Virtual insanity ahead of Node.js updates

VMware has patched a critical vulnerability (CVE-2018-6983) in its Workstation and Fusion virtualization software packages that creates a means for hackers to execute hostile code on host machines.

The latest versions of VMware Workstation Pro / Player (Workstation) and VMware Fusion Pro / Fusion (Fusion) both need updating to defend against the vulnerability, which VMware warns is “critical”.

VMware Workstation and Fusion contain an integer overflow vulnerability in the virtual network devices. This issue may allow a guest to execute code on the host.

An advisory from US CERT backs up this dire assessment, reading: “An attacker could exploit this vulnerability to take control of an affected system.”

The vulnerability was discovered by Tianwen Tang of Qihoo 360Vulcan Team and disclosed at the TianfuCup 2018, a cybersecurity contest and summit held in China earlier this week.

Users are advised to update to VMware Workstation 14.1.5, 15.0.2 and Fusion 10.1.5, 11.0.2. The various updates were all released on Thursday (November 22).

In other patching news, users of the Node.js programming environment should brace for updates due to land next Tuesday (November 27).

The updates for all supported release lines will pack fixes specific to Node.js, as well as updates to its OpenSSL component.

The Node.js updates will defend against a denial of service (DoS) vulnerability as well as four data confidentiality and integrity flaws, the most severe of which is rated as “high”.

Node.js’s pre-alert advisory – which is understandably short on specifics – is here.