#VU9358 Out-of-bounds read in VMware Workstation and VMware Horizon - CVE-2017-4937
Vulnerability identifier: #VU9358
Vulnerability risk: Low
CVSSv4.0: 1.3 [CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID:
CWE-ID:
CWE-125
Exploitation vector: Local network
Exploit availability: No
Vulnerable software:
VMware Workstation
Client/Desktop applications /
Virtualization software
VMware Horizon
Server applications /
Virtualization software
Vendor: VMware, Inc
Description
The vulnerability allows an adjacent attacker to cause DoS condtition on the target system.
The weakness exists due to out-of-bounds memory read error in JPEG2000 parser in the TPView.dll. An adjacent attacker can trigger memory corruption and cause the service to crash.
Mitigation
Update Workstation to version 12.5.8.
Update Horizon View Client for Windows to version 4.6.1.
Vulnerable software versions
VMware Workstation: 12.0.0 - 12.5.7
VMware Horizon: 4.0, 4.5.0
External links
https://www.vmware.com/security/advisories/VMSA-2017-0018.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
