VMware vSphere vulnerabilities
27 known vulnerabilities affecting vmware/vmware_vsphere.
Total CVEs: 27
CISA KEV: 0
Public exploits: 5
Exploited in wild: 0
Severity breakdown
CRITICAL 6, HIGH 10, MEDIUM 11
Vulnerabilities
Page 1 of 2
CVE-2018-11066 | CRITICAL | CVSS 9.8 | 2018-11-20
CVE-2018-11066 [CRITICAL] vSphere Data Protection (VDP) updates address multiple security issues.
VMSA-2018-0029: vSphere Data Protection (VDP) updates address multiple security issues.
vSphere Data Protection (VDP) updates address multiple security issues. 2. Relevant Products vSphere Data Protection (VDP). VDP is based on Dell EMC Avamar Virtual Edition. 3. Problem Description a. Remote code execution vulnerability. VDP contains a remote code execution vulnerability. A remote unauthenticated
vmware
CVE-2018-6981 | HIGH | CVSS 8.8 | 2018-11-09
CVE-2018-6981 [HIGH] VMware ESXi, Workstation, and Fusion updates address uninitialized stack memory usage
VMSA-2018-0027: VMware ESXi, Workstation, and Fusion updates address uninitialized stack memory usage
VMware ESXi, Workstation, and Fusion updates address uninitialized stack memory usage. 2. Relevant Products VMware vSphere ESXi (ESXi) VMware Workstation Pro / Player (Workstation) VMware Fusion Pro, Fusion (Fusion) 3. Problem Description a. vmxnet3 uninitialized stack memory usage VMware E
vmware
CVE-2018-6974 | HIGH | CVSS 8.8 | 2018-10-16
CVE-2018-6974 [HIGH] VMware ESXi, Workstation, and Fusion updates address an out-of-bounds read vulnerability
VMSA-2018-0026: VMware ESXi, Workstation, and Fusion updates address an out-of-bounds read vulnerability
VMware ESXi, Workstation, and Fusion updates address an out-of-bounds read vulnerability 2. Relevant Products VMware vSphere ESXi (ESXi) VMware Workstation Pro / Player (Workstation) VMware Fusion Pro, Fusion (Fusion) 3. Problem Description Out-of-bounds read vulnerability in SVGA De
vmware
CVE-2018-6971 | HIGH | CVSS 7.8 | 2018-07-19
CVE-2018-6971 [HIGH] VMware Horizon View Agent, VMware ESXi, Workstation, and Fusion updates resolve multiple security issues
VMSA-2018-0018: VMware Horizon View Agent, VMware ESXi, Workstation, and Fusion updates resolve multiple security issues
a. VMware Horizon View Agent local information disclosure vulnerability VMware Horizon View Agents contain a local information disclosure vulnerability due to insecure logging of credentials in the vmmsi.log file when an account other than the currentl
vmware
CVE-2018-6965 | HIGH | CVSS 8.1 | 2018-06-28
CVE-2018-6965 [HIGH] VMware ESXi, Workstation, and Fusion updates address multiple out-of-bounds read vulnerabilities
VMSA-2018-0016: VMware ESXi, Workstation, and Fusion updates address multiple out-of-bounds read vulnerabilities
VMware ESXi, Workstation, and Fusion updates address multiple out-of-bounds read vulnerabilities 2. Relevant Products VMware vSphere ESXi (ESXi) VMware Workstation Pro / Player (Workstation) VMware Fusion Pro, Fusion (Fusion) 3. Problem Description ESXi, Workstation,
vmware
CVE-2017-4947 | CRITICAL | CVSS 9.8 | 2018-01-26
CVE-2017-4947 [CRITICAL] vRealize Automation, vSphere Integrated Containers, and AirWatch Console updates address multiple security vulnerabilities
VMSA-2018-0006: vRealize Automation, vSphere Integrated Containers, and AirWatch Console updates address multiple security vulnerabilities
vRealize Automation, vSphere Integrated Containers, and AirWatch Console updates address multiple security vulnerabilities 2. Relevant Products vRealize Automation (vRA) vSphere Integrated Containers (VIC) VMware
vmware
CVE-2017-5715 | MEDIUM | CVSS 5.6 | PoC | 2018-01-03
CVE-2017-5715 [MEDIUM] VMware ESXi, Workstation and Fusion updates address side-channel analysis due to speculative execution.
