VMware ACE 2.5.2 Release Notes
These release notes cover the following topics:
VMware ACE Version 2.5.2 | 31 March 2009 | Build 156735
Document Last Updated: April 13, 2009
Features from the prior releases of VMware ACE are described in the following Release Notes documents:
The known issues are grouped as follows:
In addition to these ACE-specific known issues, VMware ACE includes the known issues
listed in the Workstation 6.5.2 release notes.
Localization and Internationalization
The host name for the machine on which ACE Management Server is installed must contain only ASCII characters.
If you want to use ACE Management Server in an Active Directory multi-domain setup of Japanese systems and use groups and users
of the parent domain, you must specify the parent domain when configuring ACE Management Server, as follows: On the Access
Control tab of the ACE Management Server Configuration Setup application, enter the parent domain host name in the LDAP Server
Host Name field. Enter the parent domain name in the Query User Domain field. If you use the child domain name, you get
a Domain Not Found error.
On Japanese and simplified Chinese Windows Vista hosts, you cannot install an ACE package that contains a Japanese Windows Vista
guest operating system if the virtual machine name contains Japanese characters.
If you select to use multiple folders for creating DVDs or CDs when creating an ACE package, you must use alphanumeric characters
(English letters and numbers) when specifying the disc label.
For all Windows operating systems except Windows Vista, ACE instance customization parameters — such as user name,
organization, computer name, and paths to initialization scripts — must use characters from the local character set only.
For example, you can use Japanese characters for the computer name only on a Japanese host. In addition, if you use placeholders
for instance customization parameters, the host and guest operating system must use the same locale. These restrictions do not
apply to Windows Vista guests because Windows Vista uses a UTF-8 encoded XML file to store the Microsoft sysprep parameters. Earlier
versions of Windows use the sysprep.inf file, and the Microsoft Windows mini-setup process reads that file in the local encoding only.
On Japanese systems, if you use instance customization and the path to the virtual machine contains a Japanese character that has
a 0x5c byte as part of the codepoint, instance customization fails. For a list of such characters, go to
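The following pre-flight check is an added example, not VMware code: it flags characters in a virtual machine path whose local encoding contains a 0x5c byte. It assumes the local encoding on a Japanese Windows host is code page 932; the function names and sample paths are constructed for illustration. The byte-wise split shows how a byte-oriented parser would misread such a path; the release notes do not state the actual cause of the failure.

```python
# Added example, not VMware code. Assumption: the "local encoding" on a
# Japanese Windows host is code page 932 (Shift-JIS).
LOCAL_ENCODING = "cp932"


def check_vm_path(path, encoding=LOCAL_ENCODING):
    """Classify characters in a virtual machine path.

    trail_0x5c:  multibyte characters with a 0x5c byte after the lead byte
    unencodable: characters the local code page cannot represent at all
    """
    report = {"trail_0x5c": [], "unencodable": []}
    for index, char in enumerate(path):
        try:
            raw = char.encode(encoding)
        except UnicodeEncodeError:
            report["unencodable"].append((index, char))
            continue
        # A real backslash separator is the single byte 0x5c; only a 0x5c
        # that follows a lead byte belongs to a multibyte character.
        if len(raw) > 1 and 0x5C in raw[1:]:
            report["trail_0x5c"].append((index, char, raw.hex()))
    return report


def bytewise_components(path, encoding=LOCAL_ENCODING):
    """Split the encoded path on 0x5c as a byte-oriented parser would."""
    return path.encode(encoding).split(b"\\")


if __name__ == "__main__":
    # Constructed sample paths.
    for sample in (r"C:\ACE\表示\vm.vmx", r"C:\ACE\テスト\vm.vmx"):
        print(sample, check_vm_path(sample), bytewise_components(sample))
```

A path that returns an empty `trail_0x5c` list avoids the condition described above; a non-empty list names the characters to rename before running instance customization.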
On Japanese hosts, if you use the vmware-acetool command-line program, you must use only ASCII characters in the password
for the recovery key and administrator mode.
When using a hotfix policy, if you select to use email to submit the hotfix request, you can use only characters from the
local character set for the administrator email and email subject. For example, you can use Japanese characters for these
fields only on a Japanese host.
If you use the ACE Management Server with an MS-SQL database, the database must be installed on a host whose locale matches
the language being used to create the ACE instances. For example, if you use Workstation on a Japanese host to create ACE
packages that you want to deploy to Japanese systems, the database host must also be on a Japanese system.
If you install ACE Management Server on a Linux host and use Active Directory integration, you cannot use credentials that
include multibyte characters. That is, you must log in to Active Directory with a name and password that do not include multibyte
If you add creator IDs to the aceMaster.dat file, you must use ASCII characters or characters that do not conflict with the
encoding tag (.encoding = xxx) in the first line of the file. Creator IDs control which ACE instances
run on that host.
If you use the zone editor to create a new zone in an ACE network access policy, you cannot use non-ASCII characters in
any of the addresses: network, DNS server, gateway server, DHCP, WINS, and domain.
If you create a host network access policy that has a rule based on a machine name with Japanese characters in it, the rule
is followed only when you deploy the ACE instance on Japanese hosts. For example, if you create a rule to block access to a
machine by using the Japanese machine name in the rule and then deploy the ACE instance to an English host, access to that
Japanese machine is not blocked.
Instance Customization on Windows Vista fails for standalone Vista virtual machines when domain join is enabled and the
Windows Login setting for the user name is not an administrator.
Workarounds: Disable Windows Vista UAC or set the Windows Login user name to administrator. Any other local
administrator account does not work.
You are unable to add users from a child domain when a managed ACE instance is configured with Windows 2000 ACE Management Server.
You receive an error while running a Pocket ACE on a Windows Vista host that does not have VMware Player installed. When you
install an ACE package as an administrator, VMware Player is installed. However, when you install an ACE package as a
non-administrator, VMware Player must have already been installed for the Pocket ACE to work properly.
Help desk login disabled if accessed through AMS virtual appliance
From the ACE Management Server virtual appliance configuration page, if you try to access Help Desk after clicking ACE Login, the following error messages appear and the Login button is disabled:
- On IE 7.x: opener.patent.frames.wc_topBar is null or not an object
- On Firefox: Permission denied to get property Windows.wc_topBar
Workaround: Access the help desk directly using the ACE Management Server view by entering https://<AMS_IP>:<AMS_PORT> in the browser.
Virtual machine in root directory with virtual disk in a subdirectory does not work properly for snapshots
If a Windows virtual machine is in the root directory with a virtual disk in a subdirectory, then after you take a snapshot the virtual machine cannot be powered on or cloned, its settings cannot be edited, and other operations related to the added virtual disk fail.
If a virtual machine is in a root directory, keep all its virtual disks in the same directory or move the virtual machine to a non-root directory.
If you upgrade ACE Management Server and it was installed in a non-default directory, be sure to choose the same directory during
the upgrade that you used for the previous installation. This ensures that your previous settings are used.
Before you upgrade an ACE Management Server from 2.0.x to 2.5.x, if you are not using Active Directory for authentication, do the
following on your 2.0.x ACE-enabled virtual machines: If the ACE-enabled virtual machine uses a password or activation keys, set
the access controls to None. Upgrade the ACE Management Server. Re-enter the password or keys for the virtual machine and publish
the policy. If you do not do this, the virtual machine returns an error message that the credentials are invalid.
A managed ACE instance using Active Directory or user password authentication cannot be powered on or cloned after the recovery
key has been enabled dynamically on the server.
Workarounds: To power on the virtual machine, disable the recovery key and publish the policies. After the recovery
key is disabled, the user can power on the ACE instance again. To clone the virtual machine, if you are using password
authentication, first disable the user password and then clone the ACE instance to a virtual machine. There is no workaround if the
ACE instance is using Active Directory.
If you are not using Active Directory for authentication, before you clone an ACE-enabled virtual machine that uses a password or
activation keys, set the access controls to None. Re-enter
the password or keys for both virtual machines after the clone is created. If you do not do this, the cloned
virtual machine returns an error message that the credentials are invalid.
If you enable Administrator mode on an ACE instance and attempt to change the Shared Folders preference from Enabled Until
Next Power Off or Suspend to another setting, the change is not saved.
On Linux guests, the virtual printer feature does not work. This feature would allow users to print to any printer
available to the host computer without installing additional drivers in the virtual machine.
If you use the virtual printer feature on 64-bit Windows Vista hosts and you find that you cannot print to some printers listed
as available, you might need to install a 32-bit version of the printer driver on the host. For example, if you lose a print
job or get the error message Thunking Spooler APIS from 32 to 64 Process has stopped working, use this workaround.
IP addresses in Instance View and Help Desk are sorted alphabetically, not numerically.
The following issues are resolved in VMware ACE 2.5.2:
New: Host code execution vulnerability from a guest operating system
A critical vulnerability in the virtual machine display function might allow a guest operating system to run code on the host. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2009-1244 to this issue.
Windows-based host privilege escalation in hcmon.sys
A vulnerability in an ioctl function in hcmon.sys might be used
to escalate privileges on a Windows-based host. The Common Vulnerabilities and Exposures project has assigned the name CVE-2009-1146 to this issue.
New releases of hosted products address a denial-of-service problem described in CVE-2008-3761, which can only be exploited by a privileged Windows account.
A remote denial-of-service vulnerability in authd for Windows-based hosts
A vulnerability in vmware-authd.exe could cause a denial-of-service condition on Windows hosts. The Common Vulnerabilities and Exposures project has assigned the name CVE-2009-0177 to this issue.
A VMCI privilege escalation on Windows-based hosts or Windows-based guests
Virtual Machine Communication Interface (VMCI) is an infrastructure that provides fast and efficient communication between a virtual machine and the host operating system and between two or more virtual machines on the same host. A vulnerability in vmci.sys might allow privilege escalation on Windows-based machines. This might occur on Windows-based hosts or inside Windows-based guest operating systems. Current versions of ESX Server do not support the VMCI interface and hence they are not affected by this vulnerability. To correct this vulnerability on Windows-based hosts, see Virtual Machine Communication Interface (VMCI) privilege escalation on Windows-based Workstation, Player, ACE and Server (KB 1009826).
The Common Vulnerabilities and Exposures project has assigned the name CVE-2009-1147 to this issue.
VMnc codec heap overflow vulnerabilities
The VMnc codec assists in record and replay sessions. Record and replay records the dynamic virtual machine state over a period of time. Two heap overflow vulnerabilities might allow a remote attacker to execute arbitrary code on VMware hosted products. For
an attack to be successful, the user must visit a malicious Web page or open a malicious video file.
The Common Vulnerabilities and Exposures project has assigned the names CVE-2009-0909 and CVE-2009-0910 to these issues.
ACE Shared folders vulnerability
The shared folders feature of the VMware Host Guest File System (HGFS) allows users to transfer data between a guest operating system and the non-virtualized host operating system that contains it. A vulnerability in ACE shared folders might allow a previously disabled and not removed shared folder in the guest to be enabled by a non-ACE administrator.
The Common Vulnerabilities and Exposures project has
assigned the name CVE-2009-0908 to this issue.
Creating ACE package fails on Windows virtual machines
Creating an ACE package fails with the error Tools is out of date on virtual machines running Windows NT, Windows 9x, and Windows Millennium Edition. This issue is resolved in this release.
In addition to these ACE-specific resolved issues, VMware ACE includes the resolved issues listed in the Workstation 6.5.2 release notes.