Date: 18 September 2012
References: ESB-2010.1066 ESB-2011.0001 ESB-2011.0749 ESB-2011.1208
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2012.0677.3
VMware ESXi update to third party library
18 September 2012
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product:           VMware ESXi
Publisher:         VMware
Operating System:  VMware ESX Server
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-0841 CVE-2011-3919 CVE-2011-3905
                   CVE-2011-2834 CVE-2011-1944 CVE-2011-0216
                   CVE-2010-4008
Reference:         ESB-2011.1208
                   ESB-2011.0749
                   ESB-2011.0001
                   ESB-2010.1066
Revision History:  September 18 2012: Updated security advisory in conjunction
                                      with the release of vSphere 4.0 U4a and
                                      ESX 4.0 patches. Removed CVE-2010-4494 and
                                      CVE-2011-2821 since these CVEs are not
                                      relevant to ESXi.
                   September  3 2012: Updated Relevant Releases, Problem
                                      Description, and Solution sections to
                                      include information regarding updates for
                                      ESXi in conjunction with the release of
                                      vSphere 4.1 U3 on 2012-08-30.
                   July      13 2012: Initial Release
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- - -----------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2012-0012.2
Synopsis:    VMware ESXi update to third party library
Issue date:  2012-07-12
Updated on:  2012-09-13
CVE number:  CVE-2010-4008, CVE-2011-0216, CVE-2011-1944,
             CVE-2011-2834, CVE-2011-3905, CVE-2011-3919,
             CVE-2012-0841
-----------------------------------------------------------------------
1. Summary
VMware ESXi update addresses several security issues.
2. Relevant releases
ESXi 5.0 without patch ESXi500-201207101-SG
ESXi 4.1 without patch ESXi410-201208101-SG
ESXi 4.0 without patch ESXi400-201209401-SG
3. Problem Description
a. ESXi update to third party component libxml2
The libxml2 third party library has been updated which addresses
multiple security issues.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2010-4008, CVE-2011-0216, CVE-2011-1944,
CVE-2011-2834, CVE-2011-3905, CVE-2011-3919 and CVE-2012-0841 to
these issues.
The following table lists what action remediates the vulnerability
(column 4) if a solution is available.
VMware      Product   Running   Replace with/
Product     Version   on        Apply Patch
==========  ========  ========  =================
vCenter     any       Windows   not affected
hosted *    any       any       not affected
ESXi        5.0       any       ESXi500-201207101-SG
ESXi        4.1       any       ESXi410-201208101-SG
ESXi        4.0       any       ESXi400-201209401-SG
ESXi        3.5       any       patch pending
ESX         any       any       not applicable
* hosted products are VMware Workstation, Player, ACE, Fusion.
Note: "patch pending" means that the product is affected, but no
patch is currently available. The advisory will be updated
when a patch is available.
4. Solution
Please review the patch/release notes for your product and
version and verify the checksum of your downloaded file.
ESXi
----
http://downloads.vmware.com/go/selfsupport-download
ESXi 5.0
--------
Patch: ESXi500-201207001
md5sum: 01196c5c1635756ff177c262cb69a848
sha1sum: 85936f5439100cd5fb55c7add574b5b3b937fe86
http://kb.vmware.com/kb/2020571
ESXi500-201207001 contains ESXi500-201207101-SG
ESXi 4.1
--------
File: update-from-esxi4.1-4.1_update03.zip
md5sum: b35267e3c96a8ebd2e3acac09538cdf5
sha1sum: 2b2d456e89964528f25c01ae5d84edbd2bbcdefb
http://kb.vmware.com/kb/2020373
update-from-esxi4.1-4.1_update03 contains ESXi410-201208101-SG
ESXi 4.0
--------
File: ESXi400-201209001
md5sum: 8ea463e3814f147ab0889a733e66b9f0
sha1sum: f9526a0936975fa4b7cbdf588cd4c119d95973c9
http://kb.vmware.com/kb/2019662
ESXi400-201209001 contains ESXi400-201209401-SG
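Section 4 asks the reader to verify the checksum of each downloaded file against the md5sum and sha1sum values above before applying it. The following POSIX shell script is an added example (not part of the VMware advisory or the AusCERT bulletin) that does exactly that: it computes both digests of a local file, compares them with the published values, and refuses the file unless both match. The function names (digest, verify_patch, selfcheck) are this example's own; the self-check uses a constructed six-byte file whose digests are well known, and the commented real-use call assumes the ESXi 4.1 bundle was saved under its published file name in the current directory.

```shell
#!/bin/sh
# Added example (not part of the VMware/AusCERT advisory): verify a downloaded
# ESXi patch bundle against the md5sum/sha1sum values published in section 4
# before applying it. Function names (digest, verify_patch, selfcheck) are
# this example's own.

# digest ALGO FILE: print the hex digest of FILE. Uses the coreutils tools
# where present and falls back to openssl so the check also works on hosts
# without md5sum/sha1sum.
digest() {
  algo="$1"
  file="$2"
  case "$algo" in
    md5)
      if command -v md5sum >/dev/null 2>&1; then
        md5sum "$file" | awk '{print $1}'
      else
        openssl dgst -md5 "$file" | awk '{print $NF}'
      fi
      ;;
    sha1)
      if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$file" | awk '{print $1}'
      else
        openssl dgst -sha1 "$file" | awk '{print $NF}'
      fi
      ;;
    *)
      echo "digest: unsupported algorithm '$algo'" >&2
      return 2
      ;;
  esac
}

# verify_patch FILE EXPECTED_MD5 EXPECTED_SHA1: return 0 only when BOTH digests
# match the advisory's values; a file that agrees on one algorithm but not the
# other is still rejected. Expected values are lower-cased so copy-pasted
# upper-case hex compares equal.
verify_patch() {
  file="$1"
  want_md5=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  want_sha1=$(printf '%s' "$3" | tr 'A-F' 'a-f')

  if [ ! -f "$file" ]; then
    echo "verify_patch: no such file: $file" >&2
    return 1
  fi

  got_md5=$(digest md5 "$file")
  got_sha1=$(digest sha1 "$file")

  if [ "$got_md5" = "$want_md5" ] && [ "$got_sha1" = "$want_sha1" ]; then
    echo "OK: $file matches published md5/sha1"
    return 0
  fi
  echo "MISMATCH: $file" >&2
  echo "  md5  got $got_md5 want $want_md5" >&2
  echo "  sha1 got $got_sha1 want $want_sha1" >&2
  return 1
}

# selfcheck: exercise verify_patch on a constructed file whose digests are
# known (the six bytes "hello\n"): the correct pair must be accepted and a
# deliberately wrong md5 must be rejected. Returns 0 only if both hold.
selfcheck() {
  tmp=$(mktemp) || return 1
  printf 'hello\n' > "$tmp"
  verify_patch "$tmp" \
    b1946ac92492d2347c6235b4d2611184 \
    f572d396fae9206628714fb2ce00f72e94f2258f >/dev/null &&
  ! verify_patch "$tmp" \
    00000000000000000000000000000000 \
    f572d396fae9206628714fb2ce00f72e94f2258f 2>/dev/null
  status=$?
  rm -f "$tmp"
  return $status
}

# Real use, with the ESXi 4.1 values from section 4 (the path is wherever the
# bundle was saved; the file name is the one the advisory lists):
#   verify_patch ./update-from-esxi4.1-4.1_update03.zip \
#       b35267e3c96a8ebd2e3acac09538cdf5 \
#       2b2d456e89964528f25c01ae5d84edbd2bbcdefb

selfcheck && echo "selfcheck passed"
```

Run the self-check first so the checker itself is trusted, then point verify_patch at the downloaded bundle with the two values printed for that release; a non-zero exit means the file should not be applied and should be re-downloaded from the VMware link above.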
5. References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4008
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0216
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1944
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2834
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3905
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3919
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0841
-----------------------------------------------------------------------
6. Change log
2012-07-12 VMSA-2012-0012
Initial security advisory in conjunction with the release of a patch
for ESXi 5.0 on 2012-07-12.
2012-08-30 VMSA-2012-0012.1
Updated Relevant Releases, Problem Description, and Solution
sections to include information regarding updates for ESXi in
conjunction with the release of vSphere 4.1 U3 on 2012-08-30.
2012-09-12 VMSA-2012-0012.2
Updated security advisory in conjunction with the release of
vSphere 4.0 U4a on 2012-09-12 and ESX 4.0 patches on 2012-09-13.
Removed CVE-2010-4494 and CVE-2011-2821 since these CVEs are not
relevant to ESXi.
-----------------------------------------------------------------------
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
* security-announce at lists.vmware.com
* bugtraq at securityfocus.com
* full-disclosure at lists.grok.org.uk
E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
VMware security response policy
http://www.vmware.com/support/policies/security_response.html
General support life cycle policy
http://www.vmware.com/support/policies/eos.html
VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html
Copyright 2012 VMware Inc. All rights reserved.
- -----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8
wj8DBQFQUsGvDEcm8Vbi9kMRAk3HAJ4kp0ldVN4rW1+rm6Jr/o1OGxJViwCfc81T
Lpv6UfdDkSXuH0E1ochKmrM=
=iIDw
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
=HuHS
-----END PGP SIGNATURE-----