VMware Player 15.0.1 Patch: Everything You Need to Know About the New Features and Enhancements

VMSA-2018-0027 2018-11-09Initial security advisory in conjunction with the release of ESXi 6.0, 6.5, 6.7 patches and VMware Workstation 14.1.4, 15.0.1 and Fusion 10.1.4, 11.0.1 on 2018-11-09.

VMware Player 15.0.1 Patch

AFFECTED PRODUCTSFL MGUARD RS4004 TX/DTX: All version prior to 8.8.3FL MGUARD RS4004 TX/DTX VPN: All version prior to 8.8.3mGuard rs4000 4TX/3G/TX VPN: All version prior to 8.8.3mGuard rs4000 4TX/TX VPN: All version prior to 8.8.3TC MGUARD RS4000 3G VPN: All version prior to 8.8.3TC MGUARD RS4000 4G ATT VPN: All version prior to 8.8.3TC MGUARD RS4000 4G VPN: All version prior to 8.8.3TC MGUARD RS4000 4G VZW VPN: All version prior to 8.8.3QID Detection Logic:This QID checks for the Vulnerable version of Omron NJ/NX-series Machine Automation Controllers using passive scanningConsequenceFor mGuard devices with integrated switch on the LAN side, single switch ports can be disabled by device configuration. After a reboot these ports get functional independent from their configuration setting: Missing Initialization of Resource (CWE-909).SolutionCustomers are advised to refer to CERT MITIGATIONS section VDE-2020-046 for affected packages and patching details.Patches VDE-2020-046CVE-2023-20856QID: 730722VMware vRealize Operations (vROps) CSRF Bypass Vulnerability (VMSA-2023-0002)SeveritySerious3In DevelopmentQualys ID730722Vendor ReferenceVMSA-2023-0002CVE ReferenceCVE-2023-20856CVSS ScoresBase 8.8 / Temporal 7.7DescriptionvRealize Operations (vROps) contains a CSRF bypass vulnerability. A malicious user could execute actions on the platform on behalf of the authenticated victim user. Affected Versions:VMware vRealize Operations (vROps) 8.6.x prior to build 21139695. QID Detection logic (Unauthenticated):This QID sends the GET request to ui/login.action and checks for vulnerable version.ConsequenceSuccessful exploitation of the vulnerability may allow a remote attacker to execute actions on the platform on behalf of the authenticated victim user. SolutionVendor has released patch, customers are advised to upgrade to build 21139695. For more information please refer to VMSA-2023-0002Patches VMSA-2023-0002CVE-2023-20856QID: 377961VMware vRealize Operations (vROps) CSRF Bypass Vulnerability (VMSA-2023-0002)SeveritySerious3In DevelopmentQualys ID377961Vendor ReferenceVMSA-2023-0002CVE ReferenceCVE-2023-20856CVSS ScoresBase 8.8 / Temporal 7.7DescriptionvRealize Operations (vROps) contains a CSRF bypass vulnerability. A malicious user could execute actions on the platform on behalf of the authenticated victim user. Affected Versions:VMware vRealize Operations (vROps) 8.6.x prior to build 21139695. QID Detection Logic:(Authenticated)It reads /opt/vmware/etc/appliance-manifest.xml file to check the vulnerable version of the product.ConsequenceSuccessful exploitation of the vulnerability may allow a remote attacker to execute actions on the platform on behalf of the authenticated victim user. SolutionVendor has released patch, customers are advised to upgrade to build 21139695. For more information please refer to VMSA-2023-0002Patches VMSA-2023-0002CVE-2022-3602+QID: 591335Hitachi Energy PCU400 Reliance on Uncontrolled Component Multiple Vulnerabilities (ICSA-23-019-01, 8DBD 000137)SeveritySerious3Under InvestigationQualys ID591335Vendor ReferenceICSA-23-019-01CVE