Date: 23 September 2008
References: ESB-2008.0418 AL-2008.0073 ESB-2008.1014 ESB-2009.0147 AA-2009.0079 ESB-2009.0568
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2008.0797 -- [VMware ESX]
Updated ESX packages for OpenSSL, net-snmp, perl
23 September 2008
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: ESX 3 prior to 3.0.3
Publisher: VMware
Operating System: VMWare ESX Server
Impact: Execute Arbitrary Code/Commands
Increased Privileges
Access: Remote/Unauthenticated
CVE Names: CVE-2008-2292 CVE-2008-1927 CVE-2008-0960
CVE-2007-5135 CVE-2007-3108
Ref: ESB-2008.0418
AL-2008.0073
Revision History: September 23 2008: Updates for net-snmp and perl
after the release of patches for ESXi 3.5 and
ESX 3.5 on 2008-09-18
September 1 2008: Additional patches released for
net-snmp and Perl for ESX301, ESX302 and ESX303 and
OpenSSL for ESX301, and ESX302
August 27 2008: Corrected version information for patches
August 13 2008: Initial Release
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- - ------------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2008-0013.3
Synopsis: Updated ESX packages for OpenSSL, net-snmp, perl
Issue date: 2008-08-12
Updated on: 2008-09-18
CVE numbers: CVE-2007-3108, CVE-2007-5135, CVE-2008-2292,
CVE-2008-0960, CVE-2008-1927
- - --------------------------------------------------------------------------
1. Summary
Updated ESX packages for OpenSSL, net-snmp, perl
2. Relevant releases
ESX 3.5 without patches ESX350-200808405-SG, ESX350-200808406-SG
ESX 3.0.3 without patches ESX303-200808401-SG ESX303-200808402-SG
ESX 3.0.2 without patches ESX-1005116 ESX-1006031 ESX-1006037
ESX 3.0.1 without patches ESX-1005115 ESX-1006030 ESX-1006355
Note: Extended support (Security and Bug fixes) for ESX 3.0.2 ends
on 10/29/2008 and Extended support for ESX 3.0.2 Update 1
ends on 8/8/2009. Users should plan to upgrade to ESX 3.0.3
and preferably to the newest release available.
Extended Support (Security and Bug fixes) for ESX 3.0.1 has
ended on 2008-07-31. The 3.0.1 patches are released in August
because there was no patch release in July.
3. Problem Description
I Security Issues
a. OpenSSL Binaries Updated
This fix updates the third party OpenSSL library.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2007-3108 and CVE-2007-5135 to the issues
addressed by this update.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
VirtualCenter any Windows affected, patch pending
hosted * any any for patch info see VMSA-2008-0005
ESXi 3.5 ESXi affected, patch pending
ESX 3.5 ESX for patch info see VMSA-2008-0001
ESX 3.0.3 ESX not affected
ESX 3.0.2 ESX ESX-1005116
ESX 3.0.1 ESX ESX-1005115
ESX 2.5.5 ESX for patch info see VMSA-2008-0001
ESX 2.5.4 ESX for patch info see VMSA-2008-0001
* hosted products are VMware Workstation, Player, ACE, Server, Fusion
II Service Console rpm updates
a. net-snmp Security update
This fix upgrades the service console rpm for net-snmp to version
net-snmp-5.0.9-2.30E.24.
Note: this update is relevant for ESX 3.0.3. The initial advisory
incorrectly stated that this update was present in ESX 3.0.3
when it was released on August 8, 2008.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2008-2292 and CVE-2008-0960 to the issues
addressed in net-snmp-5.0.9-2.30E.24.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
VirtualCenter any Windows not applicable
hosted * any any not applicable
ESXi 3.5 ESXi not applicable
ESX 3.5 ESX ESX350-200808405-SG
ESX 3.0.3 ESX ESX303-200808401-SG
ESX 3.0.2 ESX ESX-1006031
ESX 3.0.1 ESX ESX-1006030
ESX 2.5.5 ESX not affected
ESX 2.5.4 ESX not affected
* hosted products are VMware Workstation, Player, ACE, Server, Fusion
b. perl Security update
This fix upgrades the service console rpm for perl to version
perl-5.8.0-98.EL3.
Note: this update is relevant for ESX 3.0.3. The initial advisory
incorrectly stated that this update was present in ESX 3.0.3
when it was released on August 8, 2008.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2008-1927 to the issue addressed in
perl-5.8.0-98.EL3.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
VirtualCenter any Windows not applicable
hosted * any any not applicable
ESXi 3.5 ESXi not applicable
ESX 3.5 ESX ESX350-200808406-SG
ESX 3.0.3 ESX ESX303-200808402-SG
ESX 3.0.2 ESX ESX-1006037
ESX 3.0.1 ESX ESX-1006355
ESX 2.5.5 ESX not affected
ESX 2.5.4 ESX not affected
* hosted products are VMware Workstation, Player, ACE, Server, Fusion
4. Solution
Please review the patch/release notes for your product and version
and verify the md5sum of your downloaded file.
