VMware Security Advisory VMSA-2015-0001

VMware released security advisory VMSA-2015-0001 on January 27, 2015. A link to the advisory can be found here. An overview of the items that this advisory addresses is shown below.

  • VMware ESXi, Workstation, Player, and Fusion host privilege escalation vulnerability
    VMware ESXi, Workstation, Player and Fusion contain an arbitrary file write issue. Exploitation of this issue may allow for privilege escalation on the host. The vulnerability does not allow for privilege escalation from the guest Operating System to the host or vice-versa. This means that host memory cannot be manipulated from the guest Operating System.
  • VMware Workstation, Player, and Fusion Denial of Service vulnerability
    VMware Workstation, Player, and Fusion contain an input validation issue in the Host Guest File System (HGFS). This issue may allow for a Denial of Service of the guest Operating System.
    The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2015-1043 to this issue.
  • VMware ESXi, Workstation, and Player Denial of Service vulnerability
    VMware ESXi, Workstation, and Player contain an input validation issue in the VMware Authorization process (vmware-authd). This issue may allow for a Denial of Service of the host. On VMware ESXi and on Workstation running on Linux the Denial of Service would be partial.
    The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2015-1044 to this issue.
  • Update to VMware vCenter Server and ESXi for OpenSSL 1.0.1 and 0.9.8 package
    The OpenSSL library is updated to version 1.0.1j or 0.9.8zc to resolve multiple security issues. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2014-3513, CVE-2014-3567, CVE-2014-3566 (“POODLE”) and CVE-2014-3568 to these issues.
  • Update to ESXi libxml2 package
    The libxml2 library is updated to version libxml2-2.7.6-17 to resolve a security issue. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2014-3660 to this issue.
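
For the OpenSSL item above, a reported library version can be compared against the fixed releases 1.0.1j and 0.9.8zc. The following is an added example, not part of the advisory or VMware's tooling; the function names and the sample inventory are assumptions made for illustration.

```python
import re

# Fixed OpenSSL releases named in the advisory, keyed by branch.
FIXED = {(1, 0, 1): "j", (0, 9, 8): "zc"}

# Pre-3.0 scheme: major.minor.fix plus optional patch letters (and "-fips").
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-fips)?$")


def parse_openssl_version(text):
    """Return ((major, minor, fix), letters) from '0.9.8zc' or a version banner."""
    token = text.strip()
    if token.startswith("OpenSSL "):
        token = token.split()[1]  # banner form: "OpenSSL 1.0.1e-fips 11 Feb 2013"
    m = _VERSION_RE.match(token)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {text!r}")
    return (int(m[1]), int(m[2]), int(m[3])), m[4]


def _letter_key(letters):
    # Patch letters run a..z, then za, zb, ...; a longer suffix is newer.
    return (len(letters), letters)


def openssl_status(text):
    """Classify a version as 'fixed', 'outdated' or 'unknown-branch'."""
    branch, letters = parse_openssl_version(text)
    fixed_letters = FIXED.get(branch)
    if fixed_letters is None:
        return "unknown-branch"
    if _letter_key(letters) >= _letter_key(fixed_letters):
        return "fixed"
    return "outdated"


if __name__ == "__main__":
    # Constructed sample inventory; host names are hypothetical.
    inventory = {
        "esx-lab-01": "OpenSSL 0.9.8zb 6 Aug 2014",
        "esx-lab-02": "0.9.8zc",
        "vc-lab-01": "1.0.1e-fips",
    }
    for host, version in sorted(inventory.items()):
        print(f"{host}: {version} -> {openssl_status(version)}")
```

The check relies on the version string alone; a vendor build can carry backported fixes without changing that string, so the patch level listed in the advisory remains the authoritative indicator.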