Users who run four different types of VMware products, ESXi, vCenter Server, Fusion and Workstation, encouraged to update to address a series of vulnerabilities, one critical.
The most serious issue, an out-of-bounds write vulnerability, exists in ESXi, and desktop hypervisors Workstation, and Fusion. An attacker could exploit the issue, which exists in a SVGA device, to execute code on the host, according to a VMware security advisory posted early Friday.
The issue, CVE-2017-4924, discovered by researchers Nico Golde and Ralf-Philipp Weinmann of Comsecuris UG, affects version 6.5 of ESXi but not versions 6.0 and 5.5. It also affects version 12.x of Workstation and version 8.x of Fusion. As the bug allows code execution it’s marked as critical.
NULL pointer reference vulnerability
A NULL pointer reference vulnerability can also exploit when the software handles guest RPC requests, something that could allow an attacker with normal user privileges to crash virtual machines.
The moderate severity bug affects version 6.5, 6.0, and 5.5 of ESXi, version 12.x of Workstation, and 8.x of Fusion. Users urged to apply patches released on Friday as no workaround exist for the vulnerability.
The bug only affects the Windows version 6.5 of vCenter Server. Users encouraged to update to version 6.5 U1 to mitigate it.