Skip to main content

VMware security advisory update: Critical memory corruption vulnerability

DoD guys and all the other folks who are building expertise around the security which they have gained while building a secured VMware environment by design, are also being exposed to the ones that can play potential havoc in your environments, should you not take security into account when designing and operating your virtual environments.

Ask yourself the following:

  • Do you know that such malicious attacks are not taking place in your environment?
  • Do you know if there is some sort of control in your environments?
  • How many of you have successfully deployed a CCP that makes your ESX complaint or atleast anywhere close to being SOX/PCI DSS 1.x standards? You must be able to control, authorize and demonstrate on your sense of control on these environments, can you do it?
  • Are you doing any sort of assessments in your environments, especially Virtual Infrastructures be it Oracle VM, VMware ESX, Citrix Xen, Xen or whatever?
  • Are some or any of your virtual platforms registered within your centralized directory, any LDAP v3 variants such as ADS etc?
Don't ignore the issues as they will come haunting you in some form or the other. Anyways, here's the advisory.

3. Problem Description

a. Critical Memory corruption vulnerability

A memory corruption condition may occur in the virtual machine
hardware. A malicious request sent from the guest operating
system to the virtual hardware may cause the virtual hardware to
write to uncontrolled physical memory.

VMware would like to thank Andrew Honig of the Department of
Defense for reporting this issue.

The Common Vulnerabilities and Exposures project (
has assigned the name CVE-2008-4917 to this issue.

The following table lists what action remediates the vulnerability
(column 4) if a solution is available.

VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
VirtualCenter any Windows not affected

Workstation 6.5.x any not affected
Workstation 6.0.x any 6.5.0 build 118166 or later
Workstation 5.x any 5.5.9 build 126128 or later

Player 2.5.x any not affected
Player 2.0.x any 2.5.0 build 118166 or later
Player 1.x any 1.0.9 build 126128 or later

ACE 2.5.x Windows not affected
ACE 2.0.x Windows 2.5.0 build 118166 or later
ACE 1.x Windows 1.0.8 build 125922 or later

Server 2.x any not affected
Server 1.x any 1.0.8 build 126538 or later

Fusion 2.x Mac OS/X not affected
Fusion 1.x Mac OS/X upgrade to Fusion 2.0 or later

ESXi 3.5 ESXi ESXe350-200811401-O-SG

ESX 3.5 ESX ESX350-200811401-SG
ESX 3.0.3 ESX ESX303-200811401-BG
ESX 3.0.2 ESX ESX-1006980
ESX 2.5.5 ESX not affected

VMware Security Lists


Popular posts from this blog

Redhot Future Of IT Part I :Marketing yourself as IT professional

I had promised about the "RedHot IT Future Series" and so we discuss here how you should market yourself EFFECTIVELY as an IT professional in this new (and dangerous) web age! Web is the place where you're a hero today and villain tomorrow. While there are lots of professionals who are active on the web, not all are enjoying a good reputation as they got "personal" with others and got into a cockfight. The passive IT professional has nothing to lose but nothing to gain at all!

I know "marketing" might seem as a greasy term but the idea is to have the truth about you out there. You know you're a good person and your family knows that you're really smart person but the rest of the world doesn't!

So the question is how do I market myself on the web as a true "nouveau IT professional". A guy who companies will be tempted to pick up the phone as say "Hey, we wanna talk with you. Can you fly over to Palo Alto (or Guatemala or Johan…

Redhot Future Of IT Part 2 :Virtualized Workplaces

Click on the title to hear what I have to say, alternatively click here to listen to what I have to say here.

So what is a virtualized workplace? Does it mean it does not exist? That it's virtual? Well in a certain way YES. This is where the future of our workplace is going to be. Well it is already a reality in some countries.

OK lets start by asking ourselves these questions:
Do you really bond with your colleagues? (think Team cohesiveness)
Do you spend great amount of hours talking about great things that you will do together? (think collaboration)
Do you really feel that you give 100% at work? (think effectiveness)
What do you really miss at your desk? (think personalization)
Is your desk comfortable enough? (Again think optimizing personalization, OK you have done your best to make it your place)Does it really matter to your employer that you are there for him/her? (think commitment)
Or do you get micromanaged over petty issues? (think mismanagement)
Do you see your employees perfor…

Avastu Blog is migrating to; 1st Jan 2009 live


I will send out emails personally to those who are using my link(s) on their sites.

Thanks much for your co-operation and hope you enjoy the new site and its cool new features :-)

Not like the site is unlive or something..on the contrary, its beginning to get a lot of attention already. Well most of the work is done, you don't have to worry about anything though:

What won't change

Links/Referrals: I will be redirecting the links (all links which you may have cross-posted) to - so you don't have to do anything in all your posts and links. Although, I would urge however that you do change the permalinks, especially on your blogs etc yourselfThis blog is not going away anywhere but within a few months, I will consider discontinuing its usage. I won't obviously do …