Advisory ID VMSA-2019-0019
Advisory Severity Moderate
CVSSv3 Range 6.3
Synopsis VMware ESXi, Workstation and Fusion updates address a denial-of-service vulnerability (CVE-2019-5536)
Issue Date 2019-10-24
Updated On 2019-10-24 (Initial Advisory)
CVE(s) CVE-2019-5536
1. Impacted Products
  • VMware vSphere ESXi (ESXi)
  • VMware Workstation Pro / Player (Workstation)
  • VMware Fusion Pro / Fusion (Fusion)
2. Introduction
VMware ESXi, Workstation and Fusion contain a denial-of-service vulnerability. Patches and workarounds are available to remediate this vulnerability in affected VMware products.
 
3. VMware ESXi, Workstation and Fusion shader denial-of-service vulnerability (CVE-2019-5536)

Description:

VMware ESXi, Workstation and Fusion contain a denial-of-service vulnerability in the shader functionality. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.3.

 

Known Attack Vectors:

Successful exploitation of this issue may allow attackers with normal user privileges to create a denial-of-service condition on their own VM.

 

Resolution:

To remediate CVE-2019-5536, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.

 

Workarounds:

The workaround for this issue involves disabling the 3D-acceleration feature. Please see the 'Workarounds' column of the 'Resolution Matrix' found below.

 

Additional Documentations:

None.

 

Notes:

Exploitation of this issue require an attacker to have access to a virtual machine with 3D graphics enabled. It is not enabled by default on ESXi and is enabled by default on Workstation and Fusion.

 

Acknowledgements:

VMware would like to thank Piotr Bania of Cisco Talos for reporting this issue to us.

 

Response Matrix:

Product Version Running On CVE Identifier CVSSV3 Severity Fixed Version Workarounds Additional Documents
ESXi
6.7
Any CVE-2019-5536 6.3
Moderate
ESXi670-201908101-SG
see VMSA-2018-0025
None
ESXi 6.5 Any CVE-2019-5536 6.3 Moderate ESXi650-201910401-SG see VMSA-2018-0025 None
ESXi 6.0 Any CVE-2019-5536 N/A N/A Not affected N/A N/A
Workstation 15.x Any CVE-2019-5536 6.3 Moderate 15.5.0 see VMSA-2018-0025 None
Fusion 11.x OS X
CVE-2019-5536 6.3 Moderate 11.5.0 see VMSA-2018-0025 None

5. Change log
 

2019-10-24: VMSA-2019-0019 

Initial security advisory in conjunction with the release of ESXi 6.5 patch on 2019-10-24.

6. Contact

 

E-mail list for product security notifications and announcements:

https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

 

This Security Advisory is posted to the following lists:

  security-announce@lists.vmware.com

  bugtraq@securityfocus.com

  fulldisclosure@seclists.org

 

E-mail: security@vmware.com

PGP key at:

https://kb.vmware.com/kb/1055

 

VMware Security Advisories

https://www.vmware.com/security/advisories

 

VMware Security Response Policy

https://www.vmware.com/support/policies/security_response.html

 

VMware Lifecycle Support Phases

https://www.vmware.com/support/policies/lifecycle.html

 

VMware Security & Compliance Blog  

https://blogs.vmware.com/security

 

Twitter

https://twitter.com/VMwareSRC

 

Copyright 2019 VMware Inc. All rights reserved.

 

Sign up for Security Advisories

Enter your email address: