Andrew Honig

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 3.12.6 **Description** The issue allows local users to gain privileges or cause a denial of service, resulting in a system crash, via a VAPIC synchronization operation involving a page-end address. **Recommendations** For versions prior to 3.12.6, update to version 3.12.6 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** VMware Workstation versions prior to 5.5.9 build 126128 VMware Workstation versions 6.x prior to 6.5.1 VMware Player versions prior to 1.0.9 build 126128 VMware Player versions 2.x prior to 2.5.1 VMware ACE versions prior to 1.0.8 build 125922 VMware ACE versions 2.x prior to 2.5.1 VMware Server versions 1.x prior to 1.0.8 build 126538 VMware Server versions 2.0.x prior to 2.0.1 build 156745 VMware Fusion versions prior to 2.0.1 VMware ESXi version 3.5 VMware ESX versions 3.0.2, 3.0.3, 3.5 **Description** The issue allows guest OS users to cause a denial of service, resulting in a host OS crash, via unknown vectors. **Recommendations** For VMware Workstation versions prior to 5.5.9 build 126128, update to version 5.5.9 build 126128 or later. For VMware Workstation versions 6.x prior to 6.5.1, update to version 6.5.1 or later. For VMware Player versions prior to 1.0.9 build 126128, update to version 1.0.9 build 126128 or later. For VMware Player versions 2.x prior to 2.5.1, update to version 2.5.1 or later. For VMware ACE versions prior to 1.0.8 build 125922, update to version 1.0.8 build 125922 or later. For VMware ACE versions 2.x prior to 2.5.1, update to version 2.5.1 or later. For VMware Server versions 1.x prior to 1.0.8 build 126538, update to version 1.0.8 build 126538 or later. For VMware Server versions 2.0.x prior to 2.0.1 build 156745, update to version 2.0.1 build 156745 or later. For VMware Fusion versions prior to 2.0.1, update to version 2.0.1 or later. For VMware ESXi version 3.5, update to a later version. For VMware ESX versions 3.0.2, 3.0.3, 3.5, update to a later version.

**Name of the Vulnerable Software and Affected Versions** VMware Workstation versions 6.0.0 through 6.0.2 VMware Player versions 2.0.0 through 2.0.2 VMware ACE versions 2.0.0 through 2.0.0 **Description** The issue allows attackers to cause a denial of service, resulting in a host OS crash, via crafted VMCI calls that trigger memory exhaustion and memory corruption. **Recommendations** For VMware Workstation versions 6.0.0 through 6.0.2, update to version 6.0.3 or later. For VMware Player versions 2.0.0 through 2.0.2, update to version 2.0.3 or later. For VMware ACE versions 2.0.0 through 2.0.0, update to version 2.0.1 or later.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 3.8.4 systemtap-runtime-debuginfo (affected versions not specified) systemtap-sdt-devel (affected versions not specified) systemtap (affected versions not specified) libvmtools0 (affected versions not specified) systemtap-client (affected versions not specified) systemtap-client-debuginfo (affected versions not specified) kernel-vanilla-base-debuginfo (affected versions not specified) systemtap-server-debuginfo (affected versions not specified) libvmtools0-debuginfo (affected versions not specified) systemtap-runtime (affected versions not specified) kernel-vanilla-base (affected versions not specified) systemtap-server (affected versions not specified) systemtap-debuginfo (affected versions not specified) systemtap-debugsource (affected versions not specified) libvmtools-devel (affected versions not specified) **Description** The issue involves multiple vulnerabilities in various packages of the openSUSE and Debian GNU/Linux operating systems, which can lead to disruption of confidentiality, integrity, and availability of protected information. Exploitation of these vulnerabilities can be carried out remotely or locally, depending on the specific package affected. In the case of the Linux kernel, a vulnerability in the `kvm set msr common` function in `arch/x86/kvm/x86.c` allows guest OS users to cause a denial of service, including buffer overflow and host OS memory corruption, or possibly have unspecified other impact via a crafted application. **Recommendations** For Linux kernel versions prior to 3.8.4, update to a version 3.8.4 or later to resolve the issue. For systemtap-runtime-debuginfo, systemtap-sdt-devel, systemtap, libvmtools0, systemtap-client, systemtap-client-debuginfo, kernel-vanilla-base-debuginfo, systemtap-server-debuginfo, libvmtools0-debuginfo, systemtap-runtime, kernel-vanilla-base, systemtap-server, systemtap-debuginfo, systemtap-debugsource, and libvmtools-devel, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** openSUSE systemtap-runtime-debuginfo (affected versions not specified) openSUSE systemtap-sdt-devel (affected versions not specified) openSUSE systemtap (affected versions not specified) openSUSE libvmtools0 (affected versions not specified) openSUSE systemtap-client (affected versions not specified) openSUSE systemtap-client-debuginfo (affected versions not specified) openSUSE kernel-vanilla-base-debuginfo (affected versions not specified) openSUSE systemtap-server-debuginfo (affected versions not specified) openSUSE libvmtools0-debuginfo (affected versions not specified) openSUSE systemtap-runtime (affected versions not specified) openSUSE kernel-vanilla-base (affected versions not specified) openSUSE systemtap-server (affected versions not specified) Linux kernel versions prior to 3.8.4 **Description** The issue involves multiple vulnerabilities in various packages of the openSUSE operating system and the Linux kernel, which can lead to disruption of protected information availability. These vulnerabilities can be exploited remotely or locally, depending on the package. The Linux kernel vulnerability, in particular, allows guest OS users to cause a denial of service or possibly have other unspecified impacts through a crafted application. **Recommendations** For openSUSE systemtap-runtime-debuginfo, consider disabling the vulnerable components until a patch is available. For openSUSE systemtap-sdt-devel, restrict access to the vulnerable module to minimize the risk of exploitation. For openSUSE systemtap, avoid using the vulnerable functions until the issue is resolved. For openSUSE libvmtools0, consider disabling the `libvmtools0` module as a temporary workaround. For openSUSE systemtap-client, restrict access to the vulnerable client to minimize the risk of exploitation. For openSUSE systemtap-client-debuginfo, consider disabling the vulnerable debug information until a patch is available. For openSUSE kernel-vanilla-base-debuginfo, update to a version later than 3.8.4 to resolve the issue. For openSUSE systemtap-server-debuginfo, restrict access to the vulnerable server to minimize the risk of exploitation. For openSUSE libvmtools0-debuginfo, consider disabling the vulnerable debug information until a patch is available. For openSUSE systemtap-runtime, consider disabling the vulnerable runtime until a patch is available. For openSUSE kernel-vanilla-base, update to a version later than 3.8.4 to resolve the issue. For openSUSE systemtap-server, restrict access to the vulnerable server to minimize the risk of exploitation. For Linux kernel versions prior to 3.8.4, update to version 3.8.4 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** openSUSE versions prior to the fixed version Linux kernel versions through 3.8.4 systemtap versions (affected versions not specified) systemtap-runtime versions (affected versions not specified) systemtap-runtime-debuginfo versions (affected versions not specified) systemtap-server versions (affected versions not specified) systemtap-server-debuginfo versions (affected versions not specified) systemtap-client versions (affected versions not specified) systemtap-client-debuginfo versions (affected versions not specified) systemtap-sdt-devel versions (affected versions not specified) libvmtools0 versions (affected versions not specified) libvmtools0-debuginfo versions (affected versions not specified) kernel-vanilla-base versions (affected versions not specified) kernel-vanilla-base-debuginfo versions (affected versions not specified) systemtap-debuginfo versions (affected versions not specified) systemtap-debugsource versions (affected versions not specified) libvmtools-devel versions (affected versions not specified) **Description** The issue involves multiple vulnerabilities in various packages of the openSUSE operating system and the Linux kernel, which can lead to disruption of protected information availability. These vulnerabilities can be exploited remotely or locally, depending on the specific package and version. The `ioapic read indirect` function in the Linux kernel does not properly handle certain combinations of invalid IOAPIC REG SELECT and IOAPIC REG WINDOW operations, allowing guest OS users to obtain sensitive information from host OS memory or cause a denial of service. **Recommendations** For Linux kernel versions through 3.8.4, update to a version later than 3.8.4 to resolve the issue. For systemtap and its related packages, there is no information about a newer version that contains a fix for this vulnerability. For kernel-vanilla-base and its related packages, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, consider restricting access to vulnerable packages and modules to minimize the risk of exploitation. Avoid using vulnerable functions and parameters in affected API endpoints until the issue is resolved.