Fix is in for VMware’s ESXi, Workstation, Fusion

Monday, April 15, 2019 @ 04:04 PM gHale

VMware has released fixes for multiple out-of-bounds read vulnerabilities in its ESXi, Workstation and Fusion products.

The products affected by the vulnerabilities are VMware vSphere ESXi (ESXi), Workstation Pro/Player (Workstation), and Fusion Pro/Fusion (Fusion), according to the VMware advisory.
https://www.vmware.com/security/advisories/VMSA-2019-0006.html

The updates for VMware ESXi, Workstation and Fusion address an out-of-bounds vulnerability in the vertex shader functionality. Exploitation of this issue requires an attacker to have access to a virtual machine with 3D graphics enabled. Successful exploitation of this issue may lead to information disclosure or may allow attackers with normal user privileges to create a denial-of-service condition on their own VM.

The workaround for this issue involves disabling the 3D-acceleration feature. This feature is not enabled by default on ESXi and is enabled by default on Workstation and Fusion.

The CVE identifier for the issue is CVE-2019-5516.

In addition, VMware ESXi, Workstation and Fusion contain multiple out-of-bounds read vulnerabilities in the shader translator. Exploitation of these issues requires an attacker to have access to a virtual machine with 3D graphics enabled. Successful exploitation of these issues may lead to information disclosure or may allow attackers with normal user privileges to create a denial-of-service condition on their own VM.

The workaround for these issues involves disabling the 3D-acceleration feature. This feature is not enabled by default on ESXi and is enabled by default on Workstation and Fusion.

CVE-2019-5517 is the CVE identifier for these issues.

ESXi, Workstation and Fusion updates address an out-of-bounds read vulnerability. Exploitation of this issue requires an attacker to have access to a virtual machine with 3D graphics enabled. Successful exploitation of this issue may lead to information disclosure. The workaround for this issue involves disabling the 3D-acceleration feature. This feature is not enabled by default on ESXi and is enabled by default on Workstation and Fusion.

CVE-2019-5520 is the CVE identifier for this issue.
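One way to find the virtual machines where the 3D-acceleration workaround still has to be applied, as an added example that is not from the article or from VMware: the script walks a directory of VM configuration (.vmx) files and reports the 3D state of each. It assumes the `mks.enable3d` VMX key, which the article does not name, and the sample VMX contents are constructed.

```python
import re
import sys
from pathlib import Path

# Assumption: mks.enable3d is the VMX key behind the 3D-acceleration setting.
KEY = "mks.enable3d"
# A VMX assignment line looks like: some.key = "value"; lines starting with # are comments.
LINE = re.compile(r'^\s*([^#\s=]+)\s*=\s*"(.*)"\s*$')


def parse_vmx(text):
    """Return VMX key/value pairs with keys lower-cased; a repeated key keeps its last value."""
    settings = {}
    for raw in text.splitlines():
        match = LINE.match(raw)
        if match:
            settings[match.group(1).lower()] = match.group(2)
    return settings


def state_3d(text):
    """Classify one VMX file as 'enabled', 'disabled' or 'unset' (key absent)."""
    value = parse_vmx(text).get(KEY)
    if value is None:
        # No explicit setting: the product default applies, so verify it in the UI.
        return "unset"
    return "enabled" if value.strip().lower() == "true" else "disabled"


def audit(root):
    """Map every .vmx file below root to its 3D state."""
    return {str(path): state_3d(path.read_text(errors="replace"))
            for path in sorted(Path(root).rglob("*.vmx"))}


# Constructed sample VMX contents, not taken from a real VM.
SAMPLE_ON = 'displayName = "build-01"\nmks.enable3D = "TRUE"\n'
SAMPLE_OFF = '# 3D turned off as a workaround\nmks.enable3D = "FALSE"\n'
SAMPLE_UNSET = 'displayName = "db-02"\nmemsize = "4096"\n'

if __name__ == "__main__":
    # Usage: python audit_3d.py /path/to/vm/directory
    for vmx_path, state in audit(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f"{state:9} {vmx_path}")
```

VMs reported as "enabled" or "unset" are the ones to review until the updated versions are installed.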

VMware issued updated software for the following:
ESXi 6.7
ESXi 6.5
VMware Workstation Pro 14.1.6, 15.0.3
VMware Workstation Player 14.1.6, 15.0.3
VMware Fusion Pro/Fusion 10.1.6, 11.0.3