
Monthly Archives: January 2015

VMware products and “Ghost”, glibc gethostbyname* buffer overflow (CVE-2015-0235)

This Tuesday a buffer overflow in the gethostbyname family of functions (“gethostbyname*”) in the widely used glibc library (CVE-2015-0235) was disclosed. As soon as we became aware of this vulnerability, we began investigating. We regarded it as a significant vulnerability since the original advisory detailed remote code execution in the Exim mail server.

We quickly realized that exploitability of this vulnerability depends on where and how the vulnerable function is invoked. In particular, if an attacker cannot control the arguments passed to the gethostbyname* functions, then the overflow cannot be triggered. Suffice it to say, the applicability of this vulnerability to the Exim mail server cannot be generalized to all software using glibc, or even to all invocations of gethostbyname*.

We have been reviewing the use of glibc and gethostbyname* in our products.  Based on our current analysis, we have not identified any VMware product that is affected by this issue. Many of our products do use a vulnerable version of the glibc library, but we have not found a way to pass untrusted input to gethostbyname*. Our KB on this issue is published here.
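A first pass of the kind of call-site review described above can be scripted. The following is an added example, not VMware's tooling: it scans C source for gethostbyname* calls and separates those whose name argument is a string literal from those that need data-flow review. The function names `first_argument` and `triage` and the sample source are constructed for illustration.

```python
import re

# The four entry points covered by the page's "gethostbyname*" shorthand.
CALL = re.compile(r'\b(gethostbyname(?:2)?(?:_r)?)\s*\(')
# One or more adjacent C string literals (the compiler concatenates them).
LITERAL = re.compile(r'^(?:"(?:[^"\\]|\\.)*"\s*)+$')

def first_argument(src, start):
    """Return the first argument of a call; start is the index just past '('."""
    depth, in_str, i = 0, False, start
    while i < len(src):
        c = src[i]
        if in_str:
            if c == '\\':
                i += 1              # skip the escaped character
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
        elif c == '(':
            depth += 1
        elif c == ')' and depth > 0:
            depth -= 1
        elif c in ',)' and depth == 0:
            break                   # end of the first argument
        i += 1
    return src[start:i].strip()

def triage(src):
    """Classify each call site by whether the name argument is a constant."""
    findings = []
    for m in CALL.finditer(src):
        arg = first_argument(src, m.end())
        line = src.count('\n', 0, m.start()) + 1
        verdict = 'constant' if LITERAL.match(arg) else 'needs-review'
        findings.append((line, m.group(1), arg, verdict))
    return findings

# Constructed sample input, not taken from any real product.
SAMPLE = r'''
struct hostent *a = gethostbyname("localhost");
struct hostent *b = gethostbyname(argv[1]);
rc = gethostbyname_r(cfg_lookup(conf, "peer"), &he, buf, sizeof buf, &res, &err);
struct hostent *c = gethostbyname2("db." "internal", AF_INET);
'''

if __name__ == '__main__':
    for line, func, arg, verdict in triage(SAMPLE):
        print(f'line {line}: {func}({arg}, ...) -> {verdict}')
```

A `needs-review` result is not a finding of exploitability; it only marks call sites where the argument's origin has to be traced by hand or with a data-flow tool. The scan is textual, so calls hidden behind macros or wrapper functions are out of its reach.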

We take the security of customers extremely seriously. Even though no VMware product has been found to be exploitable using this issue, we will update the glibc library in normal upcoming maintenance releases.

New VMware security advisory VMSA-2015-0002.

Today we released a new security advisory, VMSA-2015-0002.

The advisory documents CVE-2014-4632, a certificate validation vulnerability in VMware vSphere Data Protection (VDP).

Customers should review the advisory and direct any questions to VMware Support.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Changes to Transparent Page Sharing (reminder) and new and updated VMware Security Advisories

As we noted earlier on Oct 16, Nov 24 and Dec 4, VMware has introduced new TPS (Transparent Page Sharing) management options. Today’s release of ESXi 5.5 U2d restricts TPS to individual VMs and disables inter-VM TPS by default unless an administrator chooses to re-enable it. Please see KB 2097593 for full details on the functionality.

Additionally VMware has today released the following new and updated advisories:

The new advisory details a privilege escalation (CVE-2014-8370) and denial of service issues (CVE-2015-1043, CVE-2015-1044) in Workstation, Fusion and ESXi, and updates to third-party libraries in VMware vSphere.

Customers should review the security advisory and direct any questions to VMware Support.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.