VMware Releases Workarounds to Address Meltdown & Spectre Flaws Affecting Virtual Appliances
VMware has started to reissue patches and workarounds for its Virtual Appliance products that are vulnerable to the Meltdown and Spectre security flaws. The company said its VMware VA products, including vCloud Usage Meter (UM), Identity Manager (vIDM), vCenter Server (vCSA), vSphere Data Protection (VDP), vSphere Integrated Containers (VIC), and vRealize Automation (vRA), are affected.
In its advisory, the firm said that CPU data cache timing can be abused to "leak information out of mis-speculated CPU execution, leading to (at worst) arbitrary virtual memory read vulnerabilities across local security boundaries in various contexts." Successful exploitation can lead to information disclosure.
Only one patch published by VMware so far
The company has released only a single patch, for its vSphere Integrated Containers (VIC) products. However, mitigation tips are shared for all the other products on the affected list. The advisory warns that the Meltdown and Spectre chip bugs impact several products and encourages users to implement workarounds until the patches arrive. It also added that users shouldn't panic or apply workarounds and patches to products that aren't vulnerable, since each one is designed only for the products it is listed for.
After several companies had to pull back their fixes for the Spectre and Meltdown flaws, VMware announced that it was delaying its patches. Intel said that it has finally identified the root issue in the patches that was causing systems to reboot and has since started to release new patches. It's likely that more companies will now start releasing their patches for the three variants of these two attacks.
For VMware products, check the relevant advisory for each product to learn more about the workaround until permanent fixes are made available:
- vCloud Usage Meter (UM): KB52467
- Identity Manager (vIDM) 3.x, 2.x: KB52284
- vCenter Server (vCSA) 6.0, 6.5: KB52312 [5.5 isn't affected]
- vSphere Data Protection (VDP): Unavailable
- vSphere Integrated Containers (VIC): Patch available
- vRealize Automation (vRA): 7.x KB52377 | 6.x KB52497
For more details, check out this security advisory.