ESX
---
ESX 3.5 patch ESX350-200808405-SG (net-snmp)
http://download3.vmware.com/software/esx/ESX350-200808405-SG.zip
md5sum: df41ff24c3f805958e7f270c5475dc42
http://kb.vmware.com/kb/1005814
ESX 3.5 patch ESX350-200808406-SG (perl)
http://download3.vmware.com/software/esx/ESX350-200808406-SG.zip
md5sum: 6916a5ea5533948ce17e4f4e7f61cd02
http://kb.vmware.com/kb/1005815
ESX 3.0.3 build 104629
ESX Server 3.0.3 CD image
md5sum: c2cda9242c6981c7eba1004e8fc5626d
Upgrade package from ESX Server 2.x to ESX Server 3.0.3
md5sum: 0ad8fa4707915139d8b2343afebeb92b
Upgrade package from earlier releases of ESX Server 3 to ESX Server
3.0.3
md5sum: ff7f3dc12d34b474b231212bdf314113
release notes:
http://www.vmware.com/support/vi3/doc/releasenotes_esx303.html
ESX 3.0.3 (net-snmp)
http://download3.vmware.com/software/vi/ESX303-200808401-SG.zip
md5sum: 93b8281b4e491e0c564c94a1419136cd
http://kb.vmware.com/kb/1006032
ESX 3.0.3 (perl)
http://download3.vmware.com/software/vi/ESX303-200808402-SG.zip
md5sum: a6734a3438da0492b3cad6c0bb462da4
http://kb.vmware.com/kb/1006033
ESX 3.0.2 (OpenSSL)
http://download3.vmware.com/software/vi/ESX-1005116.tgz
md5sum: 96fbbf2baf0744d7f23bfa1730be258d
http://kb.vmware.com/kb/1005116
ESX 3.0.2 (net-snmp)
http://download3.vmware.com/software/vi/ESX-1006031.tgz
md5sum: affd9ec9feaa7b42e0828c9634a40d56
http://kb.vmware.com/kb/1006031
ESX 3.0.2 (perl)
http://download3.vmware.com/software/vi/ESX-1006037.tgz
md5sum: 8c18cf1a06e359d5014efa04c3ca3787
http://kb.vmware.com/kb/1006037
ESX 3.0.1 (OpenSSL)
http://download3.vmware.com/software/vi/ESX-1005115.tgz
md5sum: ebaa361c959836156b707e824095dc99
http://kb.vmware.com/kb/1005115
ESX 3.0.1 (net-snmp)
http://download3.vmware.com/software/vi/ESX-1006030.tgz
md5sum: 3a52550ca6c958fc09af8ca4484aa6c9
http://kb.vmware.com/kb/1006030
ESX 3.0.1 (perl)
http://download3.vmware.com/software/vi/ESX-1006355.tgz
md5sum: 866846fa1f96cef45608a0e16e1ef979
http://kb.vmware.com/kb/1006355
5. References
CVE numbers
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3108
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5135
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2292
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0960
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1927
- - ------------------------------------------------------------------------
6. Change log
2008-08-12 VMSA-2008-0013
Initial release following release of ESX 3.0.3.
2008-08-26 VMSA-2008-0013.1
Corrected version information for the net-snmp and perl Service Console
rpms that are present in ESX 3.0.3 released on August 8. Previous
communication incorrectly stated that these rpms had been updated.
Updates for these rpms will be provided in an upcoming patch release.
2008-08-29 VMSA-2008-0013.2
Updated version information after the release of patches with updates
for net-snmp and Perl for ESX301, ESX302 and ESX303 on August 28.
Added version information after the release of patches with an update
for OpenSSL for ESX301, and ESX302 on August 28.
2008-09-18 VMSA-2008-0013.3
Added updated information for net-snmp and perl after the release of
patches for ESXi 3.5 and ESX 3.5 on 2008-09-18.
- - ------------------------------------------------------------------------
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
* security-announce at lists.vmware.com
* bugtraq at securityfocus.com
* full-disclosure at lists.grok.org.uk
E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055
VMware Security Center
http://www.vmware.com/security
VMware security response policy
http://www.vmware.com/support/policies/security_response.html
General support life cycle policy
http://www.vmware.com/support/policies/eos.html
VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html
Copyright 2008 VMware Inc. All rights reserved.
- -----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8
wj8DBQFI0yYGS2KysvBH1xkRAm5sAJ9kZ1w4kcIrjLXJP7hzVUICUSL+iACfUqdx
0dj0xWTpo8p3PHE38la4U/0=
=U5OM
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBSNiLhih9+71yA2DNAQIHLQP/dwPz6SjMdN+fX1g3bX+fdlRTnDtT3znw
ssO+H2jPnjbN3Bkr8aGMl4Xb9kSwIQDM4qJs/sqF/p//hj2kq7bqkB7nWh7S9Xpj
TQSDTCLqkOPrty2xQzPn3cKJP19Pw0KkdhESOrYxvemxSkSM1bjISPjGGnfkbmkH
2h84oeecTzU=
=ktO7
-----END PGP SIGNATURE-----
|