VMware Security Advisory

VMSA-2020-0026 – ESXi, Workstation, and Fusion Vulnerabilities

VMware has released a new security advisory VMSA-2020-0026: VMware ESXi, Workstation and Fusion updates address use-after-free and privilege escalation vulnerabilities (CVE-2020-4004, CVE-2020-4005).

Multiple vulnerabilities in VMware ESXi, Workstation and Fusion were privately reported to VMware. Updates are available to remediate these vulnerabilities in affected VMware products. This advisory documents the remediation of one critical issue and one important issue.

The Common Vulnerabilities and Exposures project has assigned the identifiers CVE-2020-4004 to the use-after-free vulnerability in the XHCI USB controller and CVE-2020-4005 to the VMX elevation-of-privilege vulnerability.

VMware Security Advisory

VMSA-2020-0023 – VMware ESXi, Workstation, Fusion and NSX-T Vulnerabilities

VMware has released a new security advisory VMSA-2020-0023: VMware ESXi, Workstation, Fusion, NSX-T, and vCenter Server Appliance updates address multiple security vulnerabilities. VMware Cloud Foundation is also an impacted product.

ESXi OpenSLP remote code execution vulnerability (CVE-2020-3992)

OpenSLP as used in ESXi has a use-after-free issue. A malicious actor residing in the management network who has access to port 427 on an ESXi machine may be able to trigger a use-after-free in the OpenSLP service, resulting in remote code execution. If you can't upgrade to the fixed version, you can disable the CIM server as a workaround, as documented in VMware KB 76372.

Affected products:

  • ESXi 7.0 – update to ESXi_7.0.1-0.0.16850804
  • ESXi 6.7 – update to ESXi670-202010401-SG
  • ESXi 6.5 – update to ESXi650-202010401-SG
  • VMware Cloud Foundation 4.x – update to 4.1
  • VMware Cloud Foundation 3.x – update to
VMworld 2020

VMworld 2020 – Which Sessions to Attend?

VMworld 2020 is just around the corner. In this COVID-19 world everything has moved online, and so has VMworld. Make sure to register for VMworld 2020 and reserve the period 29th September to 1st October in your calendar.

This year, VMware offers two types of access to VMworld:

  • General Pass – includes access to 500+ on-demand VMworld sessions – free of charge
  • Premier Pass – everything General Pass has plus access to roundtables, limited capacity sessions, birds of a feather (informal discussions), hands-on labs, 1:1 expert consultations – priced at $299

A few days ago, VMware made the scheduler available, so I will base this article on my selection of VMworld sessions, in no particular order. I have a free General Pass, so I will not touch anything reserved for Premier Pass. 14 sessions spread across 3 days, covering topics such as private and public cloud, networking and security, containers, hyper-converged infrastructure, and career.
