Answers to your tech questions
Computer forums for help with removing malicious software (malware) and improving computer security

> VMware advisories/updates
AplusWebMaster
post Feb 24 2008, 08:42 AM
Post #1


AplusWebMaster
*****

Group: Authentic Member
Posts: 3,570
Joined: 30-December 03
From: USA
Member No.: 1,643
Operating System: W98, W98SE, WinXP, etc. etc. etc.



FYI...

- http://secunia.com/advisories/29032/
Release Date: 2008-02-22
Critical: Moderately critical
Impact: Security Bypass, Exposure of sensitive information, DoS, System access
Where: From remote
Solution Status: Vendor Patch
OS: VMware ESX Server 2.x, VMware ESX Server 3.x ...
Solution: Apply patches...
Original Advisory:
http://lists.vmware.com/pipermail/security...008/000005.html ...

VMware client products on Windows...
> http://isc.sans.org/diary.html?storyid=4018
Last Updated: 2008-02-24 12:19:22 UTC
"... VMware vulnerability*... full escape from the guest virtual machine to the host is possible: "On Windows hosts, if you have configured a VMware host-to-guest shared folder, it is possible for a program running in the guest to gain access to the host's complete file system and create or modify executable files in sensitive locations." It has been rated as critical by VMware and it affects all VMware client products on Windows, that is:
- VMware Workstation 6.0.2 and earlier, AND 5.5.4 and earlier
- VMware Player 2.0.2 and earlier, AND 1.0.4 and earlier
- VMware ACE 2.0.2 and earlier, AND 1.0.2 and earlier..."
* http://preview.tinyurl.com/2vybj7
Last Modified Date: 02-22-2008 (VMware KB)
Workaround:
Until VMware releases a patch to fix this issue, users of affected Windows-hosted VMware products should disable shared folders...

> http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-1744
...Patch Information
http://www.vmware.com/support/ws55/doc/rel...s_ws55.html#554 ...

This post has been edited by AplusWebMaster: Jun 7 2008, 03:48 AM
AplusWebMaster
post Feb 26 2008, 08:38 PM
Post #2





FYI...

- http://isc.sans.org/diary.html?storyid=4018
Last Updated: 2008-02-26 02:29:41 UTC ...(Version: 3)
"UPDATE... Although the VMware alert mentions VMware Workstation 5.5.4 (or earlier), ACE 1.0.2 (or earlier) and Player 1.0.4 (or earlier), the latest versions available are VMware Workstation 5.5.5, ACE 1.0.4 and Player 1.0.5. We have confirmed with VMware that -all- versions of Workstation, ACE and Player are affected. They will release a fix ASAP."

> http://preview.tinyurl.com/2vybj7
Last Modified Date: 02-22-2008 (VMware KB) - "...Workaround:
Until VMware releases a patch to fix this issue, users of affected Windows-hosted VMware products should disable shared folders..."

AplusWebMaster
post Mar 17 2008, 03:12 PM
Post #3





FYI...

VMware Workstation 6.0.3 for Windows released
- http://www.vmware.com/download/ws/
Latest Version: 6.0.3 | 3/14/08 | Build: 80004

Workstation 6.0 Release Notes
- http://www.vmware.com/support/ws6/doc/releasenotes_ws6.html
...Workstation 6.0.3 addresses the following security issues:
* On Windows hosts, if you have configured and enabled a shared folder, it is possible for an attacker to write arbitrary content from a guest system to arbitrary locations on the host system (CORE-2007-0930). (bug 200360)...
(... other issues also addressed)

- http://www.vmware.com/security/advisories/
March 17, 2008 VMSA-2008-0005

-----------------------------------------------

- http://secunia.com/advisories/29412/
Release Date: 2008-03-17
Software: VMware Server 1.x
Impact: Security Bypass, Privilege escalation, DoS
Where: From remote
Solution Status: Vendor Patch
...The vulnerabilities are reported in versions prior to 1.0.5.
Solution: Update to version 1.0.5...

VMware server release notes
- http://www.vmware.com/support/server/doc/r...r.html#resolved

Download:
- http://www.vmware.com/download/server/
Latest Version: 1.0.5 | 3/14/08 | Build: 80187

This post has been edited by AplusWebMaster: Mar 20 2008, 04:31 AM
AplusWebMaster
post Mar 31 2008, 04:29 AM
Post #4





FYI...

VMware ESX Server update
- http://secunia.com/advisories/29591/
Release Date: 2008-03-31
Critical: Moderately critical
Impact: DoS
Where: From remote
Solution Status: Vendor Patch
OS: VMware ESX Server 2.x
Solution: Apply patches. ESX 2.5.5 Upgrade Patch 6
- http://vmware.com/support/esx25/doc/esx-25...0803-patch.html
Original Advisory:
- http://lists.vmware.com/pipermail/security...008/000009.html

AplusWebMaster
post Jun 1 2008, 12:16 PM
Post #5





FYI...

