VMware VMSA-2017-0006
History: Mar 28, 2017 - 12:00 a.m.

VMware ESXi, Workstation and Fusion updates address critical and moderate security issues

2017-03-28 00:00:00
www.vmware.com
Tags: vmware, security updates, esxi, workstation, fusion, heap buffer overflow, uninitialized stack memory, svga, zdi, team 360 security, cve-2017-4902, cve-2017-4903

EPSS: 0.001

Percentile: 48.1%

a. ESXi, Workstation, Fusion SVGA memory corruption

ESXi, Workstation, Fusion have a heap buffer overflow and uninitialized stack memory usage in SVGA. These issues may allow a guest to execute code on the host.

VMware would like to thank ZDI and Team 360 Security from Qihoo for reporting these issues to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifiers CVE-2017-4902 (heap issue) and CVE-2017-4903 (stack issue) to these issues.

Note: ESXi 6.0 is affected by CVE-2017-4903 but not by CVE-2017-4902.

Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

Affected configurations

Vulners node (match expression):

  esxi Match 6.0_u2
  OR esxi Match 6.0_u1
  OR esxi Range < ESXi600-201703401-SG
  OR esxi Range < ESXi650-201703410-SG
  OR esxi Range < ESXi550-201703401-SG
  OR workstation Range < 12.5.5
  OR fusion Range < 8.5.6

Vendor  Product      Version  CPE
-       esxi         6.0_u2   cpe:2.3:a:-:esxi:6.0_u2:*:*:*:*:*:*:*
-       esxi         6.0_u1   cpe:2.3:a:-:esxi:6.0_u1:*:*:*:*:*:*:*
-       esxi         *        cpe:2.3:a:-:esxi:*:*:*:*:*:*:*:*
-       workstation  *        cpe:2.3:a:-:workstation:*:*:*:*:*:*:*:*
-       fusion       *        cpe:2.3:a:-:fusion:*:*:*:*:*:*:*:*