Important:
- This section will be updated with additional virtual appliances as investigations continue.
- When Operating System-Specific Mitigations are made available for vCenter Server Appliance itself, these will be in addition to the Hypervisor-Assisted Guest Mitigation which was added in the vCenter Server versions described in VMSA-2018-0004.
- Operating System-Specific Mitigations will include both Virtual Machine Hardware updates and guest OS fixes. Manually updating Virtual Machine Hardware in VMware Virtual Appliances is not supported.
Affected Virtual Appliances:
vSECR has evaluated the following appliances and determined that they may be affected by CVE-2017-5753, CVE-2017-5715, or CVE-2017-5754.
Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories and click ‘subscribe to article’ on the right side of this page to be alerted when new information is added to this document. If a specific version number is not listed, then that entry refers to all supported versions of the appliance.
Mitigations and workarounds for the following affected virtual appliances are now documented in VMSA-2018-0007.
- VMware vCloud Usage Meter
- VMware Identity Manager
- VMware vCenter Server 6.5
- VMware vCenter Server 6.0
- VMware vSphere Data Protection
- VMware vSphere Integrated Containers
- VMware vRealize Automation
Unaffected Virtual Appliances:
vSECR has completed evaluation of the following appliances and determined that under supported configurations they are not affected because there is no available path to execute arbitrary code without administrative privileges. This assumes that the underlying hypervisor(s) have been patched according to VMSA-2018-0002 to mitigate CVE-2017-5753 and CVE-2017-5715. If a specific version number is not listed, then the entry refers to all supported versions of the appliance.
- VMware AppDefense Appliance
- VMware Horizon DaaS Platform
- VMware Horizon Mirage
- VMware HCX
- VMware Integrated OpenStack
- VMware IoT Pulse
- VMware Mirage
- VMware NSX for vSphere
- VMware NSX-T
- VMware Skyline Appliance
- VMware Unified Access Gateway
- VMware vCenter Server 5.5
- VMware vCloud Availability for vCloud Director
- VMware vCloud Director Extender
- VMware vRealize Business for Cloud
- VMware vRealize Log Insight
- VMware vRealize Network Insight
- VMware vRealize Operations
- VMware vRealize Orchestrator
- VMware vSphere Replication
- VMware Workbench
Note: Automated vulnerability scanners may report that these appliances are vulnerable to CVE-2017-5753, CVE-2017-5715, or CVE-2017-5754 even though the issue is not exploitable. These products will still be updating their respective kernels in scheduled maintenance releases as a precautionary measure.
Changelog:
01/18/18: Added VMware AppDefense, VMware vCloud Extender, VMware Horizon Mirage, VMware vRealize Business for Cloud, VMware Workbench, VMware HCX, VMware IoT Pulse, and VMware vSphere Data Protection. Updated VMware vRealize Automation with workaround.
01/22/18: Added VMware vCloud Usage Meter to list of affected products with workaround.
01/25/18: Added workaround for vRealize Automation 6.2.x.
02/08/18: Mitigation and workaround information has moved to VMSA-2018-0007 in conjunction with the release of vSphere Integrated Containers mitigations. Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.
04/09/19: Updated KB with information that the Operating System-Specific Mitigations described in KB55807 are cumulative and will also mitigate the issues described in this article.