-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 - ------------------------------------------------------------------------ VMware Security Advisory Advisory ID: VMSA-2008-0016 Synopsis: VMware Hosted products, VirtualCenter Update 3 and patches for ESX and ESXi resolve multiple security issues Issue date: 2008-10-03 Updated on: 2008-10-03 (initial release of advisory) CVE numbers: CVE-2008-4279 CVE-2008-4278 CVE-2008-3103 CVE-2008-3104 CVE-2008-3105 CVE-2008-3106 CVE-2008-3107 CVE-2008-3108 CVE-2008-3109 CVE-2008-3110 CVE-2008-3111 CVE-2008-3112 CVE-2008-3113 CVE-2008-3114 CVE-2008-3115 - ------------------------------------------------------------------------ 1. Summary VMware addresses a in-guest privilege escalation on 64-bit guest operating systems in ESX, ESXi, and previously released versions of our hosted product line. Updated VMware VirtualCenter Update 3 addresses potential information disclosure and updates Java JRE packages. 2. Relevant releases VirtualCenter 2.5 before Update 3 build 119838 VMware Workstation 6.0.4 and earlier, VMware Workstation 5.5.7 and earlier, VMware Player 2.0.4 and earlier, VMware Player 1.0.7 and earlier, VMware ACE 2.0.4 and earlier, VMware ACE 1.0.6 and earlier, VMware Server 1.0.6 and earlier, VMware ESXi 3.5 without patch ESXe350-200809401-I-SG ESX 3.5 without patch ESX350-200809404-SG ESX 3.0.3 without patch ESX303-200809401-SG ESX 3.0.2 without patch ESX-1006361 ESX 3.0.1 without patch ESX-1006678 NOTE: Hosted products VMware Workstation 5.x, VMware Player 1.x, and VMware ACE 1.x will reach end of general support 2008-11-09. Customers should plan to upgrade to the latest version of their respective products. Extended support (Security and Bug fixes) for ESX 3.0.2 ends on 10/29/2008 and Extended support for ESX 3.0.2 Update 1 ends on 8/8/2009. Users should plan to upgrade to ESX 3.0.3 and preferably to the newest release available. Extended Support (Security and Bug fixes) for ESX 3.0.1 has ended on 2008-07-31. 3. Problem Description a. Privilege escalation on 64-bit guest operating systems VMware products emulate hardware functions, like CPU, Memory, and IO. A flaw in VMware's CPU hardware emulation could allow the virtual CPU to jump to an incorrect memory address. Exploitation of this issue on the guest operating system does not lead to a compromise of the host system but could lead to a privilege escalation on guest operating system. An attacker would need to have a user account on the guest operating system. Affected 64-bit Windows and 64-bit FreeBSD guest operating systems and possibly other 64-bit operating systems. The issue does not affect the 64-bit versions of Linux guest operating systems. VMware would like to thank Derek Soeder for discovering this issue and working with us on its remediation. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2008-4279 this issue. The following table lists what action remediates the vulnerability (column 4) if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= VirtualCenter any Windows not affected Workstation 6.5.x any not affected Workstation 6.0.x any 6.0.5 build 109488 or later Workstation 5.x any 5.5.8 build 108000 or later Player 2.5.x any not affected Player 2.0.x any 2.0.5 build 109488 or later Player 1.x any 1.0.8 build or later ACE 2.5.x Windows not affected ACE 2.0.x Windows not affected ACE 1.x Windows not affected Server 2.x any not affected Server 1.x any 1.0.7 build 108231 or later Fusion 2.x Mac OS/X not affected Fusion 1.x Mac OS/X not affected ESXi 3.5 ESXi ESXe350-200809401-I-SG ESX 3.5 ESX ESX350-200809404-SG ESX 3.0.3 ESX ESX303-200809401 ESX 3.0.2 ESX ESX-1006361 ESX 3.0.1 ESX ESX-1006678 ESX 2.5.5 ESX not affected ESX 2.5.4 ESX not affected NOTE: The set of guest operating systems which is affected by this issue is a subset of 64-bit operating systems (see above for details) b. Update for VirtualCenter fixes a potential information disclosure This release resolves an issue where a user's password could be displayed in cleartext. When logging into VirtualCenter Server 2.0 with Virtual Infrastructure Client 2.5, the user password might be displayed if it contains certain special characters. The dialog box displaying the password can appear in front or hidden behind other windows. To remediate this issue the VirtualCenter client installations must be updated after updating to VirtualCenter Update 3 VMware would like to thank Mark Woollatt for reporting this issue to VMware. