Skip to content

VMware VMSA-2018-0002 & VMSA-2018-0003

Google Prohect Zero released these days information about two vulnerabilities found on all major CPUs vendors: Meltdown – CVE-2017-5754  rogue data cache load and Spectre – CVE-2017-5753 & CVE2017-5715 bounds check bypass and branch target injection. You can read more about these here: https://googleprojectzero.blogspot.ro/2018/01/reading-privileged-memory-with-side.html and https://thehackernews.com/2018/01/meltdown-spectre-vulnerability.html

VMware released yesterday and today two security advisors that address this issue: VMSA-2018-0002 VMware ESXi, Workstation and Fusion updates address side-channel analysis due to speculative execution and VMSA-2018-0003 vRealize Operations for Horizon, vRealize Operations for Published Applications, Workstation, Horizon View Client and Tools updates resolve multiple security vulnerabilities.

The VMSA-2018-002 address the following issue “CPU data cache timing can be abused to efficiently leak information out of mis-speculated CPU execution, leading to (at worst) arbitrary virtual memory read vulnerabilities across local security boundaries in various contexts. (Speculative execution is an automatic and inherent CPU performance optimization used in all modern processors.) ESXi, Workstation and Fusion are vulnerable to Bounds Check Bypass and Branch Target Injection issues resulting from this vulnerability.”

Products that are affected:

  • VMware vSphere ESXi from version 5.5 to 6.5
  • VMware Workstation 12.x and 14.x
  • VMware Fusion 8.x and 10.x

The VMSA-2018-003 refers to the following issue “V4H and V4PA desktop agent privilege escalation vulnerability. The V4H and V4PA desktop agents contain a privilege escalation vulnerability. Successful exploitation of this issue could result in a low privileged windows user escalating their privileges to SYSTEM.”

Products that are affected:

  • vRealize Operations for Horizon
  • vRealize Operations for Published Applications
  • VMware Workstation
  • VMware Fusion
  • Horizon View Client for windows

You can read more here: https://www.vmware.com/security/advisories/VMSA-2018-0002.html & https://www.vmware.com/security/advisories/VMSA-2018-0003.html

And don’t forget, sing up for Security Advisories so that you aware of patches faster.

Published inGeneral

Be First to Comment

Leave a Reply

Your email address will not be published. Required fields are marked *