VMSA-2018-0002: VMware ESXi, Workstation and Fusion updates address side-channel analysis due to speculative execution.
VMware ESXi, Workstation and Fusion updates address side-channel analysis due to speculative execution. Note: This document will focus on the Hypervisor-Specific Mitigations for the known variants of CVE-2017-5753 and CVE-2017-5715. Please review KB522
vmware
CVE-2017-4914 | CRITICAL | CVSS 9.8 | PoC | 2017-06-06
CVE-2017-4914 [CRITICAL] vSphere Data Protection (VDP) updates address multiple security issues.
VMSA-2017-0010: vSphere Data Protection (VDP) updates address multiple security issues.
a. VDP Java deserialization issue VDP contains a deserialization issue. Exploitation of this issue may allow a remote attacker to execute commands on the appliance. VMware would like to thank Tim Roberts, Arthur Chilipweli, and Kelly Correll from NTT Security for reporting this issue to us. The Common Vulnerabili
vmware
CVE-2016-7463 | MEDIUM | CVSS 5.4 | 2016-12-20
CVE-2016-7463 [MEDIUM] VMware ESXi updates address a cross-site scripting issue
VMSA-2016-0023: VMware ESXi updates address a cross-site scripting issue
a. Host Client stored cross-site scripting issue The ESXi Host Client contains a vulnerability that may allow for stored cross-site scripting (XSS). The issue can be introduced by an attacker that has permission to manage virtual machines through ESXi Host Client or by tricking the vSphere administrator to import a specially crafted VM. The iss
vmware
CVE-2016-7458 | MEDIUM | CVSS 5.8 | 2016-11-22
CVE-2016-7458 [MEDIUM] VMware product updates address information disclosure vulnerabilities
VMSA-2016-0022: VMware product updates address information disclosure vulnerabilities
a. vSphere Client XML External Entity vulnerability The vSphere Client contains an XML External Entity (XXE) vulnerability. This issue can lead to information disclosure if a vSphere Client user is tricked into connecting to a malicious instance of vCenter Server or ESXi. There are no known workarounds for this issue.
vmware
CVE-2016-5330 | HIGH | CVSS 7.8 | PoC | 2016-08-04
CVE-2016-5330 [HIGH] VMware product updates address multiple security issues
VMSA-2016-0010: VMware product updates address multiple security issues
a. DLL hijacking issue in Windows-based VMware Tools A DLL hijacking vulnerability is present in the VMware Tools "Shared Folders" (HGFS) feature running on Microsoft Windows. Exploitation of this issue may lead to arbitrary code execution with the privileges of the victim. In order to exploit this issue, the attacker would need write access to a n
vmware
CVE-2016-2076 | HIGH | CVSS 7.6 | 2016-04-14
CVE-2016-2076 [HIGH] VMware product updates address a critical security issue in the VMware Client Integration Plugin
VMSA-2016-0004: VMware product updates address a critical security issue in the VMware Client Integration Plugin
a. Critical VMware Client Integration Plugin incorrect session handling The VMware Client Integration Plugin does not handle session content in a safe way. This may allow for a Man in the Middle attack or Web session hijacking in case the user of the vSphere Web Clien
vmware
CVE-2014-4632 | MEDIUM | CVSS 4.3 | 2015-01-29
CVE-2014-4632 [MEDIUM] VMware vSphere Data Protection product update addresses a certificate validation vulnerability.
