VMware Releases Workarounds to Address Meltdown & Spectre Flaws Affecting Virtual Appliances
VMware has started to reissue patches and workarounds for its affected Virtual Appliance products that are vulnerable to the Meltdown and Spectre security flaws. The company said its VMware VA products, including vCloud Usage Meter (UM), Identity Manager (vIDM), vCenter Server (vCSA), vSphere Data Protection (VDP), vSphere Integrated Containers (VIC), and vRealize Automation (vRA) are affected.
Publishing its advisory, the firm said that CPU data cache timing can be abused to “leak information out of mis-speculated CPU execution, leading to (at worst) arbitrary virtual memory read vulnerabilities across local security boundaries in various contexts.” If successful, the exploitation can lead to information disclosure.
The company has only released a single patch for its vSphere Integrated Containers (VIC) products. However, mitigation tips are shared for all the other products that are in the affected list. The advisory warns that the Meltdown and Spectre chip bugs impact several products, encouraging users to implement workarounds until the patches arrive. However, it also added that users shouldn’t panic or implement workarounds and patches on the products that aren’t vulnerable since they are only designed for the products they are mentioned for.