181 replies to this topic

[AplusWebMaster]

FYI...

- http://secunia.com/advisories/29032/
Release Date: 2008-02-22
Critical: Moderately critical
Impact: Security Bypass, Exposure of sensitive information, DoS, System access
Where: From remote
Solution Status: Vendor Patch
OS: VMware ESX Server 2.x, VMware ESX Server 3.x ...
Solution: Apply patches...
Original Advisory:
http://lists.vmware....008/000005.html ...

VMware client products on Windows...
> http://isc.sans.org/...ml?storyid=4018
Last Updated: 2008-02-24 12:19:22 UTC
"... VMware vulnerability*... full scape from the guest virtual machine to the host is possible: "On Windows hosts, if you have configured a VMware host-to-guest shared folder, it is possible for a program running in the guest to gain access to the host's complete file system and create or modify executable files in sensitive locations." It has been rated as critical by VMware and it affects all VMware client products on Windows, that is:
- VMware Workstation 6.0.2 and earlier, AND 5.5.4 and earlier
- VMware Player 2.0.2 and earlier, AND 1.0.4 and earlier
- VMware ACE 2.0.2 and earlier, AND 1.0.2 and earlier..."
* http://preview.tinyurl.com/2vybj7
Last Modified Date: 02-22-2008 (VMware KB)
Workaround:
Until VMware releases a patch to fix this issue, users of affected Windows-hosted VMware products should disable shared folders...

> http://nvd.nist.gov/...e=CVE-2007-1744
...Patch Information
http://www.vmware.co...s_ws55.html#554 ...

Edited by AplusWebMaster, 07 June 2008 - 03:48 AM.

[AplusWebMaster]

FYI...

- http://isc.sans.org/...ml?storyid=4018
Last Updated: 2008-02-26 02:29:41 UTC ...(Version: 3)
"UPDATE... Although the VMware alert mentions VMware Workstation 5.5.4 (or earlier), ACE 1.0.2 (or earlier) and Player 1.0.4 (or earlier), the latest versions available are VMware Workstation 5.5.5, ACE 1.0.4 and Player 1.0.5. We have confirmed with VMware that -all- versions of Workstation, ACE and Player are affected. They will release a fix ASAP."

> http://preview.tinyurl.com/2vybj7
Last Modified Date: 02-22-2008 (VMware KB) - "...Workaround:
Until VMware releases a patch to fix this issue, users of affected Windows-hosted VMware products should disable shared folders..."

[AplusWebMaster]

FYI...

VMware Workstation 6.0.3 for Windows released
- http://www.vmware.com/download/ws/
Latest Version: 6.0.3 | 3/14/08 | Build: 80004

Workstation 6.0 Release Notes
- http://www.vmware.co...enotes_ws6.html
...Workstation 6.0.3 addresses the following security issues:
* On Windows hosts, if you have configured and enabled a shared folder, it is possible for an attacker to write arbitrary content from a guest system to arbitrary locations on the host system (CORE-2007-0930). (bug 200360)...
(... other issues also addressed)

- http://www.vmware.co...ity/advisories/
March 17, 2008 VMSA-2008-0005

-----------------------------------------------

- http://secunia.com/advisories/29412/
Release Date: 2008-03-17
Software: VMware Server 1.x
Impact: Security Bypass, Privilege escalation, DoS
Where: From remote
Solution Status: Vendor Patch
...The vulnerabilities are reported in versions prior to 1.0.5.
Solution: Update to version 1.0.5...

VMware server release notes
- http://www.vmware.co...r.html#resolved

Download:
- http://www.vmware.com/download/server/
Latest Version: 1.0.5 | 3/14/08 | Build: 80187

Edited by AplusWebMaster, 20 March 2008 - 04:31 AM.

[AplusWebMaster]

FYI...

