Reference: CERT-EU Security Advisory 2014-006

Title: VMware multiple vulnerabilities

Version history:
22.01.2014 Initial publication

Summary
=======

VMware Workstation, Player, Fusion, ESXi, ESX and vCloud Director address several security issues:

VMware ESXi and ESX NFC NULL pointer dereference (CVE-2014-1207).

Due to a flaw in the handling of invalid ports, it is possible to cause the VMX process to fail. This vulnerability may allow a guest user to affect the VMX process, resulting in a partial denial of service on the host (CVE-2014-1208).

VMware vCloud Director contains a vulnerability in the Hyper Text Transfer Protocol (HTTP) session management. An attacker may trick an authenticated user into clicking a malicious link, which would result in the user being logged out. The user is able to immediately log back into the system (CVE-2014-1211).

CVE numbers:

CVE-2014-1207 CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:N/A:P) [2]
CVE-2014-1208 CVSS v2 Base Score: 3.3 (LOW) (AV:A/AC:L/Au:N/C:N/I:N/A:P) [3]
CVE-2014-1211 CVSS v2 Base Score: 6.8 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:P/A:P) [4]

Vulnerable systems
==================

VMware Workstation 9.x prior to version 9.0
VMware Player 5.x prior to version 5.0
VMware Fusion 5.x prior to version 5.0
VMware ESXi 5.1 without patch ESXi510-201401101
VMware ESXi 5.0 without patch ESXi500-201310101
VMware ESXi 4.1 without patch ESXi410-201312401
VMware ESXi 4.0 without patch ESXi400-201310401
VMware ESX 4.1 without patch ESX410-201312401
VMware ESX 4.0 without patch ESX400-201310401
vCloud Director 5.1.x prior to version 5.1.3

What can you do?
================

Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.

What to tell your users?
========================

N/A

More information
================

[1] http://www.vmware.com/security/advisories/VMSA-2014-0001.html
[2] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1207
[3] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1208
[4] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1211

Best regards,

CERT-EU configuration Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383
FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383
Privacy Statement: http://cert.europa.eu/cert/plainedition/en/cert_privacy.html