-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------------ VMware Security Advisory Advisory ID: VMSA-2011-0012 Synopsis: VMware ESXi and ESX updates to third party libraries and ESX Service Console Issue date: 2011-10-12 Updated on: 2011-10-12 (initial release of advisory) CVE numbers: --- COS Kernel --- CVE-2010-1083, CVE-2010-2492, CVE-2010-2798, CVE-2010-2938, CVE-2010-2942, CVE-2010-2943, CVE-2010-3015, CVE-2010-3066, CVE-2010-3067, CVE-2010-3078, CVE-2010-3086, CVE-2010-3296, CVE-2010-3432, CVE-2010-3442, CVE-2010-3477, CVE-2010-3699, CVE-2010-3858, CVE-2010-3859, CVE-2010-3865, CVE-2010-3876, CVE-2010-3877, CVE-2010-3880, CVE-2010-3904, CVE-2010-4072, CVE-2010-4073, CVE-2010-4075, CVE-2010-4080, CVE-2010-4081, CVE-2010-4083, CVE-2010-4157, CVE-2010-4158, CVE-2010-4161, CVE-2010-4238, CVE-2010-4242, CVE-2010-4243, CVE-2010-4247, CVE-2010-4248, CVE-2010-4249, CVE-2010-4251, CVE-2010-4255, CVE-2010-4263, CVE-2010-4343, CVE-2010-4346, CVE-2010-4526, CVE-2010-4655, CVE-2011-0521, CVE-2011-0710, CVE-2011-1010, CVE-2011-1090, CVE-2011-1478 --- COS krb5 --- CVE-2010-1323, CVE-2011-0281, CVE-2011-0282 --- glibc library --- CVE-2010-0296, CVE-2011-0536, CVE-2011-1071, CVE-2011-1095, CVE-2011-1658, CVE-2011-1659 --- mtp2sas --- CVE-2011-1494, CVE-2011-1495 - ------------------------------------------------------------------------ 1. Summary VMware ESXi and ESX updates to third party libraries and ESX Service Console address several security issues. 2. Relevant releases ESXi 4.0 without patch ESXi400-201110401-SG. ESX 4.0 without patches ESX400-201110401-SG, ESX400-201110403-SG, ESX400-201110409-SG 3. Problem Description a. ESX third party update for Service Console kernel This update takes the console OS kernel package to kernel-2.6.18-238.9.1 which resolves multiple security issues. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2010-1083, CVE-2010-2492, CVE-2010-2798, CVE-2010-2938, CVE-2010-2942, CVE-2010-2943, CVE-2010-3015, CVE-2010-3066, CVE-2010-3067, CVE-2010-3078, CVE-2010-3086, CVE-2010-3296, CVE-2010-3432, CVE-2010-3442, CVE-2010-3477, CVE-2010-3699, CVE-2010-3858, CVE-2010-3859, CVE-2010-3865, CVE-2010-3876, CVE-2010-3877, CVE-2010-3880, CVE-2010-3904, CVE-2010-4072, CVE-2010-4073, CVE-2010-4075, CVE-2010-4080, CVE-2010-4081, CVE-2010-4083, CVE-2010-4157, CVE-2010-4158, CVE-2010-4161, CVE-2010-4238, CVE-2010-4242, CVE-2010-4243, CVE-2010-4247, CVE-2010-4248, CVE-2010-4249, CVE-2010-4251, CVE-2010-4255, CVE-2010-4263, CVE-2010-4343, CVE-2010-4346, CVE-2010-4526, CVE-2010-4655, CVE-2011-0521, CVE-2011-0710, CVE-2011-1010, CVE-2011-1090 and CVE-2011-1478 to these issues. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= vCenter any Windows not affected hosted * any any not affected ESXi any ESXi not affected ESX 5.0 ESX not affected ESX 4.1 ESX patch pending ESX 4.0 ESX ESX400-201110401-SG ESX 3.5 ESX not applicable ESX 3.0.3 ESX not applicable * hosted products are VMware Workstation, Player, ACE, Fusion. b. ESX third party update for Service Console krb5 RPMs This patch updates the krb5-libs and krb5-workstation RPMs of the console OS to version 1.6.1-55.el5_6.1, which resolves multiple security issues. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2010-1323, CVE-2011-0281, and CVE-2011-0282 to these issues. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= vCenter any Windows not affected hosted * any any not affected ESXi any ESXi not affected ESX 5.0 ESX not affected ESX 4.1 ESX patch pending ESX 4.0 ESX ESX400-201110403-SG ESX 3.5 ESX not applicable ESX 3.0.3 ESX not applicable * hosted products are VMware Workstation, Player, ACE, Fusion. c. ESXi and ESX update to third party component glibc The glibc third-party library is updated to resolve multiple security issues. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2010-0296, CVE-2011-0536, CVE-2011-1071, CVE-2011-1095, CVE-2011-1658, and CVE-2011-1659 to these issues. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= vCenter any Windows not affected hosted * any any not affected ESXi 4.1 ESXi patch pending ESXi 4.0 ESXi ESXi400-201110401-SG ESXi 3.5 ESXi patch pending ESX 5.0 ESX patch pending ESX 4.1 ESX patch pending ESX 4.0 ESX ESX400-201110401-SG ESX 3.5 ESX patch pending ESX 3.0.3 ESX no patch planned * hosted products are VMware Workstation, Player, ACE, Fusion. d. ESX update to third party drivers mptsas, mpt2sas, and mptspi The mptsas, mpt2sas, and mptspi drivers are updated which addresses multiple security issues in the mpt2sas driver. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2011-1494 and CVE-2011-1495 to these issues. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= vCenter any Windows not affected hosted * any any not affected ESXi any ESXi not applicable ESX 5.0 ESX not applicable ESX 4.1 ESX patch pending ESX 4.0 ESX ESX400-201110409-SG ESX 3.5 ESX patch pending ESX 3.0.3 ESX no patch planned 4. Solution Please review the patch/release notes for your product and version and verify the checksum of your downloaded file. ESXi 4.0 -------- ESXi400-201110001 https://hostupdate.vmware.com/software/VUM/OFFLINE/release-315-20111006-920 880/ESXi400-201110001.zip md5sum: fd47b5e2b7ea1db79a2e0793d4c9d9d3 sha1sum: 759d4fa6da6eb49f41def68e3bd66e80c9a7032b http://kb.vmware.com/kb/1036397 ESXi400-201110001 contains ESXi400-201110401-SG ESX 4.0 ------- ESX400-201110001 https://hostupdate.vmware.com/software/VUM/OFFLINE/release-314-20111006-398 488/ESX400-201110001.zip md5sum: 0ce9cc285ea5c27142c9fdf273443d78 sha1sum: fdb5482b2bf1e9c97f2814255676e3de74512399 http://kb.vmware.com/kb/1036391 ESX400-201110001 contains ESX400-201110401-SG, ESX400-201110403-SG and ESX400-201110409-SG. 5. References CVE numbers --- COS Kernel --- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1083 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2492 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2798 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2938 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2942 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2943 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3015 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3066 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3067 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3078 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3086 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3296 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3432 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3442 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3477 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3699 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3858 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3859 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3865 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3876 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3877 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3880 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3904 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4072 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4073 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4075 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4080 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4081 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4083 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4157 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4158 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4161 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4238 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4242 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4243 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4247 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4248 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4249 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4251 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4255 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4263 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4343 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4346 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4526 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4655 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0521 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0710 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1010 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1090 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1478 --- COS krb5 --- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1323 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0281 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0282 --- glibc library --- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0296 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0536 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1071 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1095 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1658 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1659 --- mtp2sas --- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1494 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1495 - ------------------------------------------------------------------------ 6. Change log 2011-10-12 VMSA-2011-0012 Initial security advisory in conjunction with the release of patches for ESX 4.0 and ESXi 4.0 on 2011-10-12. - ----------------------------------------------------------------------- 7. Contact E-mail list for product security notifications and announcements: http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce This Security Advisory is posted to the following lists: * security-announce at lists.vmware.com * bugtraq at securityfocus.com * full-disclosure at lists.grok.org.uk E-mail: security at vmware.com PGP key at: http://kb.vmware.com/kb/1055 VMware Security Advisories http://www.vmware.com/security/advisories VMware security response policy http://www.vmware.com/support/policies/security_response.html General support life cycle policy http://www.vmware.com/support/policies/eos.html VMware Infrastructure support life cycle policy http://www.vmware.com/support/policies/eos_vi.html Copyright 2011 VMware Inc. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.8.3 (Build 4028) Charset: utf-8 wj8DBQFOlnr7DEcm8Vbi9kMRAhxzAKCod5h2RiEE5Di4RFB6G+pNlaUbyACeMkLh Vi7veN+spsUO2+HHXdh9EMU= =il4Z -----END PGP SIGNATURE-----