VMware response to CVE-2019-1125 - Speculative-Execution vulnerability in SWAPGS instruction for VMware Virtual Appliances
search cancel

VMware response to CVE-2019-1125 - Speculative-Execution vulnerability in SWAPGS instruction for VMware Virtual Appliances

book

Article ID: 342266

calendar_today

Updated On:

Products

VMware VMware Aria Suite VMware vCenter Server

Issue/Introduction

The VMware Security Engineering, Communications, and Response group (vSECR) has investigated the impact CVE-2019-1125  may have on VMware products and has determined that VMware Virtual Appliances will  require additional Operating System-Specific Mitigations in the form of Linux kernel updates. Operating System-Specific Mitigations were previously defined in KB55636.

Sign up at our https://www.broadcom.com/support/vmware-security-advisories list to receive new and updated VMware Security Advisories and click Subscribe to Article in the Actions box to be alerted when new information is added to this document.

Resolution

Evaluation and Response Summary:

  • CVE-2019-1125  has been classified as a Speculative-Execution variation of Spectre V1. An unprivileged local attacker could potentially use this flaw to bypass memory security boundaries to read information contained in privileged memory locations.
  • CVE-2019-1125 has the potential of affecting VMware Virtual Appliances by way of their linux-based operating system .
  • VMware Security Response has classified this vulnerability to be in the Moderate severity range with a CVSSv3 score of 4.7 .
  • Future releases of VMware Virtual Appliances will ship with updated linux kernels which contain improved Operating System-Specific Mitigations to address CVE-2019-1125. Check product release notes for information on these mitigations when they ship.
  • VMware ESXi is not affected by CVE-2019-1125.
  • Microcode updates will not be required for the aforementioned Operating System-Specific Mitigations to function.
  • Products that ship as an installable windows or linux binary are not directly affected, but patches may be required from the respective operating system vendor that these products are installed on. VMware recommends contacting your 3rd party operating system vendor to determine appropriate actions for mitigation of CVE-2019-1125.