Greetings from the VMware Security Response Center!
Today we released VMSA-2018-0012, which documents Hypervisor-Assisted Guest Mitigations for CVE-2018-3639 (Speculative Store Bypass). CVE-2018-3640 (Rogue System Register Read) was also disclosed today.
We thought a few points and a documentation summary would help sum up what this issue means for VMware products:
– The issue requires Hypervisor-Assisted Guest Mitigations for vSphere to pass the new Speculative-Store-Bypass-Disable (SSBD) control bit to guest operating systems. It has been classified as Moderate severity. ESXi and vCenter updates will be required.
– Microcode containing the SSBD control bits is not yet available from third parties, so vSphere patches are on hold for now.
– Workstation/Fusion patches shipped today will support SSBD when microcode patches are available.
– This issue affects applications and/or execution runtimes which rely on managed code security mechanisms. Applications which consume untrusted data and rely on these mechanisms are at risk.
– Operating System-Specific Mitigations are required as well, but we have not found any VMware appliances which would be affected by this issue. Regardless, we will be updating applicable open-source software in upcoming maintenance releases as a precautionary measure.
– This issue led to a 4th speculative execution category which we have called Microcode Mitigations.
– This issue is resolved by a microcode update and does not require any code changes for VMware products. Please contact your hardware vendor for information on mitigations for this vulnerability.
Based on current evaluations, we do not believe that CVE-2018-3639 or CVE-2018-3640 could allow for VM-to-VM or Hypervisor-to-VM information disclosure. Thus, Hypervisor-Specific Mitigations are not required.
Customers should review the available documentation and direct questions to VMware Support.
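An added example, not taken from VMware's documentation: a shell check for a Linux guest (an assumption, since the post names no guest OS) that reports whether the SSBD control bit described above is visible inside the guest and which Speculative Store Bypass state the kernel reports. The `ssbd` flag name, the sysfs path and the status strings are the Linux kernel's; the function names are illustrative.

```shell
#!/bin/sh
# Added example (assumes a Linux guest). Reports whether the guest sees the
# SSBD control bit and how the kernel classifies Speculative Store Bypass.

# has_ssbd_flag CPUINFO_TEXT -> exit 0 if the exact "ssbd" CPU flag is listed.
# grep -w keeps names such as "virt_ssbd" from matching.
has_ssbd_flag() {
    printf '%s\n' "$1" | grep -E '^flags[[:space:]]*:' | head -n 1 |
        grep -qw 'ssbd'
}

# classify_ssb STATUS_LINE -> prints a short state name for the kernel's
# spec_store_bypass status line.
classify_ssb() {
    case "$1" in
        "Not affected"*)              echo not_affected ;;
        "Vulnerable"*)                echo vulnerable ;;
        "Mitigation:"*"via prctl"*)   echo mitigated_per_process ;;
        "Mitigation:"*)               echo mitigated_global ;;
        *)                            echo unknown ;;
    esac
}

# guest_ssbd_report CPUINFO_TEXT STATUS_LINE -> one-line summary.
guest_ssbd_report() {
    if has_ssbd_flag "$1"; then flag=present; else flag=absent; fi
    echo "ssbd_flag=$flag ssb_state=$(classify_ssb "$2")"
}

# Read the live system only when called with the argument "live".
if [ "${1:-}" = "live" ]; then
    status_file=/sys/devices/system/cpu/vulnerabilities/spec_store_bypass
    status=$(cat "$status_file" 2>/dev/null || echo "")
    guest_ssbd_report "$(cat /proc/cpuinfo)" "$status"
fi
```

Invoked with the argument `live` inside the guest, it reads the real files. `ssbd_flag=absent` together with `ssb_state=vulnerable` indicates the control bit is not reaching the guest, and `mitigated_per_process` means only processes that opt in are protected.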