Google Project Zero released yesterday information about two vulnerabilities with impact to major processors vendors: Meltdown (CVE-2017-5754 – rogue data cache load) and Spectre (CVE-2017-5753 – bounds check bypass & CVE-2017-5715 – branch target injection). Among other organizations, VMware released a security advisory: VMSA-2018-0002 – VMware ESXi, Workstation and Fusion updates address side-channel analysis due to speculative execution.
How to patch your vCenter / ESXi infrastructure against speculative execution vulnerabilities (Meltdown and Spectre). Products, versions, patches, order of upgrade, dependencies, warnings. VMware Patches for Spectre
Meltdown and Spectre Overview
Meltdown breaks the isolation between user applications and the operating system, and allows an application to access all system memory (this includes kernel allocated memory). Meltdown affects a range of Intel processors.
Spectre breaks the memory isolation between different applications, and allows an application to force another application to access arbitrary portions of its memory. Spectre affects a wide range of processors: Intel, AMD, and ARM.
“Both of these vulnerabilities are hardware level vulnerabilities that exist because of a flaw in CPU architecture. They are very serious vulnerabilities because they are operating system and software independent. The long term fix for both of these issues will require that CPU makers change the way their chips work, which means redesigning and releasing new chips.” – Defiant
You can find more information on both vulnerabilities on spectreattack.com. For comprehensive technical details, you can refer to these academic papers: Meltdown and Spectre.
Show your support, share this article: