> VMware advisories/updates
AplusWebMaster
post Feb 24 2008, 08:42 AM
Post #1


AplusWebMaster
*****

Group: Authentic Member
Posts: 4,576
Joined: 30-December 03
From: USA
Member No.: 1,643
Operating System: XP/SP3



FYI...

- http://secunia.com/advisories/29032/
Release Date: 2008-02-22
Critical: Moderately critical
Impact: Security Bypass, Exposure of sensitive information, DoS, System access
Where: From remote
Solution Status: Vendor Patch
OS: VMware ESX Server 2.x, VMware ESX Server 3.x ...
Solution: Apply patches...
Original Advisory:
http://lists.vmware.com/pipermail/security...008/000005.html ...

VMware client products on Windows...
> http://isc.sans.org/diary.html?storyid=4018
Last Updated: 2008-02-24 12:19:22 UTC
"... VMware vulnerability*... full escape from the guest virtual machine to the host is possible: "On Windows hosts, if you have configured a VMware host-to-guest shared folder, it is possible for a program running in the guest to gain access to the host's complete file system and create or modify executable files in sensitive locations." It has been rated as critical by VMware and it affects all VMware client products on Windows, that is:
- VMware Workstation 6.0.2 and earlier, AND 5.5.4 and earlier
- VMware Player 2.0.2 and earlier, AND 1.0.4 and earlier
- VMware ACE 2.0.2 and earlier, AND 1.0.2 and earlier..."
* http://preview.tinyurl.com/2vybj7
Last Modified Date: 02-22-2008 (VMware KB)
Workaround:
Until VMware releases a patch to fix this issue, users of affected Windows-hosted VMware products should disable shared folders...

> http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-1744
...Patch Information
http://www.vmware.com/support/ws55/doc/rel...s_ws55.html#554 ...

This post has been edited by AplusWebMaster: Jun 7 2008, 03:48 AM
Replies (30 - 37)
AplusWebMaster
post Oct 27 2009, 04:16 PM
Post #31





FYI...

VMSA-2009-0015 - VMware Security Advisory
- http://lists.vmware.com/pipermail/security...009/000069.html
2009-10-27
CVE numbers: CVE-2009-2267, CVE-2009-3733...
Initial security advisory after release of Server 1.0.10, Server 2.0.2 and Upgrade Patch 15 for ESX 2.5.5 on 2009-10-27. The versions of Workstation, Player, ACE, Fusion, and patches for ESXi 4.0, ESXi 3.5, ESX 4.0, ESX 3.5, ESX 3.0.3 mentioned above have already been released..."

- http://www.vmware.com/security/advisories/...-2009-0015.html


This post has been edited by AplusWebMaster: Oct 28 2009, 07:52 AM
AplusWebMaster
post Nov 21 2009, 10:46 AM
Post #32





FYI...

VMware Security Advisory - VMSA-2009-0016
- http://www.vmware.com/security/advisories/...-2009-0016.html
Nov 20, 2009 - "... Updated Java JRE packages and Tomcat packages address several security issues. Updates for the ESX Service Console and vMA include kernel, ntp, Python, bind, libxml, libxml2, curl and gnutls packages. ntp is also updated for ESXi userworlds..."

- http://secunia.com/advisories/37470/2/

- http://secunia.com/advisories/37471/2/

- http://secunia.com/advisories/37460/2/


This post has been edited by AplusWebMaster: Nov 24 2009, 06:40 AM
AplusWebMaster
post Dec 16 2009, 12:15 PM
Post #33





FYI...

VMSA-2009-0017 - Security Advisory
- http://www.vmware.com/security/advisories/...-2009-0017.html
Synopsis: VMware vCenter, ESX patch and vCenter Lab Manager releases address cross-site scripting issues
Issue date: 2009-12-15
CVE numbers: CVE-2009-3731 ...
Summary:
VMware vCenter and ESX update releases address cross-site scripting issues in the Help functionality of WebAccess. A vCenter Lab Manager release addresses the same issues which are present in the online Help functionality of Lab Manager and Stage Manager..."

AplusWebMaster
post Jan 7 2010, 11:39 AM
Post #34





FYI...

