Home > Blogs > VMware Security & Compliance Blog > Monthly Archives: September 2017

Monthly Archives: September 2017

Security Patches for VMware vCenter Server Appliance Photon OS

Our customers have indicated that they would like to see VMware more frequently update the Photon OS operating system that powers the vCenter Server Appliance (VCSA). To follow up on this request, we have now started a program that will provide monthly patches for the VCSA operating system.

The program will address important security issues that are present in the VCSA Photon OS operating system on a monthly basis. In some months (e.g. this month) the update will be through stand-alone patches while in other months they may be rolled into regular VCSA maintenance releases.

The release notes for the first monthly patch are found here, and today’s post on the VMware vSphere blog gives more details about the program.

Please send your feedback and questions to security (at) vmware (dot) com.

October 27 Update
Last night we released the second monthly patch for the VCSA PhotonOS operating system (6.5 U1b). This time the patch also contains a couple of fixes for functional issues, see the reference in the bottom table of the rolling release notes for this program.

New VMware Security Advisory VMSA-2017-0015.1

Update: 2017-09-15 Corrected the underlying component  affected from SVGA driver to device.

Today VMware has released the following new security advisory:

VMSA-2017-0015.1VMware ESXi, vCenter Server, Fusion and Workstation updates resolve multiple security vulnerabilities

This documents the remediation of a critical severity issue (CVE-2017-4924) and two moderate severity issues (CVE-2017-4925 and CVE-2017-4926). These issues affect VMware ESXi, VMware Workstation, VMware Fusion and VMware vCenter Server.

Issue (a) CVE-2017-4924 is an out-of-bounds write vulnerability in SVGA device which may allow a guest to execute code on the host. This issue affects ESXi 6.5, Fusion and Workstation. It has been addressed through an ESXi 6.5 patch, and in Fusion 8.5.8 and Workstation 12.5.7. ESXi 6.0 and 5.x are not affected.

Issue (b) CVE-2017-4925 is a NULL pointer dereference vulnerability that occurs when handling guest RPC requests. This may allow attackers with normal user privileges to crash their VMs. ESXi, Fusion and Workstation are affected. Fusion 8.5.4 and Workstation 12.5.3 fix this issue. Please refer to VMSA-2017-0015 for ESXi 6.5, 6.0 and 5.5 patches.

Issue (c) CVE-2017-4926 is a stored XSS in H5 Client and affects only VMware vCenter Server 6.5. An attacker with VC user privileges can inject malicious java-scripts which will get executed when other VC users access the page. vCenter Server 6.5 U1 fixes this issue.

We would like to thank Nico Golde and Ralf-Philipp Weinmann of Comsecuris UG (haftungsbeschraenkt) working with ZDI, Zhang Haitao, and Thomas Ornetzeder for reporting these issues to us.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.