VMware Hosted products and patches for ESX and ESXi resolve two security issues

2008-11-0600:00:00

www.vmware.com

122

9.3 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

0.008 Low

EPSS

Percentile

81.9%

JSON

a. A privilege escalation on 32-bit and 64-bit guest operating systemsVMware products emulate hardware functions and create thepossibility to run guest operating systems.A flaw in the CPU hardware emulation might allow the virtual CPU toincorrectly handle the Trap flag. Exploitation of this flaw mightlead to a privilege escalation on guest operating systems. Anattacker needs a user account on the guest operating system andhave the ability to run applications.VMware would like to thank Derek Soeder for discoveringthis issue and working with us on its remediation.The Common Vulnerabilities and Exposures project (cve.mitre.org)has assigned the name CVE-2008-4915 to this issue.The following table lists what action remediates the vulnerability(column 4) if a solution is available.

CPENameOperatorVersion
workstationltany
workstationlt6.5.0 build 118166
workstationlt5.5.9 build 126128
playerlt2.5.0 build 118166
playerlt1.0.9 build 126128
acelt2.5.0 build 118166
acelt1.0.8 build 125922
serverlt1.0.8 build 126538
esxiltESXe350-200810401-O-UG
esxltESX350-200810201-UG

Name	Operator	Version
workstation	lt	any
workstation	lt	6.5.0 build 118166
workstation	lt	5.5.9 build 126128
player	lt	2.5.0 build 118166
player	lt	1.0.9 build 126128
ace	lt	2.5.0 build 118166
ace	lt	1.0.8 build 125922
server	lt	1.0.8 build 126538
esxi	lt	ESXe350-200810401-O-UG
esx	lt	ESX350-200810201-UG