As per Security Advisory VMSA-2018-0007, VMware has begun releasing virtual appliance updates to address side-channel analysis vulnerabilities caused by speculative execution. One of the first virtual appliances VMware has patched is vCenter 6.5. The latest release, vCenter 6.5U1f, patches the VCSA’s Photon OS to address the Spectre-1 (CVE-2018-5753) and Meltdown (CVE-2017-5754) vulnerabilities. Mitigations for Spectre-2 (CVE-2017-5715) are absent from the latest patch: the Spectre-1 and Meltdown mitigations were ready to be released, whereas the Spectre-2 mitigations are still being prepared.
- Spectre-1: Bounds Check Bypass (CVE-2018-5753) – Patch 6.5U1f
- Spectre-2: Branch Target Injection (CVE-2017-5715) – Patch Pending
- Meltdown: Rogue Data Cache Load Issues (CVE-2017-5754) – Patch 6.5U1f
Patch VMware vCenter Appliance from VAMI
For this example, we utilize URL patching to update vCenter 6.5 to 6.5U1f from the vCenter Server Appliance Management Interface. URL patching will go out to the VMware Repository, check for updates, and patch the VCSA to the latest version.
To begin, log into the vCenter Server Appliance Management Interface at https://vcsaIP:5480. From the Navigator, select Update. Under the Check Updates drop-down, select Check Repository.