Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2009.1553.5
VMSA-2009-0016 VMware vCenter and ESX update release and vMA patch release
address multiple security issue in third party components
31 March 2010
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: VMware vCenter
VMware ESX
VMware vMA
Publisher: VMware
Operating System: VMWare ESX Server
Windows
Linux variants
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Increased Privileges -- Existing Account
Access Privileged Data -- Existing Account
Overwrite Arbitrary Files -- Existing Account
Denial of Service -- Remote/Unauthenticated
Provide Misleading Information -- Remote/Unauthenticated
Read-only Data Access -- Existing Account
Access Confidential Data -- Existing Account
Unauthorised Access -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2009-2848 CVE-2009-2847 CVE-2009-2730
CVE-2009-2724 CVE-2009-2723 CVE-2009-2722
CVE-2009-2721 CVE-2009-2720 CVE-2009-2719
CVE-2009-2718 CVE-2009-2716 CVE-2009-2698
CVE-2009-2692 CVE-2009-2676 CVE-2009-2675
CVE-2009-2673 CVE-2009-2672 CVE-2009-2671
CVE-2009-2670 CVE-2009-2625 CVE-2009-2417
CVE-2009-2416 CVE-2009-2414 CVE-2009-2407
CVE-2009-2406 CVE-2009-1895 CVE-2009-1633
CVE-2009-1630 CVE-2009-1439 CVE-2009-1389
CVE-2009-1388 CVE-2009-1385 CVE-2009-1337
CVE-2009-1336 CVE-2009-1252 CVE-2009-1192
CVE-2009-1107 CVE-2009-1106 CVE-2009-1105
CVE-2009-1104 CVE-2009-1103 CVE-2009-1102
CVE-2009-1101 CVE-2009-1100 CVE-2009-1099
CVE-2009-1098 CVE-2009-1097 CVE-2009-1096
CVE-2009-1095 CVE-2009-1094 CVE-2009-1093
CVE-2009-1072 CVE-2009-0834 CVE-2009-0787
CVE-2009-0783 CVE-2009-0781 CVE-2009-0778
CVE-2009-0748 CVE-2009-0747 CVE-2009-0746
CVE-2009-0745 CVE-2009-0696 CVE-2009-0676
CVE-2009-0675 CVE-2009-0580 CVE-2009-0322
CVE-2009-0269 CVE-2009-0159 CVE-2009-0033
CVE-2009-0028 CVE-2008-5700 CVE-2008-5515
CVE-2008-5031 CVE-2008-4864 CVE-2008-4307
CVE-2008-3528 CVE-2008-3144 CVE-2008-3143
CVE-2008-3142 CVE-2008-2370 CVE-2008-2315
CVE-2008-1947 CVE-2008-1887 CVE-2008-1721
CVE-2008-1232 CVE-2008-0002 CVE-2007-6286
CVE-2007-5966 CVE-2007-5461 CVE-2007-5342
CVE-2007-5333 CVE-2007-4965 CVE-2007-2052
Reference: ASB-2009.1054
ESB-2009.1467
ESB-2009.1430
ESB-2009.1215
ESB-2009.1190
ESB-2009.1186
ESB-2009.1165
ESB-2009.1141
ESB-2009.0559
ESB-2009.0530
ESB-2009.0527
ESB-2009.0359
ESB-2009.0211
ESB-2009.0167
ESB-2009.0113
ESB-2009.0031
AA-2008.0225
AA-2008.0085
ESB-2008.0829
ESB-2008.0774
ESB-2008.0772
ESB-2008.0623
ESB-2008.0575
ESB-2008.0406
ESB-2008.0189
ESB-2008.0145
ESB-2008.0015
AA-2007.0092
ESB-2007.1044
ESB-2007.0995
Revision History: March 31 2010: Updated security advisory after release of ESX 3.5 patch for WebAccess
February 17 2010: Updated security advisory after release of ESXi and ESX 3.5 patches on 2010-02-16
February 1 2010: Updated security advisory after release of Virtual Center 2.5 Update 6 on 2010-01-29
December 16 2009: The information of the ESX 4.0 Update 1 download in this advisory has been updated
November 23 2009: Initial Release
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- - -----------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2009-0016.5
Synopsis: VMware vCenter and ESX update release and vMA patch
release address multiple security issues in third
party components.
