VMware has started to reissue patches and workarounds for its Virtual Appliance products that are at risk from the Meltdown and Spectre security flaws. The company said its Virtual Appliance (VA) products, including vCloud Usage Meter (UM), Identity Manager (vIDM), vCenter Server (vCSA), vSphere Data Protection (VDP), vSphere Integrated Containers (VIC), and vRealize Automation (vRA), are affected.
In its advisory, the firm said that CPU data cache timing can be abused to “leak information outside of mis-speculated CPU execution, leading to (at worst) arbitrary virtual memory read vulnerabilities across local security boundaries within contexts.” Successful exploitation may lead to information disclosure.
Only one patch provided by VMware so far
The company has so far released a patch only for its vSphere Integrated Containers (VIC) product. Mitigation guidance is shared for all the other products on the affected list. The advisory warns that the Meltdown and Spectre chip bugs impact several products and encourages users to apply the workarounds until patches arrive. It adds, however, that users shouldn’t panic or apply workarounds and patches to products that aren’t vulnerable, since they are intended only for the products they are listed for.
After several companies were forced to pull back their fixes for the Spectre and Meltdown flaws, VMware had announced that it was delaying its patches. Intel stated that it has finally identified the root cause of the issue in the patches that had been causing systems to reboot and has since begun releasing new patches. It’s likely that more companies will now start releasing their patches for the three variants of the two attacks.
For VMware products, consult the specific advisories for additional details on the workarounds until permanent fixes are made available:
- vCloud Usage Meter (UM): KB52467
- Identity Manager (vIDM) 3.x, 2.x: KB52284
- vCenter Server (vCSA) 6.0, 6.5: KB52312 [5.5 isn’t affected]
- vSphere Data Protection (VDP): Unavailable
- vSphere Integrated Containers (VIC): Patch available
- vRealize Automation (vRA): 7.x KB52377 | 6.x KB52497
For more information, see the security advisory.