VMware released a security advisory on June 14, 2012 and patch for a variety of virtualization products. Details of the affected products and the vulnerabilities are below. You can download the ESX(i) patches from here.
| VMware | Product | Running | Replace with/ |
| Product | Version | on | Apply Patch |
| ============= | ======= | ======= | ================= |
| vCenter | any | Windows | not affected |
| Workstation | 8.x | any | 8.0.4 or later |
| Workstation | 7.x | any | 7.1.6 or later |
| Player | 4.x | any | 4.0.4 or later |
| Player | 3.x | any | 3.1.6 or later |
| Fusion | 4.x | Mac OS/X | 4.1.3 or later |
| ESXi | 5.0 | ESXi | ESXi500-201206401-SG |
| ESXi | 4.1 | ESXi | ESXi410-201206401-SG |
| ESXi | 4.0 | ESXi | ESXi400-201206401-SG |
| ESXi | 3.5 | ESXi | ESXe350-201206401-I-SG |
| ESX | 4.1 | ESX | ESX410-201206401-SG |
| ESX | 4.0 | ESX | ESX400-201206401-SG |
| ESX | 3.5 | ESX | ESX350-201206401-SG |
VMware Host Checkpoint File Memory CorruptionCertain input data is not properly validated when loading checkpoint files. This might allow an attacker with the ability to load a specially crafted checkpoint file to execute arbitrary code on the host.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2012-3288 to this issue.
The following workarounds and mitigating controls might be available to remove the potential for exploiting the issue and to reduce the exposure that the issue poses.
Workaround: None identified.
Mitigation: Do not import virtual machines from untrusted sources.
VMware Virtual Machine Remote Device Denial of Service
A device (for example CD-ROM or keyboard) that is available to a virtual machine while physically connected to a system that does not run the virtual machine is referred to as a remote device. Traffic coming from remote virtual devices is incorrectly handled. This might allow an attacker who is capable of manipulating the traffic from a remote virtual device to crash the virtual machine.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2012-3289 to this issue.
The following workarounds and mitigating controls might be available to remove the potential for exploiting the issue and to reduce the exposure that the issue poses.
Workaround: None identified.
Mitigation:
- Users need administrative privileges on the virtual machine in order to attach remote devices.
- Do not attach untrusted remote devices to a virtual machine.