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2008-4278 to this issue. The following table lists what action remediates the vulnerability (column 4) if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ======== ======== ======= ======================= Virtual- 2.5 Windows Update 3 build 119838 Center Virtual- 2.0.2 Windows not affected Center hosted * any any not affected ESXi 3.5 ESXi not affected ESX 3.5 ESX not affected ESX 3.0.3 ESX not affected ESX 3.0.2 ESX not affected ESX 3.0.1 ESX not affected ESX 2.5.5 ESX not affected ESX 2.5.4 ESX not affected * hosted products are VMware Workstation, Player, ACE, Server, Fusion. c. Update for VirtualCenter updates JRE to version 1.5.0_16 Update for VirtualCenter updates the JRE package to version 1.5.0_16, which addresses multiple security issues that existed in the previous version of JRE. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2008-3103, CVE-2008-3104, CVE-2008-3105, CVE-2008-3106, CVE-2008-3107, CVE-2008-3108, CVE-2008-3109, CVE-2008-3110, CVE-2008-3111, CVE-2008-3112, CVE-2008-3113, CVE-2008-3114, CVE-2008-3115 to the security issues fixed in JRE 1.5.0_16. The following table lists what action remediates the vulnerability (column 4) if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ======== ======== ======= ======================= Virtual- 2.5 Windows Update 3 build 119838 Center Virtual- 2.0.2 Windows affected, patch pending Center hosted * any any not affected ESXi 3.5 ESXi not affected ESX 3.5 ESX affected, patch pending ESX 3.0.3 ESX affected, patch pending ESX 3.0.2 ESX affected, patch pending ESX 3.0.1 ESX affected, patch pending ESX 2.5.5 ESX not affected ESX 2.5.4 ESX not affected * hosted products are VMware Workstation, Player, ACE, Server, Fusion. Notes: These vulnerabilities can be exploited remotely only if the attacker has access to the Service Console network. Security best practices provided by VMware recommend that the Service Console be isolated from the VM network. Please see http://www.vmware.com/resources/techresources/726 for more information on VMware security best practices. The currently installed version of JRE depends on your patch deployment history. 4. Solution Please review the patch/release notes for your product and version and verify the md5sum of your downloaded file. VirtualCenter ------------- VMware VirtualCenter 2.5 Update 3 build 119838 http://www.vmware.com/download/download.do?downloadGroup=VC250U3 DVD iso image md5sum: 100161907e702ec745f8449f4958b1c4 Zip file md5sum: 5ccc8e915044c046554e39390c2c142a Release Notes http://www.vmware.com/support/vi3/doc/vi3_vc25u3_rel_notes.html VMware Workstation 6.0.5 ------------------------ http://www.vmware.com/download/ws/ Release notes: http://www.vmware.com/support/ws6/doc/releasenotes_ws6.html Windows binary md5sum: 46b4c54f0493f59f52ac6c2965296859 RPM Installation file for 32-bit Linux md5sum: 49ebfbd05d146ecc43262622ab746f03 tar Installation file for 32-bit Linux md5sum: 14ac93bffeee72528629d4caecc5ef37 RPM Installation file for 64-bit Linux md5sum: 0a856f1a1a31ba3c4b08bcf85d97ccf6 tar Installation file for 64-bit Linux md5sum: 3b459254069d663e9873a661bc97cf6c VMware Workstation 5.5.8 ------------------------ http://www.vmware.com/download/ws/ws5.html Release notes: http://www.vmware.com/support/ws55/doc/releasenotes_ws55.html Windows binary: md5sum: 745c3250e5254eaf6e65fcfc4172070f Compressed Tar archive for 32-bit Linux md5sum: 65a454749d15d4863401619d7ff5566e Linux RPM version for 32-bit Linux md5sum: d80adc73b1500bdb0cb24d1b0733bcff VMware Player 2.0.5 and 1.0.8 ----------------------------- http://www.vmware.com/download/player/ Release notes Player 1.x: http://www.vmware.com/support/player/doc/releasenotes_player.html Release notes Player 2.0 http://www.vmware.com/support/player2/doc/releasenotes_player2.html 2.0.5 Windows binary md5sum: 60265438047259b23ff82fdfe737f969 VMware Player 2.0.5 for Linux (.rpm) md5sum: 3bc81e203e947e6ca5b55b3f33443d34 VMware Player 2.0.5 for Linux (.tar) md5sum: f499603d790edc5aa355e45b9c5eae01 VMware Player 2.0.5 - 64-bit (.rpm) md5sum: 85bc2f11d06c362feeff1a64ee5a6834 VMware Player 2.0.5 - 64-bit (.tar) md5sum: b74460bb961e88817884c7e2c0f30215 1.0.8 Windows binary md5sum: e5f927304925297a7d869f74b7b9b053 Player 1.0.8 for Linux (.rpm) md5sum: a13fdb8d72b661cefd24e7dcf6e2a990 Player 1.0.8 for Linux (.tar) md5sum: 99fbe861253eec5308d8c47938e8ad1e VMware ACE 2.0.5 ---------------- http://www.vmware.com/download/ace/ Release notes 2.0: http://www.vmware.com/support/ace2/doc/releasenotes_ace2.html ACE Manager Server Virtual Appliance Virtual Appliance for the ACE Management Server md5sum: 41e7349f3b6568dffa23055bb629208d ACE for Window 32-bit and 64-bit Main installation