Greetings from the VMware Security Response Center!
Today we released VMSA-2016-0018, which documents products affected by CVE-2016-5195, also known as the ‘Dirty COW’ vulnerability. In addition, we have released Knowledge Base Article 2147515, which documents unaffected products.
There are a few points I’d like to make about our evaluation of this issue and its effect on our products.
We have classified the severity of this issue as ‘Important’ in accordance with our Security Response Policy.
There are 2 requirements that must be met for a product to be considered affected by CVE-2016-5195:
- The product must ship with a vulnerable Linux kernel.
- There must be a valid attack vector that can be used to exploit the vulnerability.
During our evaluations we found that VMware appliances do indeed ship with a vulnerable Linux kernel and so meet requirement 1. However, only a select few of these appliances meet requirement 2 and are therefore considered affected. These affected products, as well as remediation information, are documented in VMSA-2016-0018, which will be updated as more fixes become available.
Also, we understand that various automated vulnerability scanners will most likely flag as affected the products we have listed as unaffected in KB 2147515. We want to make it clear that while these products are not affected, we will still be rolling out kernel updates for them in maintenance releases as a precautionary measure.
That’s it for now.
Drop us a line at firstname.lastname@example.org if you have any questions on the vulnerability or advisory.