[Security-announce] Updated VMSA-2017-0015.2 - VMware ESXi, vCenter Server, Fusion & Workstation updates resolve multiple security vulnerabilities

VMware Security Announcements security-announce at lists.vmware.com
Mon Sep 18 22:22:00 PDT 2017


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -----------------------------------------------------------------------

                               VMware Security Advisory

Advisory ID: VMSA-2017-0015.2
Severity:    Critical
Synopsis:    VMware ESXi, vCenter Server, Fusion & Workstation updates
             resolve multiple security vulnerabilities
Issue date:  2017-09-14
Updated on:  2017-09-18
CVE number:  CVE-2017-4924, CVE-2017-4925, CVE-2017-4926

1. Summary

   VMware ESXi, vCenter Server, Fusion and Workstation updates resolve
   multiple security vulnerabilities.

2. Relevant Products

   VMware ESXi (ESXi)
   VMware vCenter Server
   VMware Fusion Pro / Fusion (Fusion)
   VMware Workstation Pro / Player (Workstation)

3. Problem Description

   a. Out-of-bounds write vulnerability in SVGA

   VMware ESXi, Workstation & Fusion contain an out-of-bounds write
   vulnerability in SVGA device. This issue may allow a guest to
   execute code on the host.

   VMware would like to thank Nico Golde and Ralf-Philipp Weinmann of
   Comsecuris UG (haftungsbeschraenkt) working with ZDI for reporting
   this issue to us.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the identifier CVE-2017-4924 to this issue.

   Column 5 of the following table lists the action required to
   remediate the vulnerability in each release, if a solution is
   available.

   VMware      Product Running           Replace with/       Mitigation
   Product     Version on      Severity  Apply patch         Workaround
   =========== ======= ======= ========  =============       ==========
      ESXi      6.5     ESXi   Critical ESXi650-201707101-SG   None
      ESXi      6.0     ESXi    N/A       Not affected          N/A
      ESXi      5.5     ESXi    N/A       Not affected          N/A
   Workstation  12.x    Any    Critical    12.5.7              None
     Fusion     8.x     OS X   Critical    8.5.8               None

   b. Guest RPC NULL pointer dereference vulnerability

   VMware ESXi, Workstation & Fusion contain a NULL pointer dereference
   vulnerability. This issue occurs when handling guest RPC requests.
   Successful exploitation of this issue may allow attackers with
   normal user privileges to crash their VMs.

   VMware would like to thank Zhang Haitao for reporting this issue
   to us.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the identifier CVE-2017-4925 to this issue.

   Column 5 of the following table lists the action required to
   remediate the vulnerability in each release, if a solution is
   available.

   VMware      Product Running          Replace with/        Mitigation
   Product     Version on      Severity Apply patch          Workaround
   =========== ======= ======= ======== =============        ==========
      ESXi      6.5     ESXi   Moderate ESXi650-201707101-SG   None
      ESXi      6.0     ESXi   Moderate ESXi600-201706101-SG   None
      ESXi      5.5     ESXi   Moderate ESXi550-201709101-SG   None
   Workstation  12.x    Any    Moderate    12.5.3              None
     Fusion     8.x     OS X   Moderate     8.5.4              None

   c. Stored XSS in H5 Client

   vCenter Server H5 Client contains a vulnerability that may allow for
   stored cross-site scripting (XSS). An attacker with VC user
   privileges can inject malicious java-scripts which will get executed
   when other VC users access the page.

   VMware would like to thank Thomas Ornetzeder for reporting this
   issue to us.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the identifier CVE-2017-4926 to this issue.

   Column 5 of the following table lists the action required to
   remediate the vulnerability in each release, if a solution is
   available.

   VMware          Product Running           Replace with/   Mitigation
   Product         Version on      Severity  Apply patch     Workaround
   ==============  ======= ======= ========  =============   ==========
   vCenter Server   6.5     Any    Moderate     6.5 U1         None
   vCenter Server   6.0     Any     N/A      Not affected      N/A
   vCenter Server   5.5     Any     N/A      Not affected      N/A

4. Solution

   Please review the patch/release notes for your product and
   version and verify the checksum of your downloaded file.

   ESXi 6.5
   -------------
   Downloads:
   https://www.vmware.com/patchmgr/findPatch.portal
   Documentation:
   http://kb.vmware.com/kb/2149933

   ESXi 6.0
   -------------
   Downloads:
   https://www.vmware.com/patchmgr/findPatch.portal
   Documentation:
   http://kb.vmware.com/kb/2149960

   ESXi 5.5
   ------------
   Downloads:
   https://www.vmware.com/patchmgr/findPatch.portal
   Documentation:
   http://kb.vmware.com/kb/2150876

   VMware vCenter Server 6.5 U1
   Downloads:
   https://my.vmware.com/web/vmware/details?downloadGroup=VC65U1
   &productId=614&rPId=17343
   Documentation:
   https://docs.vmware.com/en/VMware-vSphere/index.html

   VMware Workstation Pro 12.5.7
   Downloads and Documentation:
   https://www.vmware.com/go/downloadworkstation
   https://www.vmware.com/support/pubs/ws_pubs.html

   VMware Workstation Player 12.5.7
   Downloads and Documentation:
   https://www.vmware.com/go/downloadplayer
   https://www.vmware.com/support/pubs/player_pubs.html

   VMware Workstation Pro 12.5.3
   Downloads and Documentation:
   https://www.vmware.com/go/downloadworkstation
   https://www.vmware.com/support/pubs/ws_pubs.html

   VMware Workstation Player 12.5.3
   Downloads and Documentation:
   https://www.vmware.com/go/downloadplayer
   https://www.vmware.com/support/pubs/player_pubs.html

   VMware Fusion Pro / Fusion 8.5.8
   Downloads and Documentation
   https://www.vmware.com/go/downloadfusion
   https://www.vmware.com/support/pubs/fusion_pubs.html

   VMware Fusion Pro / Fusion 8.5.4
   Downloads and Documentation
   https://www.vmware.com/go/downloadfusion
   https://www.vmware.com/support/pubs/fusion_pubs.html


5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-4924
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-4925
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-4926

- ------------------------------------------------------------------------

6. Change log

   2017-09-14 VMSA-2017-0015
   Initial security advisory in conjunction with the release of VMware
   ESXi 5.5 patches on 2017-09-14

   2017-09-15 VMSA-2017-0015.1 Corrected the underlying component
   affected from SVGA driver to device.

   2017-09-18 VMSA-2017-0015.2 Updated the security advisory to reflect
   the correct platform for the XSS issue 3(c).

- ------------------------------------------------------------------------
7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

     security-announce at lists.vmware.com
     bugtraq at securityfocus.com
     fulldisclosure at seclists.org

   E-mail: security at vmware.com
   PGP key at: https://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html

   VMware Security & Compliance Blog
   https://blogs.vmware.com/security

   Twitter
   https://twitter.com/VMwareSRC

   Copyright 2017 VMware Inc.  All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.4.1 (Build 490)
Charset: utf-8

wj8DBQFZwKbaDEcm8Vbi9kMRArZ4AJ4x3UZXWhnMjiM6bWm3+AbVOWL1/gCeME1g
Zm6b0n/dE8r06O+chFE3E9k=
=NJvM
-----END PGP SIGNATURE-----

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.vmware.com/pipermail/security-announce/attachments/20170919/03e3b5e0/attachment.html>


More information about the Security-announce mailing list