VMware response to ‘L1 Terminal Fault’ (L1TF) Speculative-Execution vulnerabilities in Intel processors for VMware SaaS offerings: CVE-2018-3646 and CVE-2018-3620
search cancel

VMware response to ‘L1 Terminal Fault’ (L1TF) Speculative-Execution vulnerabilities in Intel processors for VMware SaaS offerings: CVE-2018-3646 and CVE-2018-3620

book

Article ID: 302543

calendar_today

Updated On:

Products

VMware vCenter Server

Issue/Introduction

The purpose of this article is to provide a response to the security issues related to speculative execution in Intel processors described by CVE-2018-3646 (L1 Terminal Fault - VMM) and CVE-2018-3620 (L1 Terminal Fault - OS) as they apply to VMware SaaS offerings.

Responses have been broken into the following categories for potentially affected offerings. The scope of this document is limited to VMware SaaS offerings that run in a vSphere environment.

  • Infrastructure security impact statement
  • Recommended actions
  • Operational impact statement

 
The Update History section of this article will be revised when there is a significant change to this document. Click Subscribe to Article in the Actions box to be alerted when new information is added to this document and sign up at our Security-Announce mailing list to receive new and updated VMware Security Advisories. In addition, operational events are announced for our various SaaS offerings on our VMware Cloud Services Status Page.

This article is dedicated to VMware SaaS offerings, for an overview of these vulnerabilities and links to on-prem product documentation please see KB55636.

Note: this document uses terminology defined in KB55806.

Resolution

VMware Cloud on AWS (Including MSPs)

Infrastructure security impact statement:
CVE-2018-3646 (L1 Terminal Fault - VMM)
  • VMware Cloud on AWS has completed the mitigation process for CVE-2018-3646.
CVE-2018-3620 (L1 Terminal Fault - OS)
  • Based on current evaluations, CVE-2018-3620 does not affect the VMware Cloud on AWS infrastructure itself.
Recommended customer actions:
CVE-2018-3646 (L1 Terminal Fault - VMM)
  • No customer action required.
CVE-2018-3620 (L1 Terminal Fault - OS)
  • 3rd party operating systems and VMware appliances deployed in an Organization’s SDDC may be affected by CVE-2018-3620. For information on VMware appliances please see KB55807. Customers are advised to contact their 3rd party operating system vendor to determine appropriate actions for mitigation of CVE-2018-3620.
Operational impact statement
  • Customers should not experience any unscheduled operational impacts to their Organization’s SDDC. Please use the in-product support center to file an SR or chat support for any questions or concerns.

VMware Workspace One SaaS (formerly Airwatch Saas)

Infrastructure security impact statement:
CVE-2018-3646 (L1 Terminal Fault - VMM)
  • Based on current evaluations, VMware Workspace One SaaS infrastructure is not impacted by CVE-2018-3646.
CVE-2018-3620 (L1 Terminal Fault - OS)
  • Based on current evaluations, the VMware Workspace One SaaS infrastructure is not impacted by CVE-2018-3620.
Recommended customer actions:
CVE-2018-3646 (L1 Terminal Fault - VMM)
  • No customer action required.
CVE-2018-3620 (L1 Terminal Fault - OS)
  • No customer action required.
Operational impact statement
  • Customers should not experience any unscheduled operational impacts.

VMware Horizon Cloud

Infrastructure security impact statement:
CVE-2018-3646 (L1 Terminal Fault - VMM)
  • VMware Horizon Cloud is affected by CVE-2018-3646 but due to environmental factors the severity of the issue is lowered to Moderate from Important. The VMware Horizon Cloud infrastructure is architected to segment customer environments from one another, therefore, inter-organizational leaks between virtual machines are not possible as different organizations do not share ESXi hosts. Updates to are being prioritized to resolve CVE-2018-3646.
CVE-2018-3620 (L1 Terminal Fault - OS)
  • Based on current evaluations, the VMware Horizon Cloud infrastructure is not impacted by CVE-2018-3620.
Recommended customer actions:
CVE-2018-3646 (L1 Terminal Fault - VMM)
  • No customer action required.
CVE-2018-3620 (L1 Terminal Fault - OS)
  • Virtual Desktops may be affected by CVE-2018-3620. Customers are advised to contact their 3rd party operating system vendor to determine appropriate actions for mitigation of CVE-2018-3620.
Operational impact statement
  • After maintenance is performed by VMware, which should by itself have no operational impact to their Organization's SDDC, customers will no longer be able to publish images until they have upgraded VMware Tools in their images to version 10.2.5 or above. Customers will not experience any impact with use of already provisioned VMs and published images. VMware will notify customers once updates are complete so that you may perform upgrades of VMTools in your images.


Additional Information