VMware Response to CVE-2017-1000364, CVE-2017-1000366, CVE-2017-1000367, and CVE-2017-1000376: ‘The Stack Clash’ privilege escalation vulnerabilities (2150675)

Purpose

The VMware Security Engineering, Communications, and Response group (vSECR) has investigated the impact these vulnerabilities may have on VMware products. VMware has determined that the vulnerabilities do not pose a critical risk to potentially affected products. For more information on severity definitions, see the VMware Security Response Policy. These issues have been classified as Important severity.

Resolution

vSphere ESXi Hypervisor

ESXi is not affected by CVE-2017-1000364, CVE-2017-1000366, CVE-2017-1000367, or CVE-2017-1000376.

Windows-based products

Windows-based products, including all versions of vCenter Server running on Windows, are not affected by CVE-2017-1000364, CVE-2017-1000366, CVE-2017-1000367, or CVE-2017-1000376.

VMware products that run on Linux

VMware products that run on Linux (excluding virtual appliances) may be affected by CVE-2017-1000364, CVE-2017-1000366, CVE-2017-1000367, or CVE-2017-1000376 if the base operating system has not been appropriately patched. VMware recommends that customers contact their operating system vendor for resolution.

VMware Virtual Appliances

vSECR has determined that some virtual appliances are potentially affected by CVE-2017-1000364, CVE-2017-1000366, CVE-2017-1000367, or CVE-2017-1000376. VMware is currently working on remediation for these products to remove the possibility of exploitation. Fixes will be documented in upcoming product release notes as they become available.

Unaffected Products

The following products are not affected by CVE-2017-1000364, CVE-2017-1000365, or CVE-2017-1000367 even though they may ship with vulnerable packages. vSECR has evaluated these products and determined that exploitation is not possible because there is no valid attack vector to exploit the vulnerability. Automated vulnerability scanners may report that these products are vulnerable to CVE-2017-1000364, CVE-2017-1000366, CVE-2017-1000367, or CVE-2017-1000376 even though the issue is not exploitable. These products will still be updating their respective kernels in scheduled maintenance releases as a precautionary measure. If a specific version number is not listed next to a product entry, then that entry refers to all versions of that product.
  • VMware Hybrid Cloud Manager
  • VMware Infrastructure Navigator
  • VMware NSX for vSphere
  • VMware Unified Access Gateway
  • VMware vCenter Server Appliance 5.5 and 6.0
  • VMware vRealize Log Insight
  • VMware vRealize Orchestrator
  • VMware vSphere Replication
