Executive Summary
Summary | |
---|---|
Title | VMware ESXi, Workstation and Fusion updates address critical and moderate security issues |
Information | | | |
---|---|---|---|
Name | VMSA-2017-0006 | First vendor Publication | 2017-03-28 |
Vendor | VMware | Last vendor Modification | 2017-03-28 |
Severity (Vendor) | N/A | Revision | N/A |
Security-Database Scoring CVSS v3
Cvss vector : N/A | | | |
---|---|---|---|
Overall CVSS Score | NA | | |
Base Score | NA | Environmental Score | NA |
Impact Sub Score | NA | Temporal Score | NA |
Exploitability Sub Score | NA | | |
Security-Database Scoring CVSS v2
Cvss vector : (AV:L/AC:L/Au:N/C:C/I:C/A:C) | | | |
---|---|---|---|
Cvss Base Score | 7.2 | Attack Range | Local |
Cvss Impact Score | 10 | Attack Complexity | Low |
Cvss Exploit Score | 3.9 | Authentication | None Required |
Detail

a. ESXi, Workstation, Fusion SVGA memory corruption

ESXi, Workstation, Fusion have a heap buffer overflow and uninitialized stack memory usage in SVGA. These issues may allow a guest to execute code on the host.

VMware would like to thank ZDI and Team 360 Security from Qihoo for reporting these issues to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifiers CVE-2017-4902 (heap issue) and CVE-2017-4903 (stack issue) to these issues.

Note: ESXi 6.0 is affected by CVE-2017-4903 but not by CVE-2017-4902.

Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

b. ESXi, Workstation, Fusion XHCI uninitialized memory usage

The ESXi, Workstation, and Fusion XHCI controller has uninitialized memory usage. This issue may allow a guest to execute code on the host. The issue is reduced to a Denial of Service of the guest on ESXi 5.5.

VMware would like to thank ZDI and Team Sniper from Tencent Security for reporting this issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2017-4904 to this issue.

Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

c. ESXi, Workstation, Fusion uninitialized memory usage

ESXi, Workstation, and Fusion have uninitialized memory usage. This issue may lead to an information leak.

VMware would like to thank ZDI and Team Sniper from Tencent Security for reporting this issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2017-4905 to this issue.

Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.
Original Source
Url : http://www.vmware.com/security/advisories/VMSA-2017-0006.html
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-119 | Failure to Constrain Operations within the Bounds of a Memory Buffer |
CPE : Common Platform Enumeration
Nessus® Vulnerability Scanner
Date | Name | File | Type |
---|---|---|---|
2017-03-31 | The remote VMware ESXi 5.5 host is affected by multiple vulnerabilities. | vmware_esxi_5_5_build_5230635_remote.nasl | ACT_GATHER_INFO |
2017-03-31 | The remote VMware ESXi 6.0 host is affected by multiple vulnerabilities. | vmware_esxi_6_0_build_5251621_remote.nasl | ACT_GATHER_INFO |
2017-03-31 | The remote VMware ESXi 6.5 host is affected by multiple vulnerabilities. | vmware_esxi_6_5_build_5224529_remote.nasl | ACT_GATHER_INFO |
2017-03-30 | A virtualization application installed on the remote macOS or Mac OS X host i... | macosx_fusion_vmsa_2017_0006.nasl | ACT_GATHER_INFO |
2017-03-30 | The remote VMware ESXi host is missing one or more security-related patches. | vmware_VMSA-2017-0006.nasl | ACT_GATHER_INFO |
2017-03-30 | A virtualization application installed on the remote Linux host is affected b... | vmware_workstation_linux_vmsa_2017_0006.nasl | ACT_GATHER_INFO |
2017-03-30 | A virtualization application installed on the remote Windows host is affected... | vmware_workstation_win_vmsa_2017_0006.nasl | ACT_GATHER_INFO |
2017-01-16 | The remote OracleVM host is missing one or more security updates. | oraclevm_OVMSA-2017-0006.nasl | ACT_GATHER_INFO |
Alert History
Date | Information |
---|---|
2017-06-14 17:23:30 | |
2017-06-08 00:24:29 | |
2017-04-01 13:25:06 | |
2017-03-31 13:22:46 | |
2017-03-28 21:21:58 | |