VMSA-2010-0001 - ESX Service Console updates...
- http://secunia.com/advisories/38091/2/
Release Date: 2010-01-07
Critical: Highly critical
Impact: Security Bypass, Manipulation of data, DoS, System access
Where: From remote
Solution Status: Partial Fix
OS: VMware ESX Server 4.x
Software: VMware vMA 4.x...
Solution:
VMware ESX 4.0: Apply ESX400-200912403-SG.
VMware vMA (on RHEL5) 4.0: A patch is still pending.
Original Advisory: VMSA-2010-0001:
http://lists.vmware.com/pipermail/security...010/000075.html ...

- http://www.vmware.com/security/advisories/...-2010-0001.html

- http://secunia.com/advisories/38091/3/
CVE reference: CVE-2009-1563, CVE-2009-2404, CVE-2009-2408, CVE-2009-2409, CVE-2009-3274, CVE-2009-3370, CVE-2009-3372, CVE-2009-3373, CVE-2009-3374, CVE-2009-3375, CVE-2009-3376, CVE-2009-3380, CVE-2009-3382
___

- http://www.us-cert.gov/current/#vmware_rel...urity_advisory3
"... Additionally, VMware has updated two previously released advisories: VMSA-2009-0014.2 that addresses vulnerabilities in the DHCP, Service Console Kernel, and Java JRE packages for ESX, and VMSA-2009-0004.3 that addresses vulnerabilities in the OpenSSL, BIND, and Vim packages for ESX.
... review VMware Security Advisory... VMSA-2009-0014.2*, and VMSA-2009-0004.3** and apply any necessary updates to help mitigate the risks.
* http://lists.vmware.com/pipermail/security...010/000076.html
** http://lists.vmware.com/pipermail/security...010/000077.html


This post has been edited by AplusWebMaster: Jan 9 2010, 06:56 AM
AplusWebMaster
post Jan 30 2010, 03:19 PM
Post #35





FYI...

New and updated VMware advisories
- http://isc.sans.org/diary.html?storyid=8122
Last Updated: 2010-01-30 11:04:17 UTC - "Today VMware has released the following new and updated security advisories:
New - VMSA-2010-0002:
- http://lists.vmware.com/pipermail/security...010/000078.html
This is described as - VMware vCenter update release addresses multiple security issues in Java JRE. The JRE is updated to version 1.5.0_22 and this covers a *lot* of CVEs.
CVE numbers: --- JRE ---
CVE-2009-1093 CVE-2009-1094 CVE-2009-1095 CVE-2009-1096 CVE-2009-1097 CVE-2009-1098
CVE-2009-1099 CVE-2009-1100 CVE-2009-1101 CVE-2009-1102 CVE-2009-1103 CVE-2009-1104
CVE-2009-1105 CVE-2009-1106 CVE-2009-1107 CVE-2009-2625 CVE-2009-2670 CVE-2009-2671
CVE-2009-2672 CVE-2009-2673 CVE-2009-2675 CVE-2009-2676 CVE-2009-2716 CVE-2009-2718
CVE-2009-2719 CVE-2009-2720 CVE-2009-2721 CVE-2009-2722 CVE-2009-2723 CVE-2009-2724
CVE-2009-3728 CVE-2009-3729 CVE-2009-3864 CVE-2009-3865 CVE-2009-3866 CVE-2009-3867
CVE-2009-3868 CVE-2009-3869 CVE-2009-3871 CVE-2009-3872 CVE-2009-3873 CVE-2009-3874
CVE-2009-3875 CVE-2009-3876 CVE-2009-3877 CVE-2009-3879 CVE-2009-3880 CVE-2009-3881
CVE-2009-3882 CVE-2009-3883 CVE-2009-3884 CVE-2009-3886 CVE-2009-3885

Updated - VMSA-2009-0016.2:
- http://lists.vmware.com/pipermail/security...010/000079.html "

> http://www.vmware.com/security/advisories/...-2010-0002.html

- http://secunia.com/advisories/38384/2/
Release Date: 2010-02-01
Critical: Highly critical
Impact: Security Bypass, Exposure of sensitive information, DoS, System access
Where: From remote
Software: VMware VirtualCenter 2.x
Solution: VMware VirtualCenter 2.5: Update to version 2.5 update 6.
VMware VirtualCenter 2.0.2: A patch is pending.
Original Advisory: VMSA-2010-0002:
http://lists.vmware.com/pipermail/security...010/000078.html

