New VMware Security Advisories VMSA-2019-0002 & VMSA-2019-0003

--- This is a critical security advisory from VMware (VMSA) ---

VMware has released the following new security advisories:

VMSA-2019-0002 – VMware Workstation update addresses elevation of privilege issues.

This advisory documents important-severity elevation of privilege issues.

Issue (a) (CVE-2019-5511). Workstation does not handle paths appropriately. Successful exploitation of this issue may allow the path to the VMX executable, on a Windows host, to be hijacked by a non-administrator leading to elevation of privilege.

Issue (b) (CVE-2019-5512). COM classes are not handled appropriately. Successful exploitation of this issue may allow hijacking of COM classes used by the VMX process, on a Windows host, leading to elevation of privilege.

These issues have been addressed in Workstation 15.0.3 and 14.1.6.

VMware would like to thank James Forshaw of Google Project Zero for reporting these issues to us.
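A patch-compliance triage built from the fixed versions named above, as an added example that is not part of the VMware advisory. The inventory format, hostnames, and build strings are constructed for illustration, and treating only Windows hosts as in scope follows the "on a Windows host" wording of issues (a) and (b).

```python
import re

# Fixed releases per major branch, as stated in the post for VMSA-2019-0002.
FIXED = {15: (15, 0, 3), 14: (14, 1, 6)}


def parse_version(text):
    """Return (major, minor, patch) from strings like '15.0.2 build-0000001'."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    if not m:
        return None
    return tuple(int(g or 0) for g in m.groups())


def triage(host_os, version_text):
    """Classify one Workstation install against the fixed releases."""
    if host_os.strip().lower() != "windows":
        # Both CVEs are described as affecting Windows hosts only.
        return "not-windows-host"
    version = parse_version(version_text)
    if version is None:
        return "unparseable"
    fixed = FIXED.get(version[0])
    if fixed is None:
        # The post names fixes only for the 14.x and 15.x branches.
        return "branch-not-listed"
    return "patched" if version >= fixed else "needs-update"


def report(inventory):
    """Map hostname -> status for rows of (hostname, host_os, version)."""
    return {host: triage(host_os, ver) for host, host_os, ver in inventory}


# Constructed sample inventory; none of these hosts or builds are real.
SAMPLE = [
    ("eng-ws-01", "Windows", "15.0.2 build-0000001"),
    ("eng-ws-02", "Windows", "15.0.3 build-0000002"),
    ("qa-ws-07", "Windows", "14.1.5"),
    ("qa-ws-08", "Windows", "14.1.6"),
    ("lab-old-3", "Windows", "12.5.9"),
    ("dev-lnx-4", "Linux", "15.0.2"),
    ("kiosk-11", "Windows", "unknown"),
]

if __name__ == "__main__":
    for host, status in report(SAMPLE).items():
        print(f"{host:10} {status}")
```

Hosts reported as `branch-not-listed` or `unparseable` need manual review against the full advisory, since the post gives fixed versions only for the 14.x and 15.x branches.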

VMSA-2019-0003 – VMware Horizon update addresses Connection Server information disclosure vulnerability.

(CVE-2019-5513). The VMware Horizon Connection Server contains a moderate-severity information disclosure vulnerability. Successful exploitation of this issue may allow disclosure of internal domain names, the Connection Server’s internal name, or the gateway’s internal IP address.

VMware would like to thank Cory Mathews of Critical Start and HD Moore of Atredis Partners for independently reporting this issue to us.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

The post New VMware Security Advisories VMSA-2019-0002 & VMSA-2019-0003 appeared first on VMware Security & Compliance Blog.