CERT-Bund Notification
—————–
BRIEF INFO CB-K18/0257 UPDATE 1
Title: VMware Virtual Appliances: Multiple vulnerabilities allow,
among other things, the disclosure of information
Date: 16.02.2018
Software: VMware vCenter Server (vCSA) 6.0, VMware vCenter
Server (vCSA) 6.5, VMware vSphere Data Protection
(VDP) 6.x
Platform: VMware vCenter Server (vCSA), VMware vSphere Data
Protection (VDP)
Impact: Disclosure of information
Remote attack: No
Risk: high
CVE list: CVE-2017-5753, CVE-2017-5754
Reference: https://www.vmware.com/us/security/advisories/VMSA-2018-0007.1.html
REVISION HISTORY
Version: 2
VMware has published the updated security advisory VMSA-2018-0007.1
and also explains it in a blog post, in order to clarify which of the
attack variants are mitigated by the currently available security
updates. CVE-2017-5715 (Spectre-2) is not yet addressed by these
updates and was therefore removed, whereas mitigations for
CVE-2017-5754 (Meltdown), which some consider especially severe and
exploitable, and for CVE-2017-5753 (Spectre-1) are already included,
which is why installing the current security updates is recommended.
Version: 1
New advisory
DESCRIPTION
VMware vCenter Server provides a central, extensible platform for
managing virtual infrastructure.
VMware vSphere Data Protection is based on the EMC Avamar backup and
restore software and is integrated into vSphere management; this
applies both to the vSphere Web Client and to vCenter Server.
The vulnerabilities CVE-2017-5715, CVE-2017-5753 and CVE-2017-5754,
known as 'Spectre' and 'Meltdown', also affect a number of VMware
products, among them vCenter Server (vCSA) and vSphere Data
Protection (VDP). According to the vendor, an unauthenticated attacker
on the adjacent network, for example as a user of a virtual machine,
can exploit the vulnerabilities to read information from other
virtual machines on the same host and thereby carry out further
attacks.
The vulnerabilities affect, among others, vCenter Server (vCSA) 6.0
and 6.5 and vSphere Data Protection (VDP) 6.x. So far the vendor has
not provided security updates for these. For vCenter Server, a
mitigation / workaround is referenced (see 'vCenter Server Appliance
(and PSC) 6.5 / 6.0 Workaround for CVE-2017-5753, CVE-2017-5715,
CVE-2017-5754 (aka Spectre and Meltdown) (52312)'), while for vSphere
Data Protection no countermeasures are described until a patch is
made available in the future. The vendor has also not yet given a
time frame for the patches.
[1] Vulnerability CVE-2017-5715 (NVD)
<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5715>
[2] Vulnerability CVE-2017-5753 (NVD)
<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5753>
[3] Vulnerability CVE-2017-5754 (NVD)
<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5754>
[4] VMware Security Advisories VMSA-2018-0007
<https://www.vmware.com/us/security/advisories/VMSA-2018-0007.html>
[5] vCenter Server Appliance (and PSC) 6.5 / 6.0 Workaround for
CVE-2017-5753, CVE-2017-5715, CVE-2017-5754 (aka Spectre and
Meltdown) (52312)
<https://kb.vmware.com/s/article/52312>
[6] VMware Security Advisories VMSA-2018-0007.1
<https://www.vmware.com/us/security/advisories/VMSA-2018-0007.1.html>
[7] VMware Security & Compliance Blog: VMSA-2018-0007.1 - VMware Virtual
Appliance updates address side-channel analysis due to speculative
execution
<https://blogs.vmware.com/security/2018/02/vmsa-2018-0007-1-vmware-virtual-appliance-updates-address-side-channel-analysis-due-speculative-execution.html>
Kind regards,
the CERT-Bund team
——————————
Bundesamt für Sicherheit in der Informationstechnik (BSI)
Section C 21
Godesberger Allee 185 -189
53175 Bonn
Postfach 20 03 63
53133 Bonn
Phone: +49 (0)228 99 9582 222
Fax: +49 (0)228 99 9582 5427
E-mail: wid-kontakt@bsi.bund.de
Internet: www.cert-bund.de
——————————