VMware Server
2. Relevant releases
VMware Workstation 6.5.1 and earlier,
VMware Player 2.5.1 and earlier,
VMware ACE 2.5.1 and earlier,
VMware Server 2.0,
VMware Server 1.0.8 and earlier,
VMware ESXi 3.5 without patches ESXe350-200811401-O-SG,
ESXe350-200903201-O-UG
2. Relevant releases
VMware Workstation 6.5.1 and earlier,
VMware Player 2.5.1 and earlier,
VMware ACE 2.5.1 and earlier,
VMware Server 2.0,
VMware Server 1.0.8 and earlier,
VMware Fusion 2.0.3 and earlier,
VMware ESXi 3.5 without patch ESXe350-200904201-O-SG,
2. Relevant releases
VMware Workstation 6.5.1 and earlier,
VMware Player 2.5.1 and earlier,
VMware ACE 2.5.1 and earlier,
VMware Server 2.0,
VMware Server 1.0.8 and earlier,
VMware Fusion 2.0.1 and earlier.
VMware ESXi 3.5 without patch ESXe350-200904402-T-BG
2. Relevant releases
VMware Workstation 6.5.2 and earlier,
VMware Player 2.5.2 and earlier,
VMware ACE 2.5.2 and earlier,
VMware Server 2.0.1 and earlier,
VMware Server 1.0.9 and earlier,
VMware Fusion 2.0.5 and earlier,
VMware ESXi 4.0 without patch ESXi400-200909401-BG,
-------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2008-0005
Synopsis: Updated VMware Workstation, VMware Player, VMware
Server, VMware ACE, and VMware Fusion resolve
critical security issues
Issue date: 2008-03-17
Updated on: 2008-03-17 (initial release of advisory)
CVE numbers: CVE-2008-0923 CVE-2008-0923 CVE-2008-1361
CVE-2008-1362 CVE-2007-5269 CVE-2006-2940
VMware Workstation 6.5.3 and earlier,
VMware Player 3.0,
VMware Player 2.5.3 and earlier,
VMware ACE 2.6,
VMware ACE 2.5.3 and earlier,
VMware Server 2.0.2 and earlier,
VMware Fusion 3.0,
VMware Fusion 2.0.6 and earlier,
VMware VIX API for Windows 1.6.x,
VMware ESXi 4.0 before patch ESXi400-201002402-BG
-------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2008-0009
Synopsis: Updates to VMware Workstation, VMware Player,
VMware ACE, VMware Fusion, VMware Server, VMware
VIX API, VMware ESX, VMware ESXi resolve critical
security issues
Issue date: 2008-06-04
Updated on: 2008-06-04 (initial release of advisory)
CVE numbers: CVE-2007-5671 CVE-2008-0967 CVE-2008-2097
------------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2008-0014
Synopsis: Updates to VMware Workstation, VMware Player,
VMware ACE, VMware Server, VMware ESX address
information disclosure, privilege escalation and
other security issues.
Issue date: 2008-08-29
Updated on: 2008-08-29 (initial release of advisory)
CVE numbers: CVE-2008-2101 CVE-2007-5269 CVE-2008-1447
VMware Workstation 5.5.8 and earlier,
VMware Player 2.0.5 and earlier,
VMware Player 1.0.8 and earlier,
VMware ACE 2.0.5 and earlier,
VMware ACE 1.0.7 and earlier,
VMware Server 1.0.7 and earlier.
VMware ESXi 3.5 without patch ESXe350-200810401-O-UG
VMware ESX 3.5 without patch ESX350-200810201-UG
-------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2007-0006
Synopsis: Critical security updates for all supported
versions of VMware ESX Server, VMware Server,
VMware Workstation, VMware ACE, and
VMware Player
Issue date: 2007-09-18
Updated on: 2007-09-18
VMware Workstation 5.5.7 and earlier,
VMware Player 2.0.4 and earlier,
VMware Player 1.0.7 and earlier,
VMware ACE 2.0.4 and earlier,
VMware ACE 1.0.6 and earlier,
VMware Server 1.0.6 and earlier,
VMware ESXi 3.5 without patch ESXe350-200809401-I-SG
ESX 3.5 without patch ESX350-200809404-SG
VMware Workstation 6.0.5 and earlier,
VMware Workstation 5.5.8 and earlier,
VMware Player 2.0.5 and earlier,
VMware Player 1.0.8 and earlier,
VMware Server 1.0.9 and earlier,
VMware ESXi 3.5 without patch ESXe350-200811401-O-SG
VMware ESX 3.5 without patches ESX350-200811406-SG and
ESX350-200811401-SG
. VMWare ACE 1.0.2
*Non-vulnerable Packages*
. VMWare ESX
. VMWare Server
*Vendor Information, Solutions and Workarounds*
Disable the Shared Folders feature for all virtual machines. On VMWare
Workstation this can be done by clicking on "Edit virtual machine
-----------------
(for a complete list, see:
http://www.vmware.com/security/advisories/VMSA-2008-0016.html or
http://lists.vmware.com/pipermail/security-announce/2008/000037.html)
VMware Player 2.0.4-Build 93057
VMware Server 1.0.6 Build-91891
VMware Workstation 6.0.4 Build-93057
PATCHED SOFTWARE
---------------------
-----------------
(for a complete list, see:
http://www.vmware.com/security/advisories/VMSA-2008-0018.html or