VMware ESX Server update
- http://secunia.com/advisories/29591/
Release Date: 2008-03-31
Critical: Moderately critical
Impact: DoS
Where: From remote
Solution Status: Vendor Patch
OS: VMware ESX Server 2.x
Solution: Apply patches. ESX 2.5.5 Upgrade Patch 6
- http://vmware.com/su...0803-patch.html
Original Advisory:
- http://lists.vmware....008/000009.html

[AplusWebMaster]

FYI...

VMSA-2008-0008
- http://www.vmware.co...-2008-0008.html
"Updates to VMware Workstation, VMware Player, VMware ACE, VMware Fusion resolve critical security issues.
Synopsis: Updates to VMware Workstation, VMware Player, VMware ACE, VMware Fusion resolve critical
security issues
Issue date: 2008-05-30
Updated on: 2008-05-30 (initial release of advisory)
CVE numbers:
- http://nvd.nist.gov/...e=CVE-2008-2098
- http://nvd.nist.gov/...e=CVE-2008-2099

- http://isc.sans.org/...ml?storyid=4501
Last Updated: 2008-06-01 13:56:42 UTC - "...The advisory affects the following products:
VMware Workstation 6.0.3 and earlier
VMware Player 2.0.3 and earlier
VMware ACE 2.0.3 and earlier
VMware Fusion 1.1.1 and earlier

Windows based VMCI arbitrary code execution vulnerability...

VMware Host Guest File System (HGFS) shared folders...

Edited by AplusWebMaster, 02 June 2008 - 12:17 PM.

[AplusWebMaster]

FYI...

VMware ESX Server Multiple Security Updates
- http://secunia.com/advisories/30535/
Release Date: 2008-06-05
Critical: Highly critical
Impact: Exposure of sensitive information, DoS, System access
Where: From remote
Solution Status: Vendor Patch
OS: VMware ESX Server 2.x, VMware ESX Server 3.x
...fixes some vulnerabilities, which can be exploited by malicious people to disclose potentially sensitive information, cause a DoS (Denial of Service), or potentially compromise a vulnerable system...
Solution: Apply patches...
Original Advisory:
http://www.vmware.co...-2008-0009.html
VMSA-2008-0009
"Updates to VMware Workstation, VMware Player, VMware ACE, VMware Fusion, VMware Server, VMware VIX API, VMware ESX, VMware ESXi resolve critical security issues..."

Also see: http://secunia.com/advisories/30556/

.

Edited by AplusWebMaster, 06 June 2008 - 04:44 AM.

[AplusWebMaster]

FYI...

VMSA-2008-0010
- http://www.vmware.co...-2008-0010.html
Synopsis: Updated Tomcat and Java JRE packages for VMware ESX 3.5
Issue date: 2008-06-16
Summary: Updated Tomcat and Java JRE packages for VMware ESX 3.5
Notes: These vulnerabilities can be exploited remotely only if the attacker has access to the service console network. Security best practices provided by VMware recommend that the service console be isolated from the VM network. Please see http://www.vmware.co...chresources/726 for more information on VMware security best practices. The currently installed versions of Tomcat and JRE depend on your patch deployment history...

- http://www.vmware.co...ity/advisories/

- http://secunia.com/advisories/30676/
Release Date: 2008-06-17
Critical: Highly critical
Impact: Security Bypass, Manipulation of data, Exposure of system information, Exposure of sensitive information, DoS, System access...

[AplusWebMaster]

FYI...

VMware updates for OpenSSL, net-snmp, and perl
- http://secunia.com/advisories/31467/
Release Date: 2008-08-13
Critical: Highly critical
Impact: Spoofing, DoS, System access
Where: From remote
Solution Status: Partial Fix
OS: VMware ESX Server 3.x ...
Solution: Update to version 3.0.3 if possible or apply patches if available.
-- VMware ESX 3.0.1 and 3.0.2 --
Patches are not yet available. The vendor recommends to upgrade to version 3.0.3.
-- VMware ESX 3.5 --
Patches for CVE-2007-3108 and CVE-2007-5135 are available via VMSA-2008-0001...
Patches for the other issues are still pending.
Original Advisory: VMware VMSA-2008-0013:
http://www.vmware.co...-2008-0013.html ...

