002 VMware ESXi, Workstation and Fusion updates address side-channel analysis due to speculative execution

\n\n–===============5313349780767451850==
Content-Language: en-US
Content-Type: multipart/alternative;
boundary=”_000_BY2PR0501MB1686B792D1DD7D68BAB0AF67B91F0BY2PR0501MB1686_”

–_000_BY2PR0501MB1686B792D1DD7D68BAB0AF67B91F0BY2PR0501MB1686_
Content-Type: text/plain; charset=”iso-8859-1″
Content-Transfer-Encoding: quoted-printable

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1

– ————————————————————————

VMware Security Advisory

Advisory ID: VMSA-2018-0002
Severity: Important
Synopsis: VMware ESXi, Workstation and Fusion updates address
side-channel analysis due to speculative execution.
Issue date: 2018-01-03
Updated on: 2018-01-03 ((Initial Advisory)
CVE number: CVE-2017-5753, CVE-2017-5715

1. Summary

VMware ESXi, Workstation and Fusion updates address side-channel
analysis due to speculative execution.

2. Relevant Products

VMware vSphere ESXi (ESXi)
VMware Workstation Pro / Player (Workstation)
VMware Fusion Pro / Fusion (Fusion)

3. Problem Description

Bounds Check bypass and Branch Target Injection issues

CPU data cache timing can be abused to efficiently leak information
out of mis-speculated CPU execution, leading to (at worst) arbitrary
virtual memory read vulnerabilities across local security boundaries
in various contexts. (Speculative execution is an automatic and
inherent CPU performance optimization used in all modern processors.)
ESXi, Workstation and Fusion are vulnerable to Bounds Check Bypass
and Branch Target Injection issues resulting from this vulnerability.

Result of exploitation may allow for information disclosure from one
Virtual Machine to another Virtual Machine that is running on the
same host. The remediation listed in the table below is for the known
variants of the Bounds Check Bypass and Branch Target Injection
issues.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the identifiers CVE-2017-5753 (Bounds Check bypass) and
CVE-2017-5715 (Branch Target Injection) to these issues.

Column 5 of the following table lists the action required to
remediate the observed vulnerability in each release, if a solution
is available.

VMware Product Running Replace with/ Mitigation
Product Version on Severity Apply patch Workaround
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D =3D=3D=3D=3D=3D=3D=3D =3D=3D=3D=3D=3D=3D=
=3D =3D=3D=3D=3D=3D=3D=3D=3D=3D =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D =
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

ESXi 6.5 Any Important ESXi650-201712101-SG None
ESXi 6.0 Any Important ESXi600-201711101-SG None
ESXi 5.5 Any Important ESXi550-201709101-SG * None

Workstation 14.x Any N/A Not affected N/A
Workstation 12.x Any Important 12.5.8 None

Fusion 10.x OS X N/A Not affected N/A
Fusion 8.x OS X Important 8.5.9 None

* This patch has remediation against CVE-2017-5715 but not against
CVE-2017-5753.

4. Solution

Please review the patch/release notes for your product and
version and verify the checksum of your downloaded file.

VMware ESXi 6.5
Downloads:
https://my.vmware.com/group/vmware/patch
Documentation:
http://kb.vmware.com/kb/2151099

VMware ESXi 6.0
Downloads:
https://my.vmware.com/group/vmware/patch
Documentation:
http://kb.vmware.com/kb/2151132

VMware ESXi 5.5
Downloads:
https://my.vmware.com/group/vmware/patch
Documentation:
http://kb.vmware.com/kb/2150876

VMware Workstation Pro, Player 12.5.8
Downloads and Documentation:
https://www.vmware.com/go/downloadworkstation
https://www.vmware.com/support/pubs/ws_pubs.html

VMware Fusion Pro / Fusion 12.5.9
Downloads and Documentation:
https://www.vmware.com/go/downloadfusion
https://www.vmware.com/support/pubs/fusion_pubs.html

5. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2017-5753
http://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2017-5715

– ————————————————————————
6. Change log

2018-01-03 VMSA-2018-0002
Initial security advisory

– ————————————————————————
7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

security-announce@lists.vmware.com
bugtraq@securityfocus.com
fulldisclosure@seclists.org

E-mail: security@vmware.com
PGP key at: https://kb.vmware.com/kb/1055

VMware Security Advisories
http://www.vmware.com/security/advisories

VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html

VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html

VMware Security & Compliance Blog
https://blogs.vmware.com/security

Twitter

Copyright 2018 VMware Inc. All rights reserved.

—–BEGIN PGP SIGNATURE—–
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8

wj8DBQFaTXExDEcm8Vbi9kMRAr/VAKCOxT1EMDwsspzs5Yc5ENEeQYLEewCgtBlV
FRCvDfKfRLj6SdaI0n+/XY4=3D
=3DK5mR
—–END PGP SIGNATURE—–

–_000_BY2PR0501MB1686B792D1DD7D68BAB0AF67B91F0BY2PR0501MB1686_
Content-Type: text/html; charset=”iso-8859-1″
Content-Transfer-Encoding: quoted-printable

