VMSA-2019-0019:VMware ESXi, Workstation and Fusion updates address a denial-of-service vulnerability

VMware Tanzu Application Service

0 more products

23564

22 October 2019

22 October 2019

CLOSED

MEDIUM

6.3

CVE-2019-5536

VMware Security Advisories

Advisory IDVMSA-2019-0019
Advisory SeverityModerate
CVSSv3 Range6.3
SynopsisVMware ESXi, Workstation and Fusion updates address a denial-of-service vulnerability (CVE-2019-5536)
Issue Date2019-10-24
Updated On2019-10-24 (Initial Advisory)
CVE(s)CVE-2019-5536
 
1. Impacted Products
  • VMware vSphere ESXi (ESXi)
  • VMware Workstation Pro / Player (Workstation)
  • VMware Fusion Pro / Fusion (Fusion)
 
2. Introduction
VMware ESXi, Workstation and Fusion contain a denial-of-service vulnerability. Patches and workarounds are available to remediate this vulnerability in affected VMware products.
 
3. VMware ESXi, Workstation and Fusion shader denial-of-service vulnerability (CVE-2019-5536)

Description:

VMware ESXi, Workstation and Fusion contain a denial-of-service vulnerability in the shader functionality. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.3.

 

Known Attack Vectors:

Successful exploitation of this issue may allow attackers with normal user privileges to create a denial-of-service condition on their own VM.

 

Resolution:

To remediate CVE-2019-5536, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.

 

Workarounds:

The workaround for this issue involves disabling the 3D-acceleration feature. Please see the 'Workarounds' column of the 'Resolution Matrix' found below.

 

Additional Documentations:

None.

 

Notes:

Exploitation of this issue require an attacker to have access to a virtual machine with 3D graphics enabled. It is not enabled by default on ESXi and is enabled by default on Workstation and Fusion.

 

Acknowledgements:

VMware would like to thank Piotr Bania of Cisco Talos for reporting this issue to us.

 

Response Matrix:

ProductVersionRunning OnCVE IdentifierCVSSV3SeverityFixed VersionWorkaroundsAdditional Documents
ESXi
6.7
AnyCVE-2019-55366.3
Moderate
ESXi670-201908101-SG
see VMSA-2018-0025
None
ESXi6.5AnyCVE-2019-55366.3ModerateESXi650-201910401-SGsee VMSA-2018-0025None
ESXi6.0AnyCVE-2019-5536N/AN/ANot affectedN/AN/A
Workstation15.xAnyCVE-2019-55366.3Moderate15.5.0see VMSA-2018-0025None
Fusion11.xOS X
CVE-2019-55366.3Moderate11.5.0see VMSA-2018-0025None

5. Change log
 

2019-10-24: VMSA-2019-0019 

Initial security advisory in conjunction with the release of ESXi 6.5 patch on 2019-10-24.

 

6. Contact

 

E-mail list for product security notifications and announcements:

https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

 

This Security Advisory is posted to the following lists:

  [email protected]

  [email protected]

  [email protected]

 

E-mail: [email protected]

PGP key at:

https://kb.vmware.com/kb/1055

 

VMware Security Advisories

https://www.vmware.com/security/advisories

 

VMware Security Response Policy

https://www.vmware.com/support/policies/security_response.html

 

VMware Lifecycle Support Phases

https://www.vmware.com/support/policies/lifecycle.html

 

VMware Security & Compliance Blog  

https://blogs.vmware.com/security

 

Twitter

https://twitter.com/VMwareSRC

 

Copyright 2019 VMware Inc. All rights reserved.