Tag: ADVISORY

New VMware Security Advisory VMSA-2017-0009

This post was originally published on this site. This is a critical security advisory from VMware (VMSA). Today VMware has released the following new security advisory: “VMSA-2017-0009 – VMware Workstation update addresses multiple security issues”. This documents an important severity insecure library loading issue via ALSA sound driver configuration files (CVE-2017-4915) and a moderate severity NULL pointer dereference issue (CVE-2017-4916) affecting Workstation Pro/Player. All VMware Workstation Pro/Player 12.x are affected. Successful exploitation of the insecure library loading […]

New VMware Security Advisory VMSA-2017-0008

Today VMware has released the following new security advisory: “VMSA-2017-0008 – VMware Unified Access Gateway, Horizon View and Workstation updates resolve multiple security vulnerabilities”. This documents several critical memory corruption vulnerabilities affecting VMware Unified Access Gateway (formerly called Access Point) (8.2.x), Horizon View (7.x, 6.2.x) and Workstation (12.5.x). Issue (a) is a heap-based buffer overflow vulnerability (CVE-2017-4907) which affects VMware Unified Access […]

New VMware Security Advisory VMSA-2017-0007

On Tuesday, 4th of April 2017 a remote code-execution issue in the BlazeDS library (CVE-2017-5641) was disclosed in a US-CERT security advisory. We have reviewed the issue and determined that VMware vCenter Server 6.5 and 6.0 are affected due to the use of BlazeDS to process AMF3 messages. VMware vCenter Server 5.5 is not affected. We have released the following new security advisory which documents the fixes for VMware vCenter Server 6.5 and 6.0 along with the workarounds: VMSA-2017-0007 – […]

The Security Landscape: Pwn2Own 2017

During the 2017 Pwn2Own competition at CanSecWest, two teams succeeded in demonstrating arbitrary host code execution on VMware Workstation. Today, VMware is releasing updated versions of VMware vSphere ESXi, VMware Fusion, and VMware Workstation to address these vulnerabilities. No active exploitation: VMware is not aware of any active exploitation of the vulnerabilities revealed in this competition. Though the vulnerabilities seem to apply to all VMware virtual platforms […]

VMware Workstation target at Pwn2Own 2017

The Pwn2Own competition organized by Trend Micro’s ZDI has just wrapped up at Vancouver. VMware Workstation was a target at this competition. In total, two teams managed to show that they could execute code on the VMware Workstation host from the guest. We are currently investigating these issues after having received the details from the teams directly. The issues were demonstrated on Workstation and we are investigating impact of them on ESXi and Fusion. We would like to thank ZDI, Team […]

New VMware Security Advisory VMSA-2017-0005

Today VMware has released the following new security advisory: “VMSA-2017-0005 – VMware Workstation and Fusion updates address out-of-bounds memory access vulnerability”. The advisory documents a critical severity out-of-bounds memory access vulnerability (CVE-2017-4901). Exploitation of the issue may allow a guest to execute code on the operating system that runs Workstation or Fusion. ESXi is not affected. Please sign up to the Security-Announce mailing list to receive new and updated VMware […]

VMSA-2017-0004

Greetings from the VMware Security Response Center! By now I am sure you have all heard about the Apache Struts 2 remote code execution vulnerability identified by CVE-2017-5638 which was disclosed last week. If you haven’t, welcome! You can find the original advisory from Apache here to get yourself caught up. In response, the VMware Security Engineering, Communications, and Response group (vSECR) immediately began investigations into the vulnerability and how it may affect our products. The […]

New VMware Security Advisory VMSA-2017-0003

Today VMware has released the following new security advisory: “VMSA-2017-0003 – VMware Workstation update addresses multiple security issues”. The advisory documents an important severity DLL loading issue (CVE-2017-4898) and two moderate severity security issues (CVE-2017-4899 and CVE-2017-4900) in the SVGA driver of VMware Workstation Pro/Player. All versions of Workstation Pro/Player 12.x are affected. Issue a is a DLL hijacking issue that occurs due to the “vmware-vmx” […]

New VMware Security Advisory VMSA-2017-0002

Greetings from the VMware Security Response Center! Today VMware has released the following new security advisory: “VMSA-2017-0002 – Horizon DaaS update addresses an insecure data validation issue”. The advisory documents a moderate severity insecure data validation issue (CVE-2017-4897) in VMware Horizon DaaS. All 6.1.x versions are affected. This vulnerability can be exploited by tricking DaaS client users into connecting to a malicious server and sharing all their drives and […]

VMSA-2016-0023 and VMSA-2016-0024

Greetings from the VMware Security Response Center! Today we released VMSA-2016-0023 and VMSA-2016-0024. “VMSA-2016-0023 – VMware ESXi updates address a cross-site scripting issue”: These updates address a stored cross-site scripting vulnerability (CVE-2016-7463) in the ESXi Host Client which we have rated as an Important severity issue. The issue can be introduced by an attacker that has permission to manage virtual machines through ESXi Host Client or by tricking the vSphere administrator to […]