VMware Advisories and Patches

Published: 2008-10-04
Last Updated: 2008-10-04 14:09:17 UTC
by Marcus Sachs (Version: 3)
3 comment(s)

VMware released the following new and updated security advisories on October 4th:

 - VMSA-2008-0016 (new advisory)
  http://www.vmware.com/security/advisories/VMSA-2008-0016.html (link is not live yet)
  http://lists.vmware.com/pipermail/security-announce/2008/000037.html

 - VMSA-2008-0014.2 (updated advisory)
  http://www.vmware.com/security/advisories/VMSA-2008-0014.html
  http://lists.vmware.com/pipermail/security-announce/2008/000038.html

These advisories list security issues that have been fixed in the following releases:

- VirtualCenter 2.5 Update 3 released on 10/3/08
- patches for ESXi and ESX 3.5 released on 10/3/08
- patches for ESX 3.0.1, 3.0.2, 3.0.3 released on 9/30/08
- new versions of VMware Workstation, Player, ACE, Server released on 7/28/08

The corresponding new blog entry is linked from http://www.vmware.com/security/

Please contact security@vmware.com if you have any questions.

Marcus H. Sachs
Director, SANS Internet Storm Center

Keywords:
3 comment(s)

Comments

from http://blogs.vmware.com/security/2008/10/new-and-updated.html

"One of the fixed security issues is a privilege escalation on certain 64-bit guest operating systems, CVE-2008-4279. It allows an attacker with a login account on a guest operating system to elevate their privileges on that system. The flaw doesn't allow for compromising the host system."

Two things, the link on CVE-2008-4279 is broken - not a SANS issue but it makes one wonder about control processes at VMWare especially in light of the last sentence in the excerpt above.

If a user can elevate their privileges on a guest system, they can gain access to areas they are normally prevented from reaching, thereby effecting a compromise. How can the blog statement possibly be true? It is if you consider insider exploitation to not be a compromise. An inappropriate view, but again, it makes one wonder about the thought processes over at VMWare.
Sorry about the broken links. I just fixed them. Also, two of the VMware links are not live yet. I just made a note of that.
Sorry about the broken links. I just fixed them. Also, two of the VMware links are not live yet. I just made a note of that.

Diary Archives