CVE-2017-4904

8.8HIGH

Key Information:

Vendor
Vmware
Status
Esxi
Workstation Pro / Player
Fusion Pro / Fusion
Vendor
CVE Published:
7 June 2017

Summary

The XHCI controller in VMware ESXi 6.5 without patch ESXi650-201703410-SG, 6.0 U3 without patch ESXi600-201703401-SG, 6.0 U2 without patch ESXi600-201703403-SG, 6.0 U1 without patch ESXi600-201703402-SG, and 5.5 without patch ESXi550-201703401-SG; Workstation Pro / Player 12.x prior to 12.5.5; and Fusion Pro / Fusion 8.x prior to 8.5.6 has uninitialized memory usage. This issue may allow a guest to execute code on the host. The issue is reduced to a Denial of Service of the guest on ESXi 5.5.

Affected Version(s)

ESXi 6.5 without patch ESXi650-201703410-SG

ESXi 6.0 U3 without patch ESXi600-201703401-SG

ESXi 6.0 U2 without patch ESXi600-201703403-SG

References

http://www.securityfocus.com/bid/97165
vdb-entryx_refsource_BID
http://www.vmware.com/security/advisories/VMSA-2017-0006....
x_refsource_CONFIRM
http://www.securitytracker.com/id/1038148
vdb-entryx_refsource_SECTRACK

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.