Skip to main content

VMware security advisory update: Critical memory corruption vulnerability

DoD guys and all the other folks who are building expertise around the security which they have gained while building a secured VMware environment by design, are also being exposed to the ones that can play potential havoc in your environments, should you not take security into account when designing and operating your virtual environments.

Ask yourself the following:

  • Do you know that such malicious attacks are not taking place in your environment?
  • Do you know if there is some sort of control in your environments?
  • How many of you have successfully deployed a CCP that makes your ESX complaint or atleast anywhere close to being SOX/PCI DSS 1.x standards? You must be able to control, authorize and demonstrate on your sense of control on these environments, can you do it?
  • Are you doing any sort of assessments in your environments, especially Virtual Infrastructures be it Oracle VM, VMware ESX, Citrix Xen, Xen or whatever?
  • Are some or any of your virtual platforms registered within your centralized directory, any LDAP v3 variants such as ADS etc?
Don't ignore the issues as they will come haunting you in some form or the other. Anyways, here's the advisory.

3. Problem Description

a. Critical Memory corruption vulnerability

A memory corruption condition may occur in the virtual machine
hardware. A malicious request sent from the guest operating
system to the virtual hardware may cause the virtual hardware to
write to uncontrolled physical memory.

VMware would like to thank Andrew Honig of the Department of
Defense for reporting this issue.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2008-4917 to this issue.

The following table lists what action remediates the vulnerability
(column 4) if a solution is available.

VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
VirtualCenter any Windows not affected

Workstation 6.5.x any not affected
Workstation 6.0.x any 6.5.0 build 118166 or later
Workstation 5.x any 5.5.9 build 126128 or later

Player 2.5.x any not affected
Player 2.0.x any 2.5.0 build 118166 or later
Player 1.x any 1.0.9 build 126128 or later

ACE 2.5.x Windows not affected
ACE 2.0.x Windows 2.5.0 build 118166 or later
ACE 1.x Windows 1.0.8 build 125922 or later

Server 2.x any not affected
Server 1.x any 1.0.8 build 126538 or later

Fusion 2.x Mac OS/X not affected
Fusion 1.x Mac OS/X upgrade to Fusion 2.0 or later

ESXi 3.5 ESXi ESXe350-200811401-O-SG

ESX 3.5 ESX ESX350-200811401-SG
ESX 3.0.3 ESX ESX303-200811401-BG
ESX 3.0.2 ESX ESX-1006980
ESX 2.5.5 ESX not affected



VMware Security Lists

Comments

Popular posts from this blog

DeepLearningTrucker Part 1

Avastu Blog is migrating to IdeationCloud.com; 1st Jan 2009 live

YOU DON'T HAVE TO DO ANYTHING. WITHIN 2 SECONDS YOU WILL BE REDIRECTED TO THE NEW HOME OF AVASTU BLOG. PLEASE DO UPDATE AVASTU BLOG'S URL to : http://www.ideationcloud.com on your website.

I will send out emails personally to those who are using my link(s) on their sites.

Thanks much for your co-operation and hope you enjoy the new site and its cool new features :-)




Not like the site is unlive or something..on the contrary, its beginning to get a lot of attention already. Well most of the work is done, you don't have to worry about anything though:

What won't change

Links/Referrals: I will be redirecting the links (all links which you may have cross-posted) to IdeationCloud.com - so you don't have to do anything in all your posts and links. Although, I would urge however that you do change the permalinks, especially on your blogs etc yourselfThis blog is not going away anywhere but within a few months, I will consider discontinuing its usage. I won't obviously do …

Get Vyatta Virtual Appliance, now VMware certified!

We all know Vyatta, don't we?

Vyatta, the leader in Linux-based networking, today announced that its open-source networking software has received VMware Virtual Appliance Certification, thereby providing customers with a solution that has been optimized for a production-ready VMware environment. The company also announced it has joined the VMware Technology Alliance Partner (TAP) Program. As a member of TAP, Vyatta will offer its solutions via the TAP program website. With the Vyatta virtual appliance for VMware environments, organizations can now include Vyatta’s router, firewall and VPN functions as part of their virtualized infrastructure.

Vyatta combines enterprise-class routing and security capabilities into an integrated, reliable and commercially supported software solution, delivering twice the performance of proprietary network solutions at half the price. Running Vyatta software as virtual appliances gives customers many more options for scaling their data centers and cons…