

=====================================================================

                                 CERT-Renater

                      Information Note No. 2022/VULN247

_____________________________________________________________________

DATE                : 13/07/2022

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running VMware ESXi,
                        VMware Cloud Foundation.

=====================================================================
https://www.vmware.com/security/advisories/VMSA-2022-0020.html
_____________________________________________________________________


Severity:       Moderate
Advisory ID:    VMSA-2022-0020
CVSSv3 Range:   5.6
Issue Date:     2022-07-12
Updated On:     2022-07-12 (Initial Advisory)
CVE(s):         CVE-2022-29901, CVE-2022-28693, CVE-2022-23816,
                 CVE-2022-23825
Synopsis:
VMware ESXi addresses Return-Stack-Buffer-Underflow and Branch Type
Confusion vulnerabilities


1. Impacted Products

     VMware ESXi
     VMware Cloud Foundation

2. Introduction

Multiple side-channel vulnerabilities in Intel (CVE-2022-29901,
CVE-2022-28693) and AMD (CVE-2022-23816, CVE-2022-23825) CPUs
have been disclosed. Patches are available to mitigate these
vulnerabilities in affected VMware products.

3. Return-Stack-Buffer-Underflow (CVE-2022-29901, CVE-2022-28693)
and Branch Type Confusion (CVE-2022-23816, CVE-2022-23825)
vulnerabilities


Description

VMware ESXi contains Return-Stack-Buffer-Underflow (CVE-2022-29901,
CVE-2022-28693) and Branch Type Confusion (CVE-2022-23816,
CVE-2022-23825) vulnerabilities due to the Intel and AMD processors
it utilizes. VMware has evaluated the severity of these issues
to be in the Moderate severity range with a maximum CVSSv3
base score of 5.6.


Known Attack Vectors

A malicious actor with administrative access to a virtual machine
can take advantage of various side-channel CPU flaws that may leak
information stored in physical memory about the hypervisor or other
virtual machines that reside on the same ESXi host.


Resolution


To mitigate CVE-2022-29901, CVE-2022-28693, CVE-2022-23816, and
CVE-2022-23825, apply the patches listed in the 'Fixed Version'
column of the 'Resolution Matrix' found below. These patches do
not introduce performance impact.


Workarounds

None.


Additional Documentation

A supplemental FAQ was created for additional clarification.


Notes

None.


Acknowledgements

None.


Response Matrix:

Product  Version  Running On  CVE Identifier   CVSSv3  Severity  Fixed Version         Workarounds  Additional Documentation

ESXi     7.0      Any         CVE-2022-29901,  5.6     moderate  ESXi70U3sf-20036586   None         FAQ
                              CVE-2022-28693,
                              CVE-2022-23816,
                              CVE-2022-23825

ESXi     6.7      Any         CVE-2022-29901,  5.6     moderate  ESXi670-202207401-SG  None         FAQ
                              CVE-2022-28693,
                              CVE-2022-23816,
                              CVE-2022-23825

ESXi     6.5      Any         CVE-2022-29901,  5.6     moderate  ESXi650-202207401-SG  None         FAQ
                              CVE-2022-28693,
                              CVE-2022-23816,
                              CVE-2022-23825


Impacted Product Suites that Deploy Response Matrix Components:

Product                  Version  Running On  CVE Identifier   CVSSv3  Severity  Fixed Version  Workarounds  Additional Documentation

Cloud Foundation (ESXi)  4.x      Any         CVE-2022-29901,  5.6     moderate  KB88695        None         FAQ
                                              CVE-2022-28693,
                                              CVE-2022-23816,
                                              CVE-2022-23825

Cloud Foundation (ESXi)  3.x      Any         CVE-2022-29901,  5.6     moderate  KB88927        None         FAQ
                                              CVE-2022-28693,
                                              CVE-2022-23816,
                                              CVE-2022-23825
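
Added example (not part of the VMware or CERT-Renater advisory): a Python triage of an ESXi host inventory against the 'Fixed Version' column above. It assumes version banners in the form printed by `vmware -v`, a per-host bulletin list supplied by your own patch-management inventory, and that the numeric suffix of ESXi70U3sf-20036586 is a build number; hostnames and sample builds are constructed.

```python
import re

# Fixed versions copied from the advisory's Response Matrix.
# Assumption: the numeric suffix of "ESXi70U3sf-20036586" is the build number
# of that patch, so any 7.0 build at or above it already contains the fix.
FIXED_BUILD_70 = 20036586
FIXED_BULLETIN = {"6.7": "ESXi670-202207401-SG", "6.5": "ESXi650-202207401-SG"}

# Version banner in the form printed by `vmware -v` on an ESXi host.
BANNER = re.compile(r"VMware ESXi (\d+\.\d+)\.\d+ build-(\d+)")

def assess(banner, bulletins=()):
    """Classify one host against the matrix; `bulletins` is the list of
    patch bulletin IDs your patch-management inventory reports for it."""
    m = BANNER.search(banner)
    if not m:
        return "unparsed"
    release, build = m.group(1), int(m.group(2))
    if release == "7.0":
        return "fixed" if build >= FIXED_BUILD_70 else "patch required"
    if release in FIXED_BULLETIN:
        # A missing bulletin is not proof of exposure: a later rollup may
        # supersede it, so send the host for manual review instead.
        return "fixed" if FIXED_BULLETIN[release] in bulletins else "verify manually"
    return "not in matrix"

def triage(inventory):
    """Map hostname -> status for lines of 'host ; banner ; bulletin,bulletin'."""
    report = {}
    for line in inventory.strip().splitlines():
        host, banner, raw = (field.strip() for field in line.split(";"))
        report[host] = assess(banner, [b.strip() for b in raw.split(",") if b.strip()])
    return report

# Constructed sample inventory (hostnames and unpatched build numbers are made up).
SAMPLE = """
esx-a.example ; VMware ESXi 7.0.3 build-20036586 ;
esx-b.example ; VMware ESXi 7.0.2 build-17000000 ;
esx-c.example ; VMware ESXi 6.7.0 build-19000000 ; ESXi670-202207401-SG
esx-d.example ; VMware ESXi 6.5.0 build-18000000 ;
"""

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host:15} {status}")
```
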


4. References

ESXi70U3sf-20036586:
https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-esxi-70u3f-release-notes.html
ESXi670-202207401-SG:
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/esxi670-202207001.html
ESXi650-202207401-SG:
https://docs.vmware.com/en/VMware-vSphere/6.5/rn/esxi650-202207001.html

KB Articles:
VCF 4.x: https://kb.vmware.com/s/article/88695
VCF 3.x: https://kb.vmware.com/s/article/88927

FAQ:
https://via.vmw.com/vmsa-2022-0020-qna

Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23816
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23825
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28693
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29901

FIRST CVSSv3 Calculator:
CVE-2022-23816: 
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
CVE-2022-23825: 
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
CVE-2022-28693: 
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
CVE-2022-29901: 
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N


5. Change Log

2022-07-12: VMSA-2022-0022
Initial security advisory.


6. Contact

E-mail list for product security notifications and
announcements:

https://lists.vmware.com/mailman/listinfo/security-announce



This Security Advisory is posted to the following lists:

security-announce@lists.vmware.com
bugtraq@securityfocus.com
fulldisclosure@seclists.org


E-mail: security@vmware.com

PGP key at:
https://kb.vmware.com/kb/1055


VMware Security Advisories
https://www.vmware.com/security/advisories


VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html


VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html


VMware Security & Compliance Blog
https://blogs.vmware.com/security


Twitter
https://twitter.com/VMwareSRC



Copyright 2022 VMware Inc. All rights reserved.

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================


