Security Advisory 2017-007

Release Date:

UPDATE Critical Vulnerabilities in VMWare ESXi, Workstation, and Fusion



  • 29/03/2017 --- v1.0: Initial publication
  • 31/03/2017 --- v1.1: Correction regarding VMWare ESXi 5.5


On March 28, 2017, VMWare released an advisory for VMWare ESXi, Workstation, and Fusion products [1]. The advisory addresses critical and moderate security issues.

Critical vulnerabilities may allow a guest system to execute code on the host system (CVE-2017-4902, CVE-2017-4903, and CVE-2017-4904).

The other vulnerability (CVE-2017-4905) may lead to information leak from the guest system.

These vulnerabilities were discovered by two teams (Team Sniper and Qihoo 360) during Pwn2Own event at CanSecWest [2].

Technical Details

The discovered vulnerabilities targeting VMWare products are:

  • CVE-2017-4902 (critical): Heap overflow leading to arbitrary code execution
  • CVE-2017-4903 (critical): Uninitialized stack value leading to arbitrary code execution
  • CVE-2017-4904 (critical): Uninitialized stack value leading to arbitrary code execution
  • CVE-2017-4905 (moderate): Uninitialized memory read leading to information disclosure

Vulnerable Systems

  • VMWare ESXi 5.5 - CVE-2017-4904 (moderate) and CVE-2017-4905 (moderate)
  • VMWare ESXi 6.0 - all vulnerabilities except CVE-2017-4902
  • VMWare ESXi 6.5 - all vulnerabilities
  • VMware Workstation 12.X - all vulnerabilities
  • VMware Fusion 8.x (OS X) - all vulnerabilities

Note: VMware ESXi 6.0 is not affected by CVE-2017-4902. Furthermore, CVE-2017-4904 only leads to denial of service on VMWare ESXi 5.5 (moderate).


Apply upgrades provided by VMWare for all affected products as soon as possible [1].

No other workarounds are available.




We got cookies

We only use cookies that are necessary for the technical functioning of our website. Find out more on here.