meltdown / Spectre and VMWare 5.5 and 5.1

We have a couple vcenters with esxi hosts. 5.5 and 5.1. Should we be concerned about all the hype over the meltdown and Spectre vulnerabilities? I know it has caused havoc in the Microsoft world. What should we be concerned about in the VMware world?
LVL 1
Thor2923Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Ajay ChananaMCSE-2003/08|RHCSA| VCP5/6 |vExpert2018Commented:
There are patches been released so if you apply those you can avoid the above vulnerabilities.

Stay tuned for more information.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Ajay ChananaMCSE-2003/08|RHCSA| VCP5/6 |vExpert2018Commented:
5.1 is out of support , so I don't think there will be patches for it. I would recommend to have your environment upgraded to be on safer side.

For more information please open ticket with VMware on this.
0
Ajay ChananaMCSE-2003/08|RHCSA| VCP5/6 |vExpert2018Commented:
You may download patch following below kb.

https://kb.vmware.com/s/article/2150882

Please note other than above guest side patching is also required.
0
ON-DEMAND: 10 Easy Ways to Lose a Password

Learn about the methods that hackers use to lift real, working credentials from even the most security-savvy employees in this on-demand webinar. We cover the importance of multi-factor authentication and how these solutions can better protect your business!

btanExec ConsultantCommented:
Virtually all machine including VMWare are affected as the underlying vulnerabilities are due to the INtel, AMD and ARM CPU. It is unlikely any hardware is not using these hardware. VMware released security advisory VMSA-2018-0002 in regards to Meltdown and Spectre vulnerabilities.
VMSA-2018-0002 – VMware ESXi, Workstation and Fusion updates address side-channel analysis due to speculative execution.

This advisory documents remediation for known variants of the Bounds-Check Bypass (CVE-2017-5753) and Branch Target Injection (CVE-2017-5715) issues due to speculative execution disclosed today by Google Project Zero. These issues may result in information disclosure from one Virtual Machine to another Virtual Machine that is running on the same host.

A third issue due to speculative execution, Rogue Data Cache Load (CVE-2017-5754), was disclosed along the other two issues. It does not affect ESXi, Workstation, and Fusion because ESXi does not run untrusted user mode code, and Workstation and Fusion rely on the protection that the underlying operating system provides.
The remediation as documented in VMSA-2018-0002, has been present in VMware Cloud on AWS since early December 2017.
https://www.vmware.com/us/security/advisories/VMSA-2018-0002.html

The short of it, result of exploitation may allow for information disclosure from one Virtual Machine to another Virtual Machine that is running on the same host. Go to the advisory to patch the multiple VMware products affected:

  1. ESXi 5.5, 6.0, and 6.5 (install relevant patches: ESXi550-201709101-SG, ESXi600-201711101-SG, ESXi650-201712101-SG; ESXi 5.5 patch has remediation against CVE-2017-5715, but not against CVE-2017-5753)
  2. Workstation 12.x (update to 12.5.8)
  3. Fusion 8.x (update to 8.5.9)

https://cloudhat.eu/vmware-security-advisory-vmsa-2018-0002-meltdown-specter-vulnerabilities/

Specific patch available
Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.

VMware ESXi 6.5
Downloads:  
https://my.vmware.com/group/vmware/patch
Documentation:  
http://kb.vmware.com/kb/2151099

VMware ESXi 6.0
Downloads:  
https://my.vmware.com/group/vmware/patch
Documentation:  
http://kb.vmware.com/kb/2151132

VMware ESXi 5.5
Downloads:  
https://my.vmware.com/group/vmware/patch
Documentation:  
http://kb.vmware.com/kb/2150876

VMware Workstation Pro, Player 12.5.8
Downloads and Documentation:
https://www.vmware.com/go/downloadworkstation
https://www.vmware.com/support/pubs/ws_pubs.html

VMware Fusion Pro / Fusion 12.5.9
Downloads and Documentation:  
https://www.vmware.com/go/downloadfusion 
https://www.vmware.com/support/pubs/fusion_pubs.html
0
Giridhara Raam MDigital Marketing SpecialistCommented:
Mitigate @intel bugs,

Join this free webinar titled "How to mitigate Meltdown and Spectre bugs" on Jan 10, 11:00 am EDT to get hands on experience.

https://www.manageengine.com/products/desktop-central/meltdown-and-spectre-webinar.html?EE

melt-webinar-social-banner.jpg
0
btanExec ConsultantCommented:
For author advice
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Vulnerabilities

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.