VMware released software fixes to address security issues.
Kostya Kortchinsky of the Google Security Team reported several memory manipulation issues affecting VMware Workstation, VMware Player, and the VMware Horizon View Client for Windows, according to a VMware advisory.
“VMware Workstation and Horizon Client TPView.ddl and TPInt.dll incorrectly handle memory allocation,” the company said in its advisory. “On Workstation, this may allow a guest to execute code or perform a Denial of Service on the Windows OS that runs Workstation. In the case of a Horizon Client, this may allow a View desktop to execute code or perform a Denial of Service on the Windows OS that runs the Horizon Client.”
The release of Workstation versions 11.1.1 and 10.0.6, Player versions 7.1.1 and 6.0.6, and Horizon Client for Windows versions 3.4.0, 3.2.1 and 5.4.2 take care of the vulnerabilities.
VMware has also patched a denial-of-service (DoS) vulnerability affecting Workstation, Player, and Fusion. The vulnerability, caused by an input validation issue on an RPC command, can end up exploited to cause a DoS condition on the guest operating system (32-bit), or on the host operating system (64-bit).
Peter Kamensky from Russia-based Digital Security reported that flaw.
The DoS issue doesn’t affect Workstation 11.x and Player 7.x, and Fusion only ends up affected when running on OS X, VMware said. The vulnerability patched with the release of VMware 10.0.5, Player 6.0.6, and Fusion versions 7.0.1 and 6.0.6.
The following CVE identifiers cover the vulnerabilities: CVE-2012-0897, CVE-2015-2336, CVE-2015-2337, CVE-2015-2338, CVE-2015-2339, CVE-2015-2340, and CVE-2015-2341.