The VMware Security Engineering, Communications, and Response group (vSECR) has investigated the impact CVE-2018-8897 may have on VMware products.

Evaluation Summary:

• CVE-2018-8897 has been classified as a potential local privilege escalation in the Important severity range. Please review our VMware Security Response Policies for information on severity classifications.
• CVE-2018-8897 has the potential of affecting VMware Virtual Appliances by way of the linux-based operating system that they ship on top of.
• Products that ship as an installable windows or linux binary are not directly affected, but patches may be required from the respective operating system vendor that these products are installed on.
• VMware hypervisors are not affected by this issue.

Unaffected Products

vSECR has completed evaluation of the following products and determined that under supported configurations they are not affected as there is no available path to execute arbitrary code without administrative privileges.

Note: Automated vulnerability scanners may report that these products are vulnerable to CVE-2018-8897 even though the issue is not exploitable. These products will still be updating their respective kernels in scheduled maintenance releases as a precautionary measure.
 

Products	Version	Evaluation	Workaround
VMware App Defense Appliance	Any	Unaffected	N/A
VMware ESXi	Any	Unaffected	N/A
VMware Horizon DaaS Platform	Any	Unaffected	N/A
VMware Horizon Mirage	Any	Unaffected	N/A
VMware HCX	Any	Unaffected	N/A
VMware Integrated Openstack	Any	Unaffected	N/A
VMware IoT Pulse	Any	Unaffected	N/A
VMware Mirage	Any	Unaffected	N/A
VMware NSX for vSphere	Any	Unaffected	N/A
VMware NSX-T	Any	Unaffected	N/A
VMware Skyline Appliance	Any	Unaffected	N/A
VMware Unified Access Gateway	Any	Unaffected	N/A
VMware vCenter Server	5.5	Unaffected	N/A
VMware vCloud Availability for vCloud Director	Any	Unaffected	N/A
VMware vCloud Director Extender	Any	Unaffected	N/A
VMware vRealize Business for Cloud	Any	Unaffected	N/A
VMware vRealize Log Insight	Any	Unaffected	N/A
VMware vRealize Network Insight	Any	Unaffected	N/A
VMware vRealize Operations	Any	Unaffected	N/A
VMware vRealize Orchestrator	Any	Unaffected	N/A
VMware vSphere Replication	Any	Unaffected	N/A
VMware Workbench	Any	Unaffected	N/A

Potentially Affected Products

vSECR has evaluated the following products and determined that they may be affected by CVE-2018-8897. Workarounds have been investigated and are noted by the product entry if available. Remediation will be made available in upcoming releases, please check the product release notes for more information.
 

Product	Version	Evaluation	Workaround
VMware vCloud Usage Meter	Any	Potentially Affected	KB 52467
VMware Identity Manager	Any	Potentially Affected	KB 52284
VMware vCenter Server	6.7	Potentially Affected	KB 52312
VMware vCenter Server	6.5	Potentially Affected	KB 52312
VMware vCenter Server	6.0	Potentially Affected	KB 52312
VMware Data Protection	Any	Potentially Affected	None
VMware vSphere Integrated Containers	Any	Potentially Affected	None
VMware vRealize Automation	Any	Potentially Affected	KB 52377 and KB 52497

Please sign up at our Security-Announce mailing list to receive new and updated VMware Security Advisories and click Subscribe to Article in the Actions box to be alerted when new information is added to this document. If a specific version number is not listed, then that entry refers to all supported versions of the appliance.