VMSA-2008-0008
- http://www.vmware.com/security/advisories/...-2008-0008.html
"Updates to VMware Workstation, VMware Player, VMware ACE, VMware Fusion resolve critical security issues.
Synopsis: Updates to VMware Workstation, VMware Player, VMware ACE, VMware Fusion resolve critical security issues
Issue date: 2008-05-30
Updated on: 2008-05-30 (initial release of advisory)
CVE numbers:
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2098
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2099

- http://isc.sans.org/diary.html?storyid=4501
Last Updated: 2008-06-01 13:56:42 UTC - "...The advisory affects the following products:
VMware Workstation 6.0.3 and earlier
VMware Player 2.0.3 and earlier
VMware ACE 2.0.3 and earlier
VMware Fusion 1.1.1 and earlier

Windows based VMCI arbitrary code execution vulnerability...

VMware Host Guest File System (HGFS) shared folders...


This post has been edited by AplusWebMaster: Jun 2 2008, 12:17 PM
AplusWebMaster
post Jun 5 2008, 06:12 AM
Post #6





FYI...

VMware ESX Server Multiple Security Updates
- http://secunia.com/advisories/30535/
Release Date: 2008-06-05
Critical: Highly critical
Impact: Exposure of sensitive information, DoS, System access
Where: From remote
Solution Status: Vendor Patch
OS: VMware ESX Server 2.x, VMware ESX Server 3.x
...fixes some vulnerabilities, which can be exploited by malicious people to disclose potentially sensitive information, cause a DoS (Denial of Service), or potentially compromise a vulnerable system...
Solution: Apply patches...
Original Advisory:
http://www.vmware.com/security/advisories/...-2008-0009.html
VMSA-2008-0009
"Updates to VMware Workstation, VMware Player, VMware ACE, VMware Fusion, VMware Server, VMware VIX API, VMware ESX, VMware ESXi resolve critical security issues..."

Also see: http://secunia.com/advisories/30556/

.

This post has been edited by AplusWebMaster: Jun 6 2008, 04:44 AM
AplusWebMaster
post Jun 17 2008, 04:48 AM
Post #7





FYI...

VMSA-2008-0010
- http://www.vmware.com/security/advisories/...-2008-0010.html
Synopsis: Updated Tomcat and Java JRE packages for VMware ESX 3.5
Issue date: 2008-06-16
Summary: Updated Tomcat and Java JRE packages for VMware ESX 3.5
Notes: These vulnerabilities can be exploited remotely only if the attacker has access to the service console network. Security best practices provided by VMware recommend that the service console be isolated from the VM network. Please see http://www.vmware.com/resources/techresources/726 for more information on VMware security best practices. The currently installed versions of Tomcat and JRE depend on your patch deployment history...

- http://www.vmware.com/security/advisories/

- http://secunia.com/advisories/30676/
Release Date: 2008-06-17
Critical: Highly critical
Impact: Security Bypass, Manipulation of data, Exposure of system information, Exposure of sensitive information, DoS, System access...

AplusWebMaster
post Aug 13 2008, 06:08 AM
Post #8





FYI...

VMware updates for OpenSSL, net-snmp, and perl
- http://secunia.com/advisories/31467/
Release Date: 2008-08-13
Critical: Highly critical
Impact: Spoofing, DoS, System access
Where: From remote
Solution Status: Partial Fix
OS: VMware ESX Server 3.x ...
Solution: Update to version 3.0.3 if possible or apply patches if available.
-- VMware ESX 3.0.1 and 3.0.2 --
Patches are not yet available. The vendor recommends to upgrade to version 3.0.3.
-- VMware ESX 3.5 --
Patches for CVE-2007-3108 and CVE-2007-5135 are available via VMSA-2008-0001...
Patches for the other issues are still pending.
Original Advisory: VMware VMSA-2008-0013:
http://www.vmware.com/security/advisories/...-2008-0013.html ...

VMware ESXi OpenSSL vulns
- http://secunia.com/advisories/31489/
Release Date: 2008-08-13
Critical: Highly critical
Impact: DoS, System access
Where: From remote
Solution Status: Unpatched
OS: VMware ESXi 3.x...
...The vulnerabilities are reported in version 3.5. Other versions may also be affected.
Solution: Use in a trusted network environment only.
Original Advisory: VMware VMSA-2008-0013:
http://www.vmware.com/security/advisories/...-2008-0013.html ...

VMware VirtualCenter User Account Disclosure - update available
- http://secunia.com/advisories/31468/
Release Date: 2008-08-13
Critical: Not critical
Impact: Exposure of system information
Where: From local network
Solution Status: Vendor Patch
Software: VMware VirtualCenter 2.x ...
Original Advisory: VMware VMSA-2008-0012:
http://www.vmware.com/security/advisories/...-2008-0012.html ...

VMSA-2008-0012:
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3514

VMSA-2008-0013:
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-3108
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5135
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0960
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1927
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2292


This post has been edited by AplusWebMaster: Aug 16 2008, 11:20 AM
Reason for edit: Added CVE references...
© Geeks to Go, Inc. | All Rights Reserved | Privacy Policy