http://lists.vmware.com/pipermail/security-announce/2008/000042.html)
VMware Player 2.0.5-Build 109488
VMware Server 1.0.7-Build 108231
VMware Workstation 6.0.5-Build 109488
PATCHED SOFTWARE
---------------------
2. Relevant releases
Virtual Center 2.5 with WebAccess
Virtual Center 2.0.2 with WebAccess
VMware Server 2.0.2 with WebAccess
VMware Server 1.0.10
ESX 3.5 with WebAccess
ESX 3.0.3 with WebAccess
2. Relevant releases
ESX 4.0 without patch ESX400-200911223-UG
vCenter 4.0 GA
VMware Server 2.0.2
VMware Lab Manager 2.x
VMware vCenter Lab Manager 3.x
VMware vCenter Lab Manager 4.0
VMware vCenter Stage Manager 1.x
*Affected products:*
This behavior is only present in Workstation 6.0, Workstation 6.0 with
ACE Option Pack, and VMware Player 2.0.
This issue does not affect any released version of VMware Server, VMware
ESX Server, or VMware GSX Server.
This issue also does not affect deployed ACE 2.0 virtual machines.
ESX 4.1 without patch ESX410-201010405-BG
ESX 4.0 without patch ESX400-201009401-SG
ESX 3.5 without patch ESX350-201008409-BG
Note: VMware Server was declared End Of Availability on January 2010,
support will be limited to Technical Guidance for the duration
of the support term.
3. Problem Description
-- Affected Vendors:
VMWare, Inc.
-- Affected Products:
VMWare, Inc. VMWare Server
VMWare, Inc. VMWare ACE
VMWare, Inc. VMWare Player
VMWare, Inc. VMWare Workstation
-- Vulnerability Details:
One benefit of using virtual machines is that it allows you to work with
several operating systems on the same machine and provides effective
isolation between each operating system.
The VIX API provides an interface to manipulate virtual machines from the
host machine. This API is available on any machine with VMware Server or
Workstation installed. Certain commands, such as RunProgramInGuest, do
require authentication to run commands on a VMware guest OS; you can
instruct them to use the credentials of the user currently logged in at the
console. If no user is currently logged in, the command can wait until the
next user does log in.
be selected from the host system to be shared. No folders are shared
by default in any version of our products, which means this
vulnerability is not exploitable by default. Workstation 6.x,
Player 2.x, and ACE 2.x have shared folders disabled by default.
VMware Server, ESX and ESXi do not provide the shared folders feature.
Because there is no back-end for the HGFS protocol on the virtualization
host, these products are architecturally immune to this issue.
This issue might not be exploitable on host operating systems which
have implemented heap protection.
You stated: "usually such people don't have the skills" Humor me and
others on this list why don't you... Reported to CERT two days ago:
Vulnerability Report
Vulnerability Description Over 300 ActiveX based vulnerabilities have
been discovered on multiple VMWare Server applications. Vulnerabilities
range from denial of service attacks to full control of EIP which can
lead to code execution
Vulnerability Impact Attacker can trigger code execution
Date 2011-03-21T11:53:40
VMware Workstation 7.1.1 and earlier,
VMware Player 3.1.1 and earlier,
VMware ACE Management Server 2.7.1 and earlier,
Note: VMware Server was declared End Of Availability on January 2010,
support will be limited to Technical Guidance for the duration
of the support term.
3. Problem Description
III. AFFECTED PRODUCTS
---------------------------
VMware Workstation versions prior to 6.5.4 build 246459
VMware Player versions prior to 2.5.4 build 246459
VMware Server versions 2.x
VMware Movie Decoder versions prior to 6.5.4 Build 246459
IV. Binary Analysis & Proof-of-concept
------------------------
- VMware Workstation
- VMware Player
- VMware ACE
- VMware Server
- VMware ESX
- VMware Fusion
- Etc.
--------------------
*Affected products:*
This behavior is only present in Workstation 6.0 and VMware Player 2.0.
This issue does not affect any released version of VMware Server, VMware
ESX Server, or VMware GSX Server.
*How to disable this behavior*
You can disable this behavior by adding an entry to the host
VMWare, Inc.
-- Affected Products:
VMWare, Inc. VMWare Player
VMWare, Inc. VMWare Workstation
VMWare, Inc. VMWare Server
VMWare, Inc. VMWare ACE
-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of multiple VMWare products. User interaction