VMSA-2015-0002: VMware vSphere Data Protection product update addresses a certificate validation vulnerability.
a. VMware vSphere Data Protection certificate validation vulnerability VMware vSphere Data Protection (VDP) does not fully validate SSL certificates coming from vCenter Server. This issue may allow a Man-in-the-Middle attack that enables the attacker to perform unauth
vmware
CVE-2013-1752 | MEDIUM | CVSS 4.3 | 2014-12-04
CVE-2013-1752 [MEDIUM] VMware vSphere product updates address security vulnerabilities
VMSA-2014-0012: VMware vSphere product updates address security vulnerabilities
a. VMware vCSA cross-site scripting vulnerability VMware vCenter Server Appliance (vCSA) contains a vulnerability that may allow for Cross Site Scripting. Exploitation of this vulnerability in vCenter Server requires tricking a user to click on a malicious link or to open a malicious web page. VMware would like to thank Tanya Seck
vmware
CVE-2014-1209 | CRITICAL | CVSS 9.3 | 2014-04-10
CVE-2014-1209 [CRITICAL] VMware vSphere Client updates address security vulnerabilities
VMSA-2014-0003: VMware vSphere Client updates address security vulnerabilities
a. vSphere Client Insecure Client Download vSphere Client contains a vulnerability in accepting an updated vSphere Client file from an untrusted source. The vulnerability may allow a host to direct vSphere Client to download and execute an arbitrary file from any URI. This issue can be exploited if the host has been compromised or
vmware
CVE-2013-5970 | HIGH | CVSS 7.1 | 2013-10-17
CVE-2013-5970 [HIGH] VMware vSphere updates address multiple vulnerabilities
VMSA-2013-0012: VMware vSphere updates address multiple vulnerabilities
a. VMware ESXi and ESX contain a vulnerability in hostd-vmdb. To exploit this vulnerability, an attacker must intercept and modify the management traffic. Exploitation of the issue may lead to a Denial of Service of the hostd-vmdb service. To reduce the likelihood of exploitation, vSphere components should be deployed on an isolated management netw
vmware
CVE-2012-2337 | HIGH | CVSS 7.2 | 2013-04-25
CVE-2012-2337 [HIGH] VMware security updates for vCenter Server
VMSA-2013-0006: VMware security updates for vCenter Server
a. vCenter Server AD anonymous LDAP binding credential by-pass vCenter Server when deployed in an environment that uses Active Directory (AD) with anonymous LDAP binding enabled doesn't properly handle login credentials. In this environment, authenticating to vCenter Server with a valid user name and a blank password may be successful even if a non-blank password is require
vmware
CVE-2011-1202 | CRITICAL | CVSS 10.0 | 2013-01-31
CVE-2011-1202 [CRITICAL] VMware vSphere security updates for the authentication service and third party libraries
VMSA-2013-0001: VMware vSphere security updates for the authentication service and third party libraries
a. VMware vSphere client-side authentication memory corruption vulnerability VMware vCenter Server, vSphere Client, and ESX contain a vulnerability in the handling of the management authentication protocol. To exploit this vulnerability, an attacker must convince either vCenter S
vmware
CVE-2011-4940 | MEDIUM | CVSS 5.0 | 2012-11-15
CVE-2011-4940 [MEDIUM] VMware security updates for vSphere API and ESX Service Console
VMSA-2012-0016: VMware security updates for vSphere API and ESX Service Console
a. VMware vSphere API denial of service vulnerability The VMware vSphere API contains a denial of service vulnerability. This issue allows an unauthenticated user to send a maliciously crafted API request and disable the host daemon. Exploitation of the issue would prevent management activities on the host but any virtual machines
vmware
CVE-2010-0405 | HIGH | CVSS 7.2 | 2012-03-15
CVE-2010-0405 [HIGH] VMware vCenter Server, Orchestrator, Update Manager, vShield, vSphere Client, Workstation, Player, ESXi and ESX address several security issues
VMSA-2012-0005: VMware vCenter Server, Orchestrator, Update Manager, vShield, vSphere Client, Workstation, Player, ESXi and ESX address several security issues
a. VMware Tools Display Driver Privilege Escalation The VMware XPDM and WDDM display drivers contain buffer overflow vulnerabilities and the XPDM display driver does not prop
vmware