VMware ESXi OpenSSL vulns
- http://secunia.com/advisories/31489/
Release Date: 2008-08-13
Critical: Highly critical
Impact: DoS, System access
Where: From remote
Solution Status: Unpatched
OS: VMware ESXi 3.x...
...The vulnerabilities are reported in version 3.5. Other versions may also be affected.
Solution: Use in a trusted network environment only.
Original Advisory: VMware VMSA-2008-0013:
http://www.vmware.co...-2008-0013.html ...

VMware VirtualCenter User Account Disclosure - update available
- http://secunia.com/advisories/31468/
Release Date: 2008-08-13
Critical: Not critical
Impact: Exposure of system information
Where: From local network
Solution Status: Vendor Patch
Software: VMware VirtualCenter 2.x ...
Original Advisory: VMware VMSA-2008-0012:
http://www.vmware.co...-2008-0012.html ...

VMSA-2008-0012:
- http://nvd.nist.gov/...e=CVE-2008-3514

VMSA-2008-0013:
- http://nvd.nist.gov/...e=CVE-2007-3108
- http://nvd.nist.gov/...e=CVE-2007-5135
- http://nvd.nist.gov/...e=CVE-2008-0960
- http://nvd.nist.gov/...e=CVE-2008-1927
- http://nvd.nist.gov/...e=CVE-2008-2292

Edited by AplusWebMaster, 16 August 2008 - 11:20 AM.
Added CVE references...

[AplusWebMaster]

FYI...

- http://isc.sans.org/...ml?storyid=4949
Last Updated: 2008-08-29 22:20:32 UTC - "...VMware released updates for for ACE, Server, Player and Workstation products:

VMware ACE 2.0.5
- http://www.vmware.co....html#bugfix205
Release Date: August 28, 2008

VMware Player 2.0.5
- http://www.vmware.co....html#bugfix205
Release Date: August 28, 2008

VMware Server 1.0.7
- http://www.vmware.co....html#bugfix107
Release Date: August 28, 2008

VMware Workstation 6.0.5
- http://www.vmware.co....html#bugfix605
Release Date: August 28, 2008 ..."

[AplusWebMaster]

FYI...

- http://isc.sans.org/...ml?storyid=4949
Last Updated: 2008-08-30 15:51:06 UTC ...(Version: 2)
"...Update: (2008-08-30-15:50 UTC) The VMware bulletin can be found at http://lists.vmware....008/000033.html ..."

http://secunia.com/advisories/31711/ - VMware Fusion Multiple Vulnerabilities
http://secunia.com/advisories/31710/ - VMware ACE Multiple Vulnerabilities
http://secunia.com/advisories/31709/ - VMware Player Multiple Vulnerabilities
http://secunia.com/advisories/31708/ - VMware Server Multiple Vulnerabilities
http://secunia.com/advisories/31707/ - VMware Workstation Multiple Vulnerabilities
Release Date: 2008-09-01

[AplusWebMaster]

FYI...

VMWare ESX(i) 3.5 security patches
- http://isc.sans.org/...ml?storyid=5056
Last Updated: 2008-09-19 08:10:50 UTC - "VMWare released a new security patch and updated two old patches for ESX 3.5 and ESXi 3.5 today. The following patches are released and re-released:

VMSA-2008-0015: http://www.vmware.co...-2008-0015.html
Issue date: 2008-09-18
– fixing two remote buffer overflow vulnerabilities in openwsman which is installed and running by default.
VMSA-2008-0014: http://www.vmware.co...-2008-0014.html
Issue date: 2008-08-29 / Updated on: 2008-09-18
– added fixes for libpng and bind for ESX 3.5 servers
VMSA-2008-0013: http://www.vmware.co...-2008-0013.html
Issue date: 2008-08-12 / Updated on: 2008-09-18
– added fixes for net-snmp and perl for ESX 3.5 servers

- http://web.nvd.nist....d=CVE-2008-2234

- http://secunia.com/advisories/31942/

Edited by AplusWebMaster, 19 September 2008 - 04:43 AM.
Added CVE and Secunia advisory links...