ReferenceCVE-2022-3602, CVE-2022-3786CVSS ScoresBase 7.5 / Temporal 6.5DescriptionAFFECTED PRODUCTSPCU400: Versions 9.3.0 and later up to but not including 9.3.8 QID Detection Logic:This QID checks for the Vulnerable version of Hitachi Energy PCU400 using passive scanning.ConsequenceSuccessful exploitation of these vulnerabilities could result in a denial-of-service condition on both the logging function of the device and its associated server.SolutionCustomers are advised to refer to CERT MITIGATIONS section ICSA-23-019-01 for affected packages and patching details.Patches ICSA-23-019-01CVE-2022-20572QID: 672590EulerOS Security Update for kernel (EulerOS-SA-2023-1347)SeveritySerious3In DevelopmentQualys ID672590Vendor ReferenceEulerOS-SA-2023-1347CVE ReferenceCVE-2022-20572CVSS ScoresBase 6.7 / Temporal 5.8DescriptionEulerOS has released a security update(s) for kernel to fix the vulnerabilities.ConsequenceSuccessful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.SolutionRefer to EulerOS security advisory EulerOS-SA-2023-1347 for updates and patch information.Patches EulerOS 2\\.0 SP8 EulerOS-SA-2023-1347CVE-2021-3979QID: 672611EulerOS Security Update for ceph (EulerOS-SA-2023-1308)SeveritySerious3In DevelopmentQualys ID672611Vendor ReferenceEulerOS-SA-2023-1308CVE ReferenceCVE-2021-3979CVSS ScoresBase 6.5 / Temporal 5.7DescriptionEulerOS has released a security update(s) for ceph to fix the vulnerabilities.ConsequenceSuccessful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.SolutionRefer to EulerOS security advisory EulerOS-SA-2023-1308 for updates and patch information.Patches EulerOS 2\\.0 SP8 EulerOS-SA-2023-1308CVE-2022-3570+QID: 672592EulerOS Security Update for libtiff (EulerOS-SA-2023-1326)SeveritySerious3In DevelopmentQualys ID672592Vendor ReferenceEulerOS-SA-2023-1326CVE ReferenceCVE-2022-3570, CVE-2022-3597, CVE-2022-3598, CVE-2022-3599, CVE-2022-3626, CVE-2022-3627CVSS ScoresBase 6.5 / Temporal 5.7DescriptionEulerOS has released a security update(s) for libtiff to fix the vulnerabilities.ConsequenceSuccessful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.SolutionRefer to EulerOS security advisory EulerOS-SA-2023-1326 for updates and patch information.Patches EulerOS 2\\.0 SP8 EulerOS-SA-2023-1326CVE-2021-4209QID: 672584EulerOS Security Update for gnutls (EulerOS-SA-2023-1316)SeveritySerious3In DevelopmentQualys ID672584Vendor ReferenceEulerOS-SA-2023-1316CVE ReferenceCVE-2021-4209CVSS ScoresBase 6.5 / Temporal 5.7DescriptionEulerOS has released a security update(s) for gnutls to fix the vulnerabilities.ConsequenceSuccessful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.SolutionRefer to EulerOS security advisory EulerOS-SA-2023-1316 for updates and patch information.Patches EulerOS 2\\.0 SP8 EulerOS-SA-2023-1316CVE-2018-14040QID: 905396Common Base Linux Mariner (CBL-Mariner) Security Update for reaper (13232)SeveritySerious3Recently PublishedQualys ID905396Date PublishedFebruary 8, 2023Vendor ReferenceMariner_2.0_13232CVE ReferenceCVE-2018-14040CVSS ScoresBase 6.1 / Temporal 5.6DescriptionCBL-Mariner 2.0 is an internal Linux distribution for cloud infrastructure and edge products and services of Microsoft.CBL-Mariner has NOT released a security update for reaper to fix the vulnerabilities.ConsequenceSuccessful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.SolutionPatch is NOT available for the package. 2ff7e9595c