VMSA-2009-0007 VMware Hosted products and ESX and ESXi patches resolve security issues
Advisory ID: VMSA-2009-0007
Synopsis: VMware Hosted products and ESX and ESXi patches resolve security issues
Issue date: 2009-05-28
Updated on: 2009-05-28 (initial release of advisory)
CVE numbers: CVE-2009-1805 CVE-2009-0040 CVE-2008-1382
1. Summary
VMware Hosted products and ESX and ESXi patches resolve a security
issue. Update patch 13 for ESX 2.5.5 updates the libpng Service
Console RPM.
2. Relevant releases
VMware Workstation 6.5.1 and earlier,
VMware Player 2.5.1 and earlier,
VMware ACE 2.5.1 and earlier,
VMware Server 2.0,
VMware Server 1.0.8 and earlier,
VMware Fusion 2.0.1 and earlier.
VMware ESXi 3.5 without patch ESXe350-200904402-T-BG
VMware ESX 3.5 without patch ESX350-200904401-BG
VMware ESX 3.0.3 without patch ESX303-200905401-SG
VMware ESX 3.0.2 without patch ESX-1008420
VMware ESX 2.5.5 without update patch 13
Extended support for ESX 3.0.2 Update 1 ends on 2009-08-08.
Users should plan to upgrade to ESX 3.0.3 and preferably to
the newest release available.
Extended support for ESX 2.5.5 ends on 2010-06-15. Users should plan
to upgrade to ESX 3.0.3 and preferably to the newest release
available.
3. Problem Description
a. VMware Descheduled Time Accounting driver vulnerability may cause a
denial of service in Windows-based virtual machines.
The VMware Descheduled Time Accounting Service is an optional,
experimental service that provides improved guest operating system
accounting.
This patch fixes a denial of service vulnerability that could be
triggered in a virtual machine by an unprivileged, locally
logged-on user in the virtual machine.
