The VMware Security Engineering, Communications, and Response group (vSECR) has investigated the impact CVE-2019-1125  may have on VMware products and has determined that VMware Virtual Appliances will  require additional Operating System-Specific Mitigations in the form of Linux kernel updates. Operating System-Specific Mitigations were previously defined in KB55636.

Sign up at our Security-Announce mailing list to receive new and updated VMware Security Advisories and click Subscribe to Article in the Actions box to be alerted when new information is added to this document.

Evaluation and Response Summary:

• CVE-2019-1125  has been classified as a Speculative-Execution variation of Spectre V1. An unprivileged local attacker could potentially use this flaw to bypass memory security boundaries to read information contained in privileged memory locations.
• CVE-2019-1125 has the potential of affecting VMware Virtual Appliances by way of their linux-based operating system .
• VMware Security Response has classified this vulnerability to be in the Moderate severity range with a CVSSv3 score of 4.7 .
• Future releases of VMware Virtual Appliances will ship with updated linux kernels which contain improved Operating System-Specific Mitigations to address CVE-2019-1125. Check product release notes for information on these mitigations when they ship.
• VMware ESXi is not affected by CVE-2019-1125.
• Microcode updates will not be required for the aforementioned Operating System-Specific Mitigations to function.
• Products that ship as an installable windows or linux binary are not directly affected, but patches may be required from the respective operating system vendor that these products are installed on. VMware recommends contacting your 3rd party operating system vendor to determine appropriate actions for mitigation of CVE-2019-1125.