file for Windows 32-bit and 64-bit host (ACE Option Page key required for enabling ACE authoring) md5sum: 46b4c54f0493f59f52ac6c2965296859 ACE Management Server for Windows ACE Management Server installation file for Windows md5sum: 33a015c4b236329bcb7e12c82271c417 ACE Management Server for Red Hat Enterprise Linux 4 ACE Management Server installation file for Red Hat Enterprise Linux 4 md5sum: dc3bd89fd2285f41ed42f8b28cd5535f ACE Management Server for SUSE Enterprise Linux 9 ACE Management Server installation file for SUSE Enterprise Linux 9 md5sum: 2add6a4fc97e1400fb2f94274ce0dce0 VMware ACE 1.0.7 ---------------- http://www.vmware.com/download/ace/ Release notes: http://www.vmware.com/support/ace2/doc/releasenotes_ace2.html md5sum: 42d806cddb8e9f905722aeac19740f33 VMware Server 1.0.7 ------------------- http://www.vmware.com/download/server/ Release notes: http://www.vmware.com/support/server/doc/releasenotes_server.html VMware Server for Windows 32-bit and 64-bit md5sum: 2e2ee5ebe08ae48eac5e661cad01acf6 VMware Server Windows client package md5sum: ce7d906a5a8de37cbc20db4332de1adb VMware Server for Linux md5sum: 04f201122b16222cd58fc81ca814ff8c VMware Server for Linux rpm md5sum: 6bae706df040c35851823bc087597d8d Management Interface md5sum: e67489bd2f23bcd4a323d19df4e903e8 VMware Server Linux client package md5sum: 99f1107302111ffd3f766194a33d492b ESXi ---- ESXi 3.5 patch ESXe350-200809401-I-SG http://download3.vmware.com/software/esx/ESXe350-200809401-O-SG.zip md5sum: 0eadf92eaf0d721e63200348a53e0469 http://kb.vmware.com/kb/1007090 NOTE: ESXe350-200809401-O-SG contains the following patch bundles: ESXe350-200809401-I-SG ESXe350-200808202-T-UG ESXe350-200808203-C-UG ESX --- ESX 3.5 patch ESX350-200809404-SG http://download3.vmware.com/software/esx/ESX350-200809404-SG.zip md5sum: ee7e7f09e3a1e0aa4cc4b042a9a91a22 http://kb.vmware.com/kb/1007089 ESX 3.0.3 patch ESX303-200809401 http://download3.vmware.com/software/vi/ESX303-200809401-SG.zip md5sum: e3be0f0f0b8a3ae612d99db2fa79c9e8 http://kb.vmware.com/kb/1006673 ESX 3.0.2 patch ESX-1006361 http://download3.vmware.com/software/vi/ESX-1006361.tgz md5sum: f5c997ee045ba190e41f75b65e67c309 http://kb.vmware.com/kb/1006361 ESX 3.0.1 patch ESX-1006678 http://download3.vmware.com/software/vi/ESX-1006678.tgz md5sum: 68e43b272569693b1f54fd206b2a89ca http://kb.vmware.com/kb/1006678 5. References CVE numbers http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4279 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4278 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3103 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3104 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3105 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3106 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3107 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3108 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3109 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3110 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3111 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3112 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3113 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3114 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3115 - ------------------------------------------------------------------------ 6. Change log 2008-10-03 VMSA-2008-0016 Initial security advisory after release of ESX 3.5 and ESXi patches and VirtualCenter 2.5 Update 3 on 2008-10-03. Relevant patches for ESX 3.0.x came out on 2008-09-30. Hosted releases were on 2008-08-28, see VMSA-2008-0014 for details. - ----------------------------------------------------------------------- 7. Contact E-mail list for product security notifications and announcements: http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce This Security Advisory is posted to the following lists: * security-announce at lists.vmware.com * bugtraq at securityfocus.com * full-disclosure at lists.grok.org.uk E-mail: security at vmware.com PGP key at: http://kb.vmware.com/kb/1055 VMware Security Center http://www.vmware.com/security VMware security response policy http://www.vmware.com/support/policies/security_response.html General support life cycle policy http://www.vmware.com/support/policies/eos.html VMware Infrastructure support life cycle policy http://www.vmware.com/support/policies/eos_vi.html Copyright 2008 VMware Inc. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iEYEAREIAAYFAkjmyjYACgkQS2KysvBH1xkdQQCfWgCAtw7u5nEaScAZheYn4Lea 4hUAnjhb/kF2O/QxnvlAzH22aCUOGRfj =pwPz -----END PGP SIGNATURE-----