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1
– ——————————————————————–=
—-
                    =
           VMware Security Advisory
Advisory ID: VMSA-2018-0002
Severity:    Important
Synopsis:    VMware ESXi, Workstation and Fusion updates add=
ress 
             side-channel analysis =
due to speculative execution.
Issue date:  2018-01-03 
Updated on:  2018-01-03 ((Initial Advisory)
CVE number:  CVE-2017-5753, CVE-2017-5715
1. Summary
   VMware ESXi, Workstation and Fusion updates address side-=
channel
   analysis due to speculative execution.
2. Relevant Products
   VMware vSphere ESXi (ESXi)
   VMware Workstation Pro / Player (Workstation) 
   VMware Fusion Pro / Fusion (Fusion)   
3. Problem Description
   Bounds Check bypass and Branch Target Injection issues&nb=
sp;
   CPU data cache timing can be abused to efficiently leak i=
nformation
   out of mis-speculated CPU execution, leading to (at worst=
) arbitrary
   virtual memory read vulnerabilities across local security=
boundaries
   in various contexts. (Speculative execution is an automat=
ic and
   inherent CPU performance optimization used in all modern =
processors.)
   ESXi, Workstation and Fusion are vulnerable to Bounds Che=
ck Bypass
   and Branch Target Injection issues resulting from this vu=
lnerability.   
   Result of exploitation may allow for information disclosu=
re from one
   Virtual Machine to another Virtual Machine that is runnin=
g on the
   same host. The remediation listed in the table below is f=
or the known
   variants of the Bounds Check Bypass and Branch Target Inj=
ection
   issues. 
   The Common Vulnerabilities and Exposures project (cve.mit=
re.org) has
   assigned the identifiers CVE-2017-5753 (Bounds Check bypa=
ss) and
   CVE-2017-5715 (Branch Target Injection) to these issues.

   Column 5 of the following table lists the action required=
to
   remediate the observed vulnerability in each release, if =
a solution
   is available.
  
   VMware     Product Running    &n=
bsp;      Replace with/         Mit=
igation
   Product    Version on      Sever=
ity  Apply patch           Workaround

   =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D =3D=3D=3D=3D=3D=3D=3D =3D=
=3D=3D=3D=3D=3D=3D =3D=3D=3D=3D=3D=3D=3D=3D=3D =3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D         =3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D
   ESXi        6.5    Any&nbsp=
;    Important ESXi650-201712101-SG   None
   ESXi        6.0    Any&nbsp=
;    Important ESXi600-201711101-SG   None
   ESXi        5.5    Any&nbsp=
;    Important ESXi550-201709101-SG * None
   Workstation 14.x   Any     N/A&n=
bsp;      Not affected          &nb=
sp;N/A
   Workstation 12.x   Any     Impor=
tant 12.5.8                 No=
ne        
 
   Fusion      10.x   OS X  &n=
bsp; N/A       Not affected        =
   N/A
   Fusion      8.x    OS X  &n=
bsp; Important 8.5.9               =
  None 
   * This patch has remediation against CVE-2017-5715 but no=
t against
     CVE-2017-5753.
4. Solution
   Please review the patch/release notes for your product an=
d
   version and verify the checksum of your downloaded file.

   VMware ESXi 6.5
   Downloads:  
   https://my.vmware.com/group/vmware/patch
   Documentation:  
   http://kb.vmware.com/kb/2151099
   VMware ESXi 6.0
   Downloads:  
   https://my.vmware.com/group/vmware/patch
   Documentation:  
   http://kb.vmware.com/kb/2151132
   VMware ESXi 5.5
   Downloads:  
   https://my.vmware.com/group/vmware/patch
   Documentation:  
   http://kb.vmware.com/kb/2150876
   VMware Workstation Pro, Player 12.5.8
   Downloads and Documentation:
   https://www.vmware.com/go/downloadworkstation
   https://www.vmware.com/support/pubs/ws_pubs.html
   VMware Fusion Pro / Fusion 12.5.9
   Downloads and Documentation:  
   https://www.vmware.com/go/downloadfusion  
   https://www.vmware.com/support/pubs/fusion_pubs.html&nbsp=
;                  
   
   
5. References
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2017-=
5753
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2017-=
5715
– ——————————————————————–=
—-
6. Change log
   2018-01-03 VMSA-2018-0002
   Initial security advisory
– ——————————————————————–=
—-
7. Contact
   E-mail list for product security notifications and announ=
cements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security=
-announce
   This Security Advisory is posted to the following lists:

   
     security-announce@lists.vmware.com
     bugtraq@securityfocus.com
     fulldisclosure@seclists.org
   E-mail: security@vmware.com
   PGP key at: https://kb.vmware.com/kb/1055
   VMware Security Advisories
   http://www.vmware.com/security/advisories
   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response=
.html
   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html

   
   VMware Security & Compliance Blog
   https://blogs.vmware.com/security
   Twitter
   https://twitter.com/VMwareSRC
   Copyright 2018 VMware Inc.  All rights reserved.

—–BEGIN PGP SIGNATURE—–
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8
wj8DBQFaTXExDEcm8Vbi9kMRAr/VAKCOxT1EMDwsspzs5Yc5ENEeQYLEewCgtBlV
FRCvDfKfRLj6SdaI0n+/XY4=3D
=3DK5mR
—–END PGP SIGNATURE—–

–_000_BY2PR0501MB1686B792D1DD7D68BAB0AF67B91F0BY2PR0501MB1686_–

–===============5313349780767451850==
Content-Type: text/plain; charset=”us-ascii”
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Security-announce mailing list
Security-announce@lists.vmware.com
https://lists.vmware.com/mailman/listinfo/security-announce

–===============5313349780767451850==–