
Monthly Archives: February 2018

VMSA-2018-0007.1 – VMware Virtual Appliance updates address side-channel analysis due to speculative execution

Greetings from the VMware Security Response Center!

We thought we should post an explanation of today’s changes to VMSA-2018-0007 as we have removed CVE-2017-5715 from the advisory.

The reason we have done this is to clarify which of these issues have been mitigated against currently known variants of the different vulnerabilities.

Because CVE-2017-5753 (Meltdown) is considered by some to be the most severe/exploitable of the issues, we did not want to wait for CVE-2017-5715 (Spectre-2) mitigations while Spectre-1/Meltdown fixes were ready to ship. We also understand that some customers may want to delay updating until all mitigations are in place. While we strongly recommend taking updates as soon as they become available, we wanted to be transparent about the fact that more updates are on the way.

Products will be enumerated in a new advisory when either of the following requirements is met to mitigate CVE-2017-5715:

1. IBPB/IBRS is supported.
2. Retpoline is supported.

Because this is an ongoing issue, VMware appliances will continue to accept improved open source mitigations as they are created.

VMware Security Advisory VMSA-2018-0007

Today VMware has released the following new and updated security advisories:

VMSA-2018-0007

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.