Greetings from the VMware Security Response Center!
We’ve made some minor improvements in our latest VMSA based on community feedback and I thought we should share what these changes are and why we’ve made them.
Added an overall severity to the advisory itself in the header section
This is to better inform you, the customer, of the severity level of the VMSA as a whole. The severity level in this field will always be equal to the highest severity of any individual vulnerability mentioned in the VMSA. For details on our severity classifications, please see our VMware Security Response Policy.
Overhauled the ‘Relevant Releases’ section
We have renamed this section ‘Relevant Products’ and simplified it. Previously we would attempt to enumerate all releases of affected products and list them. We have found this section to be somewhat confusing for our customers. The idea of this section was to provide you with a quick reference to determine if the advisory was applicable to your environment. We have further simplified this to simply list product lines rather than versions. If you have a product from this list in your environment, you should definitely read the rest of the advisory.
Added a severity column to the section “3. Problem Description” tables
It is commonplace that a single vulnerability may affect our different products in various ways. This column will allow us to better describe the severity of an issue as it relates to a specific product.
Added a workaround column to the section “3. Problem Description” tables
This column will be used to point to knowledge base articles which describe workarounds that you can perform immediately to mitigate or remove the possibility of exploitation that the vulnerability presents. Please note, we always recommend upgrading to the product versions listed in the table but we also understand this may take time from a practical standpoint. There will not always be a workaround for every issue, but we will provide them whenever they are possible and functionally feasible.
So those are the improvements we have added to the VMSA. We will not be updating previous VMSAs with this information, but these will persist in all future VMSAs. We hope this will help to simplify and clarify the issues we disclose in these advisories.
Please, drop us a line at firstname.lastname@example.org if you have any questions, comments, or suggestions.
Senior Program Manager
VMware Security Response Center