VMware works hard to build virtual infrastructure products that our customers trust in the most critical operations of their enterprises. We recognize that unless our products meet the highest standards for security, customers will not be able to deploy them with confidence. This VMware Security Response Policy documents our commitments for resolving possible vulnerabilities in our products so that our customers can be assured that any such issues will be corrected in a timely fashion.
View our Security Response Summary Table.
How to inform VMware of a vulnerability
VMware encourages users who become aware of a security vulnerability in a VMware product to contact VMware with details of the vulnerability. VMware has established an email address that should be used for vulnerability notifications. Please send descriptions of any vulnerabilities found to Security. Please include details on the software and hardware configuration of your system so that we can duplicate the issue being reported. We also encourage customers to use our web-based support request system to alert us to vulnerabilities.
VMware hopes that users encountering a new vulnerability will contact us privately, as it is in the best interests of our customers that VMware have an opportunity to investigate and confirm a suspected vulnerability before it becomes public knowledge.
In the case of vulnerabilities found in third-party software components used in VMware products, please also notify VMware as described above.
Classes of vulnerabilities in VMware products
Priority 1
- Vulnerabilities that elevate local user or process privileges on the host system
- Vulnerabilities that provide remote access to the host system, including buffer overflows that permit the execution of arbitrary code on the host
- Vulnerabilities that manipulate local host system files and file permissions relating to VMware application and virtual machine files
- Vulnerabilities that cause the host system to crash or become indefinitely unavailable
Priority 2
- Vulnerabilities that permit host system login/authentication denial of service or brute forcing
- Vulnerabilities that cause unintended consumption of host memory, disk space or other system resources
- Vulnerabilities that cause the local guest system to crash or become indefinitely unavailable
- Vulnerabilities that elevate local user or process privileges on the guest system
Priority 3
- Vulnerabilities that permit guest system login/authentication denial of service or brute forcing
- Vulnerabilities that cause unintended consumption of guest memory, disk space or other system resources
- Vulnerabilities that expose host or guest virtual machine configuration information, or cause other private information exposure
- Vulnerabilities in the VMware remote client software, including cryptographic weaknesses, man-in-the-middle attacks and other vulnerabilities requiring the use of 'malicious' VMware servers
VMware's response to publicly reported vulnerabilities
Security vulnerability sources monitored
VMware monitors multiple public repositories of software security vulnerabilities to identify newly discovered vulnerabilities that may affect one of our products. Sources we monitor include:
- The Bugtraq mailing list and archives at http://www.securityfocus.com/archive/1
- Computer Emergency Response Team web site at http://www.cert.org/
- Neohapsis Security Archives at http://archives.neohapsis.com/
- Web sites of companies and organizations providing software components used in VMware products
- Reports sent to Security
Response actions
VMware's response to a published security vulnerability will consist of the actions listed below.
Acknowledgement and initial analysis
VMware's first response will be a posting to the VMware Knowledge Base (located at http://www.vmware.com/kb) confirming that VMware is aware of the reported vulnerability. The Knowledge Base article posted will include references to the public sources reporting the vulnerability. Whenever possible, this Knowledge Base posting will include steps users can take to protect their VMware system from the vulnerability. If a corrective action is not provided, the Knowledge Base article will state the expected timeframe for delivery of a fix from VMware.
If the vulnerability was initially reported through a web site or mailing list, VMware will post a message on that mailing list or web site referring users to the Knowledge Base article acknowledgement. VMware will digitally sign all postings to external mailing lists and web sites to ensure authenticity.
If VMware determines that the reported vulnerability does not exist, a response to that effect will be posted to the VMware Knowledge Base and to the originating mailing lists or web sites.
Fix or corrective action
VMware's next response will be the release of a fix for the reported vulnerability. The fix may take one or more of these forms:
- A new major release of the affected VMware product
- A new minor release (a "point" release) of the affected VMware product
- A patch that can be installed on top of the affected VMware product
- Instructions to download and install an update or patch for a third-party software component that is part of the VMware product installation
- A corrective procedure or workaround that instructs users in adjusting the VMware product configuration to mitigate the vulnerability
VMware customer notification
When a fix or corrective action becomes available, VMware will notify its customers by the following means:
- All VMware customers of record using the affected product will be notified by email. The email will be sent to all registered VMware license administrators and support administrators even if they have opted not to receive email from VMware in their VMware account profile settings. This notification policy is in accordance with the VMware privacy policy.
- Details of the fix or corrective action will be posted to the VMware Knowledge Base. Similar information will be posted to the reporting web sites or mailing lists.
Product versions that VMware will fix
A VMware product version has three numbers in the format x.y.z. The number in the x position identifies a major release. The number in the y position identifies a minor release or product update. The z position indicates a minor revision for maintenance releases.
VMware will provide security vulnerability fixes or corrective actions for the latest versions of supported major releases of a product. (See the VMware support policy for an explanation of the product releases that VMware supports.) An exception is made for VMware ESX 3.5, where VMware will provide fixes for any minor product versions released in the previous six months. For example, if the latest shipping release of a product is identified with version number 5.2.0, VMware will provide a corrective action or patch for the 5.2.0 release or a fix in a minor release with a 5.2.1 or 5.3.0 version number. In the case of VMware ESX 3.5, if a 5.1.0 version was released five months earlier, VMware will also release a corrective action for that release or a 5.1.1 patch version. If an earlier version numbered 4.5.0 is still supported by VMware, VMware will provide a corrective action or patch for the 4.5.0 release or a fix in a minor release with a 4.5.1 version number.
Response commitments
VMware's committed response time depends on the priority level of the reported vulnerability.
Priority 1
VMware will begin work on a fix or corrective action immediately. VMware will provide the fix or corrective action to customers in the shortest commercially reasonable time.
Priority 2
VMware will deliver a fix or corrective action with the next planned minor release of the product.
Priority 3
VMware will deliver a fix or corrective action with the next planned major release of the product.
Third-party components
For vulnerabilities found in software components provided with VMware products that VMware obtains from third parties, VMware will provide an acknowledgement and initial analysis as with the other classes of vulnerabilities. For those third-party components that VMware includes with no source code modifications, VMware will provide a fix when one is made available from the third-party provider.
Customer access to software releases with security fixes
VMware customers with active support and subscription service for a product are entitled to any new patches or releases (major or minor) that include security fixes. VMware Workstation customers not under active support and subscription contracts are entitled to receive minor releases and patches for 18 months after their purchase date.