VMware response to CVE-2018-3665 (LazyFP)
Article ID: 328938
Updated On:
Products
VMware vCenter Server
Issue/Introduction
The VMware Security Engineering, Communications, and Response group (vSECR) has investigated the impact CVE-2018-3665 may have on VMware products.
Resolution
Evaluation Summary:
vSECR has completed evaluation of the following products and determined that under supported configurations they are not affected as there is no available path to execute arbitrary code without administrative privileges.
Note: Automated vulnerability scanners may report that these products are vulnerable to CVE-2018-3665 even though the issue is not exploitable. These products will still be updating their respective kernels in scheduled maintenance releases as a precautionary measure.
Potentially Affected Products
vSECR has evaluated the following products and determined that they may be affected by CVE-2018-3665 if the underlying hypervisor is running on processor architecture older than Sandy Bridge (2011). If the underlying hypervisor is runs on Sandy Bridge (2011) or newer Intel processors the VMware virtual appliance is not affected in default configuration. Workarounds have been investigated and are noted by the product entry if available. Remediation will be made available in upcoming releases.
Sign up at our Security-Announce mailing list to receive new and updated VMware Security Advisories and click Subscribe to Article in the Actions box to be alerted when new information is added to this document. If a specific version number is not listed, then that entry refers to all supported versions of the appliance.
- CVE-2018-3665 has been classified as a potential local privilege escalation in the Moderate severity range. Review our VMware Security Response Policies for information on severity classifications.
- CVE-2018-3665 has the potential of affecting VMware Virtual Appliances by way of the linux-based operating system that they ship on top of if the underlying hypervisor is running on processor architecture older than Sandy Bridge (2011). If the underlying hypervisor is runs on Sandy Bridge (2011) or newer Intel processors the VMware virtual appliance is not affected in default configuration.
- Products that ship as an installable windows or linux binary are not directly affected, but patches may be required from the respective operating system vendor that these products are installed on.
- VMware hypervisors are not affected by this issue.
vSECR has completed evaluation of the following products and determined that under supported configurations they are not affected as there is no available path to execute arbitrary code without administrative privileges.
Note: Automated vulnerability scanners may report that these products are vulnerable to CVE-2018-3665 even though the issue is not exploitable. These products will still be updating their respective kernels in scheduled maintenance releases as a precautionary measure.
| Products | Version | Evaluation | Workaround |
| VMware App Defense Appliance | Any | Unaffected | N/A |
| VMware ESXi | Any | Unaffected | N/A |
| VMware Horizon DaaS Platform | Any | Unaffected | N/A |
| VMware Horizon Mirage | Any | Unaffected | N/A |
| VMware HCX | Any | Unaffected | N/A |
| VMware Integrated Openstack | Any | Unaffected | N/A |
| VMware IoT Pulse | Any | Unaffected | N/A |
| VMware Mirage | Any | Unaffected | N/A |
| VMware NSX for vSphere | Any | Unaffected | N/A |
| VMware NSX-T | Any | Unaffected | N/A |
| VMware Skyline Appliance | Any | Unaffected | N/A |
| VMware Unified Access Gateway | Any | Unaffected | N/A |
| VMware vCenter Server | 5.5 | Unaffected | N/A |
| VMware vCloud Availability for vCloud Director | Any | Unaffected | N/A |
| VMware vCloud Director Extender | Any | Unaffected | N/A |
| VMware vRealize Business for Cloud | Any | Unaffected | N/A |
| VMware vRealize Log Insight | Any | Unaffected | N/A |
| VMware vRealize Network Insight | Any | Unaffected | N/A |
| VMware vRealize Operations | Any | Unaffected | N/A |
| VMware vRealize Orchestrator | Any | Unaffected | N/A |
| VMware vSphere Replication | Any | Unaffected | N/A |
| VMware Workbench | Any | Unaffected | N/A |
Potentially Affected Products
vSECR has evaluated the following products and determined that they may be affected by CVE-2018-3665 if the underlying hypervisor is running on processor architecture older than Sandy Bridge (2011). If the underlying hypervisor is runs on Sandy Bridge (2011) or newer Intel processors the VMware virtual appliance is not affected in default configuration. Workarounds have been investigated and are noted by the product entry if available. Remediation will be made available in upcoming releases.
| Product | Version | Evaluation | Workaround |
| VMware vCloud Usage Meter | Any | Potentially Affected | KB 52467 |
| VMware Identity Manager | Any | Potentially Affected | KB 52284 |
| VMware vCenter Server | 6.7 | Potentially Affected | KB 52312 |
| VMware vCenter Server | 6.5 | Potentially Affected | KB 52312 |
| VMware vCenter Server | 6.0 | Potentially Affected | KB 52312 |
| VMware Data Protection | Any | Potentially Affected | None |
| VMware vSphere Integrated Containers | Any | Potentially Affected | None |
| VMware vRealize Automation | Any | Potentially Affected | KB 52377 and KB 52497 |
Feedback
Yes
No
Powered by