- http://secunia.com/advisories/38438/2/
Release Date: 2010-02-01
Critical: Highly critical
Impact: Security Bypass, Exposure of sensitive information, DoS, System access
Where: From remote
OS: VMware ESX Server 3.x, VMware ESX Server 4.x
Original Advisory: VMSA-2010-0002:
http://lists.vmware.com/pipermail/security...010/000078.html


This post has been edited by AplusWebMaster: Feb 1 2010, 10:48 PM
AplusWebMaster
post Feb 17 2010, 05:53 AM
Post #36





FYI...

VMSA-2010-0003 - VMware ESX Server update
- http://secunia.com/advisories/38562/
Release Date: 2010-02-17
Impact: DoS
Where: From local network
Solution Status: Vendor Patch
Operating System: VMware ESX Server 3.x
Original Advisory: VMSA-2010-0003:
http://lists.vmware.com/pipermail/security...010/000080.html

- http://www.vmware.com/security/advisories/...-2010-0003.html

Multiple Security Updates for ESX 3.x and ESXi 3.x
- http://isc.sans.org/diary.html?storyid=8254
Last Updated: 2010-02-17 14:26:08 UTC


This post has been edited by AplusWebMaster: Feb 20 2010, 02:29 PM
AplusWebMaster
post Mar 4 2010, 06:23 AM
Post #37





FYI...

VMSA-2010-0004 - VMware ESX Servers...

- http://www.vmware.com/security/advisories/...-2010-0004.html

- http://secunia.com/advisories/38833/
Release Date: 2010-03-04
Criticality level: Moderately critical
Impact: Security Bypass, DoS, System access
Where: From remote
Solution Status: Vendor Patch
Operating System: VMware ESX Server 4.x
Solution: Apply ESX400-201002404-SG, ESX400-201002407-SG, and ESX400-201002406-SG.
Original Advisory: VMSA-2010-0004:
http://lists.vmware.com/pipermail/security...010/000082.html

- http://secunia.com/advisories/38794/
Release Date: 2010-03-04
Criticality level: Moderately critical
Impact: Security Bypass, Spoofing, Exposure of sensitive information, Privilege escalation, DoS, System access
Where: From remote
Solution Status: Vendor Patch
Software: VMware vMA 4.x
Solution: Apply vMA 4.0 Patch 3.
Original Advisory: VMSA-2010-0004:
http://lists.vmware.com/pipermail/security...010/000082.html

- http://secunia.com/advisories/38834/
Release Date: 2010-03-04
Criticality level: Less critical
Impact: Spoofing, Exposure of sensitive information, Privilege escalation, DoS
Where: From local network
Solution Status: Unpatched
Operating System: VMware ESX Server 4.x
Original Advisory: VMSA-2010-0004:
http://lists.vmware.com/pipermail/security...010/000082.html
Mar 3, 2010 - "... table lists what action remediates the vulnerability..."

- http://secunia.com/advisories/38832/
Release Date: 2010-03-04
Criticality level: Less critical
Impact: DoS
Where: From local network
Solution Status: Unpatched
Operating System: VMware ESX Server 2.x, VMware ESX Server 3.x
Solution: Restrict network access to trusted users only.
Original Advisory: VMSA-2010-0004:
http://lists.vmware.com/pipermail/security...010/000082.html

- http://lists.vmware.com/pipermail/security...10/subject.html


This post has been edited by AplusWebMaster: Mar 6 2010, 05:27 PM
AplusWebMaster
post Mar 9 2010, 01:34 PM
Post #38





FYI...

VMware updates...
- http://lists.vmware.com/pipermail/security...date.html#start
Mar 8, 2010
UPDATED VMSA-2010-0003.1 ESX Service Console update for net-snmp...
UPDATED VMSA-2010-0001.1 ESX Service Console and vMA updates for nss and nspr
UPDATED VMSA-2009-0016.4 VMware vCenter and ESX update release and vMA patch release address multiple security issues in third party components
