Information Security all in one place!

VMware Security Advisory: VMware ESXi and ESX updates to third party library and ESX Service Console

 

 VMware ESXi and ESX updates to third party library and ESX Service Console address several security issues.

Relevant Packages:

ESXi 4.1 without patch ESXi410-201201401-SG

ESX 4.1 without patches ESX410-201201401-SG, ESX410-201201402-SG,
ESX410-201201404-SG, ESX410-201201405-SG,
ESX410-201201406-SG, ESX410-201201407-SG

Description and Resolution:

Problem Description

English: A candidate icon for Portal:Computer ...

a. ESX third party update for Service Console kernel

The ESX Service Console Operating System (COS) kernel is updated to
kernel-2.6.18-274.3.1.el5 to fix multiple security issues in the
COS kernel.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the names CVE-2011-0726, CVE-2011-1078, CVE-2011-1079,
CVE-2011-1080, CVE-2011-1093, CVE-2011-1163, CVE-2011-1166,
CVE-2011-1170, CVE-2011-1171, CVE-2011-1172, CVE-2011-1494,
CVE-2011-1495, CVE-2011-1577, CVE-2011-1763, CVE-2010-4649,
CVE-2011-0695, CVE-2011-0711, CVE-2011-1044, CVE-2011-1182,
CVE-2011-1573, CVE-2011-1576, CVE-2011-1593, CVE-2011-1745,
CVE-2011-1746, CVE-2011-1776, CVE-2011-1936, CVE-2011-2022,
CVE-2011-2213, CVE-2011-2492, CVE-2011-1780, CVE-2011-2525,
CVE-2011-2689, CVE-2011-2482, CVE-2011-2491, CVE-2011-2495,
CVE-2011-2517, CVE-2011-2519, CVE-2011-2901 to these issues.

Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.

VMware         Product   Running  Replace with/
Product        Version   on       Apply Patch
=============  ========  =======  =================
vCenter        any       Windows  not affected

hosted *       any       any      not affected

ESXi           any       ESXi     not affected

ESX            4.1       ESX      ESX410-201201401-SG
ESX            4.0       ESX      patch pending
ESX            3.5       ESX      not applicable

* hosted products are VMware Workstation, Player, ACE, Fusion.

b. ESX third party update for Service Console cURL RPM

The ESX Service Console (COS) curl RPM is updated to cURL-7.15.5.9
resolving a security issues.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2011-2192 to this issue.

Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.

VMware         Product   Running  Replace with/
Product        Version   on       Apply Patch
=============  ========  =======  =================
vCenter        any       Windows  not affected

hosted *       any       any      not affected

ESXi           any       ESXi     not affected

ESX            4.1       ESX      ESX410-201201402-SG
ESX            4.0       ESX      patch pending
ESX            3.5       ESX      not applicable

* hosted products are VMware Workstation, Player, ACE, Fusion.

c. ESX third party update for Service Console nspr and nss RPMs

The ESX Service Console (COS) nspr and nss RPMs are updated to
nspr-4.8.8-1.el5_7 and nss-3.12.10-4.el5_7 respectively resolving
a security issues.

A Certificate Authority (CA) issued fraudulent SSL certificates and
Netscape Portable Runtime (NSPR) and Network Security Services (NSS)
contain the built-in tokens of this fraudulent Certificate
Authority. This update renders all SSL certificates signed by the
fraudulent CA as untrusted for all uses.

Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.

VMware         Product   Running  Replace with/
Product        Version   on       Apply Patch
=============  ========  =======  =================
vCenter        any       Windows  not affected

hosted *       any       any      not affected

ESXi           any       ESXi     not affected

ESX            4.1       ESX      ESX410-201201404-SG
ESX            4.0       ESX      patch pending
ESX            3.5       ESX      not applicable

* hosted products are VMware Workstation, Player, ACE, Fusion.

d. ESX third party update for Service Console rpm RPMs

The ESX Service Console Operating System (COS) rpm packages are
updated to popt-1.10.2.3-22.el5_7.2, rpm-4.4.2.3-22.el5_7.2,
rpm-libs-4.4.2.3-22.el5_7.2 and rpm-python-4.4.2.3-22.el5_7.2
which fixes multiple security issues.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the names CVE-2010-2059 and CVE-2011-3378 to these issues.

Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.

VMware         Product   Running  Replace with/
Product        Version   on       Apply Patch
=============  ========  =======  =================
vCenter        any       Windows  not affected

hosted *       any       any      not affected

ESXi           any       ESXi     not affected

ESX            4.1       ESX      ESX410-201201406-SG
ESX            4.0       ESX      patch pending
ESX            3.5       ESX      not applicable

* hosted products are VMware Workstation, Player, ACE, Fusion.

e. ESX third party update for Service Console samba RPMs

The ESX Service Console Operating System (COS) samba packages are
updated to samba-client-3.0.33-3.29.el5_7.4,
samba-common-3.0.33-3.29.el5_7.4 and
libsmbclient-3.0.33-3.29.el5_7.4 which fixes multiple security
issues in the Samba client.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the names CVE-2010-0547, CVE-2010-0787, CVE-2011-1678,
CVE-2011-2522 and CVE-2011-2694 to these issues.

Note that ESX does not include the Samba Web Administration Tool
(SWAT) and therefore ESX COS is not affected by CVE-2011-2522 and
CVE-2011-2694.

Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.

VMware         Product   Running  Replace with/
Product        Version   on       Apply Patch
=============  ========  =======  =================
vCenter        any       Windows  not affected

hosted *       any       any      not affected

ESXi           any       ESXi     not affected

ESX            4.1       ESX      ESX410-201201407-SG
ESX            4.0       ESX      patch pending
ESX            3.5       ESX      not applicable

* hosted products are VMware Workstation, Player, ACE, Fusion.

f. ESX third party update for Service Console python package

The ESX Service Console (COS) python package is updated to
2.4.3-44 which fixes multiple security issues.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the names CVE-2009-3720, CVE-2010-3493, CVE-2011-1015 and
CVE-2011-1521 to these issues.

Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.

VMware         Product   Running  Replace with/
Product        Version   on       Apply Patch
=============  ========  =======  =================
vCenter        any       Windows  not affected

hosted *       any       any      not affected

ESXi           any       ESXi     not affected

ESX            4.1       ESX      ESX410-201201405-SG
ESX            4.0       ESX      patch pending
ESX            3.5       ESX      not applicable

* hosted products are VMware Workstation, Player, ACE, Fusion.

g. ESXi update to third party component python

The python third party library is updated to python 2.5.6 which
fixes multiple security issues.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the names CVE-2009-3560, CVE-2009-3720, CVE-2010-1634,
CVE-2010-2089, and CVE-2011-1521 to these issues.

Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.

VMware         Product   Running  Replace with/
Product        Version   on       Apply Patch
=============  ========  =======  =================
vCenter        any       Windows  not affected

hosted *       any       any      not affected

ESXi           5.0       ESXi     patch pending
ESXi           4.1       ESXi     ESXi410-201201401-SG
ESXi           4.0       ESXi     patch pending
ESXi           3.5       ESXi     patch pending

ESX            4.1       ESX      not affected
ESX            4.0       ESX      not affected
ESX            3.5       ESX      not affected

* hosted products are VMware Workstation, Player, ACE, Fusion.

4. Solution

Please review the patch/release notes for your product and version
and verify the checksum of your downloaded file.

VMware ESXi 4.1
—————
ESXi410-201201401
http://downloads.vmware.com/go/selfsupport-download
ESXi410-201201401 contains ESXi410-201201401-SG

http://kb.vmware.com/kb/2009143

 

VMware ESX 4.1
————–
ESX410-201201001
http://downloads.vmware.com/go/selfsupport-download
md5sum: 16DF9ACD3E74BCABC2494BC23AD0927F      sha1sum: 1066AE1436E1A75BA3D541AB65296CFB9AB7A5CC
http://kb.vmware.com/kb/2009142

ESX410-201201001 contains ESX410-201201401-SG, ESX410-201201402-SG,
ESX410-201201404-SG, ESX410-201201405-SG, ESX410-201201406-SG and
ESX410-201201407-SG

Advertisements

One response

  1. Pingback: VMware: VirtualCenter Update and ESX 3.5 patch update JRE « NetSecurityIT.com – NSIT

Let's hear what you have to say.

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s