[AplusWebMaster]

FYI...

VMware advisories and patches
- http://isc.sans.org/...ml?storyid=5123
Last Updated: 2008-10-04 14:09:17 UTC ...(Version: 3) - "VMware released the following new and updated security advisories on October 4th:
- VMSA-2008-0016 (new advisory)
http://www.vmware.co...-2008-0016.html
http://lists.vmware....008/000037.html
- VMSA-2008-0014.2 (updated advisory)
http://www.vmware.co...-2008-0014.html
http://lists.vmware....008/000038.html
These advisories list security issues that have been fixed in the following releases:
- VirtualCenter 2.5 Update 3 released on 10/3/08
- patches for ESXi and ESX 3.5 released on 10/3/08
- patches for ESX 3.0.1, 3.0.2, 3.0.3 released on 9/30/08
- new versions of VMware Workstation, Player, ACE, Server released on 7/28/08
The corresponding new blog entry is linked from http://www.vmware.co...ity/advisories/ ..."

Release Date: 2008-10-06
- http://secunia.com/advisories/32157/
- http://secunia.com/advisories/32179/
- http://secunia.com/advisories/32180/

- VMSA-2008-0016
http://web.nvd.nist....d=CVE-2008-3103
http://web.nvd.nist....d=CVE-2008-3104
http://web.nvd.nist....d=CVE-2008-3105
http://web.nvd.nist....d=CVE-2008-3106
http://web.nvd.nist....d=CVE-2008-3107
http://web.nvd.nist....d=CVE-2008-3108
http://web.nvd.nist....d=CVE-2008-3109
http://web.nvd.nist....d=CVE-2008-3110
http://web.nvd.nist....d=CVE-2008-3111
http://web.nvd.nist....d=CVE-2008-3112
http://web.nvd.nist....d=CVE-2008-3113
http://web.nvd.nist....d=CVE-2008-3114
http://web.nvd.nist....d=CVE-2008-3115
http://web.nvd.nist....d=CVE-2008-4278
http://web.nvd.nist....d=CVE-2008-4279

- VMSA-2008-0014.2
http://web.nvd.nist....d=CVE-2007-5269
http://web.nvd.nist....d=CVE-2007-5438
http://web.nvd.nist....d=CVE-2007-5503
http://web.nvd.nist....d=CVE-2008-1447
http://web.nvd.nist....d=CVE-2008-1806
http://web.nvd.nist....d=CVE-2008-1807
http://web.nvd.nist....d=CVE-2008-1808
http://web.nvd.nist....d=CVE-2008-2101
http://web.nvd.nist....d=CVE-2008-3691
http://web.nvd.nist....d=CVE-2008-3692
http://web.nvd.nist....d=CVE-2008-3693
http://web.nvd.nist....d=CVE-2008-3694
http://web.nvd.nist....d=CVE-2008-3695
http://web.nvd.nist....d=CVE-2008-3696
http://web.nvd.nist....d=CVE-2008-3697
http://web.nvd.nist....d=CVE-2008-3698

Edited by AplusWebMaster, 06 October 2008 - 03:59 PM.
Added Secunia advisory links...

[AplusWebMaster]

FYI...

VMSA-2008-0017
- http://lists.vmware....008/000039.html
Issue date: 2008-10-31

VMSA-2008-0014.3 Updates to VMware Workstation, VMware Player, VMware ACE, VMware Server, VMware ESX, VMware VCB address information disclosure, privilege escalation and other security issues
- http://lists.vmware....008/000040.html

VMSA-2008-0011.3 Updated ESX service console packages for Samba and vmnix
- http://lists.vmware....008/000041.html

- http://secunia.com/advisories/32488/
Release Date: 2008-10-31
Critical: Moderately critical

- http://www.vmware.co...-2008-0017.html
Synopsis: Updated ESX packages for libxml2, ucd-snmp, libtiff
Issue date: 2008-10-31 ...

