Home > Blogs > VMware Security & Compliance Blog > Monthly Archives: December 2018

Monthly Archives: December 2018

New VMware Security Advisory VMSA-2018-0031

Today, VMware has released the following new security advisory:

VMSA-2018-0031vRealize Operations updates address a local privilege escalation vulnerability

This documents the remediation of an important severity local privilege escalation vulnerability (CVE-2018-6978) in vRealize Operations (vROps). The issue exists due to improper permissions of support scripts. Admin** user of the vROps application with shell access may exploit this issue to elevate the privileges to root on a vROps machine.

**The admin user (non-sudoer) should not be confused with root of the vROps machine.

We would like to thank Alessandro Zanni, pentester at OVH for reporting this issue to us.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

VMware Response to CVE-2018-1002105

Greetings from the VMware Security Response Center!

Yesterday Kubernetes disclosed CVE-2018-1002105 – a critical severity vulnerability in the Kubernetes API server. For more details on the vulnerability please see Kubernetes’ announcement here:


This vulnerability affects the following VMware products:

-VMware Pivotal Container Service (PKS)
-VMware vCloud Director Container Service Extension (CSE)
-Photon OS

There will be no VMware Security Advisory since remediation for these products has already been documented in a separate advisory or the offering’s github page.

Remediation Information:

PKS – Fixed in 1.2.3
Documentation: https://docs.pivotal.io/runtimes/pks/1-2/release-notes.html
Advisory: https://pivotal.io/security/cve-2018-1002105

CSE – Fixed in 1.2.5
Documentation: https://vmware.github.io/container-service-extension/RELEASE_NOTES.html

Photon OS – Fixed in 1.10.11-1 and 1.11.5-1
Advisory: https://github.com/vmware/photon/wiki/Security-Updates-2-112

For our service offerings that use Kubernetes, mitigations are already in place which have closed down the critical severity attack vector associated with CVE-2018-1002105 while full remediation is in progress.