-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ---------------------------------------------------------------------- VMware Security Advisory Advisory ID: VMSA-2018-0022 Severity: Critical Synopsis: VMware Workstation and Fusion updates address an out-of- bounds write issue Issue date: 2018-08-14 Updated on: 2018-08-14 (Initial Advisory) CVE number: CVE-2018-6973 1. Summary VMware Workstation and Fusion updates address an out-of-bounds write issue 2. Relevant Releases VMware Workstation Pro / Player (Workstation) VMware Fusion Pro, Fusion (Fusion) 3. Problem Description Workstation and Fusion e1000 device out-of-bounds write vulnerability VMware Workstation and Fusion contain an out-of-bounds write vulnerability in the e1000 device. This issue may allow a guest to execute code on the host. VMware would like to thank Anonymous working with Trend Micro's Zero Day Initiative for reporting this issue to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2018-6973 to this issue. Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Mitigation/ Product Version on Severity Apply patch Workaround =========== ======= ======= ======== ============= ========== ESXi Any Any N/A not affected N/A Workstation 14.x Any Critical 14.1.3 None Fusion 10.x OS X Critical 10.1.3 None 4. Solution Please review the patch/release notes for your product and version and verify the checksum of your downloaded file. VMware Workstation Pro 14.1.3 Downloads and Documentation: https://www.vmware.com/go/downloadworkstation https://docs.vmware.com/en/VMware-Workstation-Pro/index.html VMware Workstation Player 14.1.3 Downloads and Documentation: https://www.vmware.com/go/downloadplayer https://docs.vmware.com/en/VMware-Workstation-Player/index.html VMware Fusion Pro / Fusion 10.1.3 Downloads and Documentation: https://www.vmware.com/go/downloadfusion https://docs.vmware.com/en/VMware-Fusion/index.html 5. References https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6973 - ----------------------------------------------------------------------- 6. Change log VMSA-2018-0022 2018-08-14 Initial security advisory in conjunction with the release of Workstation 14.1.3 and Fusion 10.1.3 on 2018-08-14 - ----------------------------------------------------------------------- 7. Contact E-mail list for product security notifications and announcements: http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce This Security Advisory is posted to the following lists: security-announce@lists.vmware.com bugtraq@securityfocus.com fulldisclosure@seclists.org E-mail: security@vmware.com PGP key at: https://kb.vmware.com/kb/1055 VMware Security Advisories http://www.vmware.com/security/advisories VMware Security Response Policy https://www.vmware.com/support/policies/security_response.html VMware Lifecycle Support Phases https://www.vmware.com/support/policies/lifecycle.html VMware Security & Compliance Blog https://blogs.vmware.com/security Twitter https://twitter.com/VMwareSRC Copyright 2018 VMware Inc. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: Encryption Desktop 10.4.1 (Build 490) Charset: utf-8 wj8DBQFbc7VMDEcm8Vbi9kMRApl0AJ9EWZsdbtZt7Zhn7fm28UwOW0Vo6ACgzRvu jKZB3TiXKcJrObRPaAIEp3E= =R2l8 -----END PGP SIGNATURE-----