Edited by AplusWebMaster, 31 October 2008 - 04:15 PM.

[AplusWebMaster]

FYI...

VMware - VMSA-2008-0018
- http://lists.vmware....008/000042.html
Advisory ID: VMSA-2008-0018
Synopsis: VMware Hosted products and patches for ESX and ESXi resolve two security issues
Issue date: 2008-11-06
Updated on: 2008-11-06 (initial release of advisory)
CVE numbers: CVE-2008-4915 CVE-2008-4281
> Summary: VMware Hosted products and patches for ESX and ESXi resolve multiple security issues. A flaw in the CPU hardware emulation may allow for a privilege escalation on virtual machine guest operating systems. In addition a directory traversal issue is resolved.
> Relevant releases
VMware Workstation 6.0.5 and earlier,
VMware Workstation 5.5.8 and earlier,
VMware Player 2.0.5 and earlier,
VMware Player 1.0.8 and earlier,
VMware ACE 2.0.5 and earlier,
VMware ACE 1.0.7 and earlier,
VMware Server 1.0.7 and earlier.
VMware ESXi 3.5 without patch ESXe350-200810401-O-UG
VMware ESX 3.5 without patch ESX350-200810201-UG
VMware ESX 3.0.3 without patch ESX303-200810501-BG
VMware ESX 3.0.2 without patch ESX-1006680
VMware ESX 2.5.5 without upgrade patch 10 or later
VMware ESX 2.5.4 without upgrade patch 21

NOTE: Hosted products VMware Workstation 5.x, VMware Player 1.x, and VMware ACE 1.x will reach end of general support 2008-11-09. Customers should plan to upgrade to the latest version of their respective products.

Extended support (Security and Bug fixes) for ESX 3.0.2 ended on 2008-10-29 and Extended support for ESX 3.0.2 Update 1 ends on 2009-08-08. Users should plan to upgrade to ESX 3.0.3 and preferably to the newest release available..."

[AplusWebMaster]

FYI...

VMware - VMSA-2008-0016.1
- http://lists.vmware....008/000043.html
Advisory ID: VMSA-2008-0016.1
Synopsis: VMware Hosted products, VirtualCenter Update 3 and patches for ESX and ESXi resolve multiple security issues.
Issue date: 2008-10-03
Updated on: 2008-11-06
CVE numbers: CVE-2008-4279 CVE-2008-4278 CVE-2008-3103 CVE-2008-3104 CVE-2008-3105 CVE-2008-3106 CVE-2008-3107 CVE-2008-3108 CVE-2008-3109 CVE-2008-3110 CVE-2008-3111 CVE-2008-3112CVE-2008-3113 CVE-2008-3114 CVE-2008-3115
- ------------------------------------------------------------------------
Summary:
VMware addresses a in-guest privilege escalation on 64-bit guest operating systems in ESX, ESXi, and previously released versions of our hosted product line. Updated VMware VirtualCenter Update 3 addresses potential information disclosure and updates Java JRE packages.
- -----------------
Relevant releases:
VirtualCenter 2.5 before Update 3 build 119838
VMware Workstation 6.0.4 and earlier,
VMware Workstation 5.5.7 and earlier,
VMware Player 2.0.4 and earlier,
VMware Player 1.0.7 and earlier,
VMware ACE 2.0.4 and earlier,
VMware ACE 1.0.6 and earlier,
VMware Server 1.0.6 and earlier,
VMware ESXi 3.5 without patch ESXe350-200809401-I-SG
VMware ESX 3.5 without patches ESX350-200809404-SG, ESX350-200810215-UG
VMware ESX 3.0.3 without patch ESX303-200809401-SG
VMware ESX 3.0.2 without patch ESX-1006361
VMware ESX 3.0.1 without patch ESX-1006678...

//