...
The VMware Security Engineering, Communications, and Response group (vSECR) has investigated the impact CVE-2018-3665 may have on VMware products.
Evaluation Summary:

CVE-2018-3665 has been classified as a potential local privilege escalation in the Moderate severity range. Review our VMware Security Response Policies for information on severity classifications.

CVE-2018-3665 has the potential to affect VMware Virtual Appliances by way of the Linux-based operating system that they ship on top of, if the underlying hypervisor is running on a processor architecture older than Sandy Bridge (2011). If the underlying hypervisor runs on Sandy Bridge (2011) or newer Intel processors, the VMware virtual appliance is not affected in its default configuration.

Products that ship as an installable Windows or Linux binary are not directly affected, but patches may be required from the vendor of the operating system on which these products are installed.

VMware hypervisors are not affected by this issue.

Unaffected Products

vSECR has completed evaluation of the following products and determined that under supported configurations they are not affected, as there is no available path to execute arbitrary code without administrative privileges.

Note: Automated vulnerability scanners may report that these products are vulnerable to CVE-2018-3665 even though the issue is not exploitable. These products will still update their respective kernels in scheduled maintenance releases as a precautionary measure.
| Products | Version | Evaluation | Workaround |
| --- | --- | --- | --- |
| VMware App Defense Appliance | Any | Unaffected | N/A |
| VMware ESXi | Any | Unaffected | N/A |
| VMware Horizon DaaS Platform | Any | Unaffected | N/A |
| VMware Horizon Mirage | Any | Unaffected | N/A |
| VMware HCX | Any | Unaffected | N/A |
| VMware Integrated Openstack | Any | Unaffected | N/A |
| VMware IoT Pulse | Any | Unaffected | N/A |
| VMware Mirage | Any | Unaffected | N/A |
| VMware NSX for vSphere | Any | Unaffected | N/A |
| VMware NSX-T | Any | Unaffected | N/A |
| VMware Skyline Appliance | Any | Unaffected | N/A |
| VMware Unified Access Gateway | Any | Unaffected | N/A |
| VMware vCenter Server | 5.5 | Unaffected | N/A |
| VMware vCloud Availability for vCloud Director | Any | Unaffected | N/A |
| VMware vCloud Director Extender | Any | Unaffected | N/A |
| VMware vRealize Business for Cloud | Any | Unaffected | N/A |
| VMware vRealize Log Insight | Any | Unaffected | N/A |
| VMware vRealize Network Insight | Any | Unaffected | N/A |
| VMware vRealize Operations | Any | Unaffected | N/A |
| VMware vRealize Orchestrator | Any | Unaffected | N/A |
| VMware vSphere Replication | Any | Unaffected | N/A |
| VMware Workbench | Any | Unaffected | N/A |

Potentially Affected Products

vSECR has evaluated the following products and determined that they may be affected by CVE-2018-3665 if the underlying hypervisor is running on a processor architecture older than Sandy Bridge (2011). If the underlying hypervisor runs on Sandy Bridge (2011) or newer Intel processors, the VMware virtual appliance is not affected in its default configuration. Workarounds have been investigated and are noted by the product entry if available. Remediation will be made available in upcoming releases.
| Product | Version | Evaluation | Workaround |
| --- | --- | --- | --- |
| VMware vCloud Usage Meter | Any | Potentially Affected | KB 52467 |
| VMware Identity Manager | Any | Potentially Affected | KB 52284 |
| VMware vCenter Server | 6.7 | Potentially Affected | KB 52312 |
| VMware vCenter Server | 6.5 | Potentially Affected | KB 52312 |
| VMware vCenter Server | 6.0 | Potentially Affected | KB 52312 |
| VMware Data Protection | Any | Potentially Affected | None |
| VMware vSphere Integrated Containers | Any | Potentially Affected | None |
| VMware vRealize Automation | Any | Potentially Affected | KB 52377 and KB 52497 |

Sign up at our Security-Announce mailing list to receive new and updated VMware Security Advisories and click Subscribe to Article in the Actions box to be alerted when new information is added to this document.

If a specific version number is not listed, then that entry refers to all supported versions of the appliance.