VMware products and CVE-2015-7547, glibc getaddrinfo security issue

Last Tuesday, a stack buffer overflow in the glibc library (CVE-2015-7547) was disclosed. We have reviewed the issue and determined which products are affected. A workaround that blocks malicious traffic has been identified and is being tested on relevant, affected products.

VMware Knowledge Base article 2144032 lists the affected products and documents the workaround for the products where testing has concluded successfully. Customers are advised to deploy the workarounds. Upcoming releases of our products will include the fix for the issue.

2/22 Update
VMware Knowledge Base article 2144032 continues to be updated when new workarounds, patches, and updated releases for CVE-2015-7547 become available.
In addition, we have released VMware Security Advisory VMSA-2016-0002 to alert customers to the release of a patch that addresses CVE-2015-7547 on ESXi 5.5.

2/23 Update
VMware Security Advisory VMSA-2016-0002 has been updated after the release of a patch that addresses CVE-2015-7547 on ESXi 6.0. We've also updated VMware Knowledge Base article 2144032 and added more workarounds, patches, and updated releases for CVE-2015-7547.

3/29 Update
Today, new versions of vCenter Server Appliance (VCSA), 5.0 U3f, 5.1 U3c, and 5.5 U3c, which address CVE-2015-7547, have been released. Earlier in February, we released workarounds for VCSA.
As mentioned before, update releases that address this CVE on VMware appliances, along with workarounds and patches, are found in VMware Knowledge Base article 2144032. This KB will continue to be updated on a regular basis.