Issue date: 2009-11-20
Updated on: 2010-03-29
CVE numbers: --- JRE ---
CVE-2009-1093 CVE-2009-1094 CVE-2009-1095
CVE-2009-1096 CVE-2009-1097 CVE-2009-1098
CVE-2009-1099 CVE-2009-1100 CVE-2009-1101
CVE-2009-1102 CVE-2009-1103 CVE-2009-1104
CVE-2009-1105 CVE-2009-1106 CVE-2009-1107
CVE-2009-2625 CVE-2009-2670 CVE-2009-2671
CVE-2009-2672 CVE-2009-2673 CVE-2009-2675
CVE-2009-2676 CVE-2009-2716 CVE-2009-2718
CVE-2009-2719 CVE-2009-2720 CVE-2009-2721
CVE-2009-2722 CVE-2009-2723 CVE-2009-2724
--- Tomcat ---
CVE-2008-5515 CVE-2009-0033 CVE-2009-0580
CVE-2009-0781 CVE-2009-0783 CVE-2008-1232
CVE-2008-1947 CVE-2008-2370 CVE-2007-5333
CVE-2007-5342 CVE-2007-5461 CVE-2007-6286
CVE-2008-0002
--- ntp ---
CVE-2009-1252 CVE-2009-0159
--- kernel ---
CVE-2008-3528 CVE-2008-5700 CVE-2009-0028
CVE-2009-0269 CVE-2009-0322 CVE-2009-0675
CVE-2009-0676 CVE-2009-0778 CVE-2008-4307
CVE-2009-0834 CVE-2009-1337 CVE-2009-0787
CVE-2009-1336 CVE-2009-1439 CVE-2009-1633
CVE-2009-1072 CVE-2009-1630 CVE-2009-1192
CVE-2007-5966 CVE-2009-1385 CVE-2009-1388
CVE-2009-1389 CVE-2009-1895 CVE-2009-2406
CVE-2009-2407 CVE-2009-2692 CVE-2009-2698
CVE-2009-0745 CVE-2009-0746 CVE-2009-0747
CVE-2009-0748 CVE-2009-2847 CVE-2009-2848
--- python ---
CVE-2007-2052 CVE-2007-4965 CVE-2008-1721
CVE-2008-1887 CVE-2008-2315 CVE-2008-3142
CVE-2008-3143 CVE-2008-3144 CVE-2008-4864
CVE-2008-5031
--- bind ---
CVE-2009-0696
--- libxml and libxml2 ---
CVE-2009-2414 CVE-2009-2416
--- curl --
CVE-2009-2417
--- gnutil ---
CVE-2007-2052
- - -----------------------------------------------------------------------
1. Summary
Updated Java JRE packages and Tomcat packages address several
security issues. Updates for the ESX Service Console and vMA include
kernel, ntp, Python, bind libxml, libxml2, curl and gnutil packages.
ntp is also updated for ESXi userworlds.
2. Relevant releases
vCenter Server 4.0 before Update 1
Virtual Center 2.5 before Update 6
ESXi 4.0 without patch ESXi400-200911201-UG
ESXi 3.5 without patch ESXe350-201002401-O-SG
ESX 4.0 without patches ESX400-200911201-UG, ESX400-200911223-UG,
ESX400-200911232-SG, ESX400-200911233-SG,
ESX400-200911234-SG, ESX400-200911235-SG,
ESX400-200911237-SG, ESX400-200911238-SG
ESX 3.5 without patches ESX350-201002407-SG, ESX350-201002402-SG,
ESX350-201002404-SG, ESX350-201003403-SG
ESX 3.0.3 without patches ESX303-201002206-SG ESX303-201002204-SG
ESX303-201002205-SG
vMA 4.0 before patch 02
3. Problem Description
a. JRE Security Update
JRE update to version 1.5.0_20, which addresses multiple security
issues that existed in earlier releases of JRE.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the following names to the security issues fixed in
JRE 1.5.0_18: CVE-2009-1093, CVE-2009-1094, CVE-2009-1095,
CVE-2009-1096, CVE-2009-1097, CVE-2009-1098, CVE-2009-1099,
CVE-2009-1100, CVE-2009-1101, CVE-2009-1102, CVE-2009-1103,
CVE-2009-1104, CVE-2009-1105, CVE-2009-1106, and CVE-2009-1107.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the following names to the security issues fixed in
JRE 1.5.0_20: CVE-2009-2625, CVE-2009-2670, CVE-2009-2671,
CVE-2009-2672, CVE-2009-2673, CVE-2009-2675, CVE-2009-2676,
CVE-2009-2716, CVE-2009-2718, CVE-2009-2719, CVE-2009-2720,
CVE-2009-2721, CVE-2009-2722, CVE-2009-2723, CVE-2009-2724.
The following table lists what action remediates the vulnerability
(column 4) if a solution is available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter 4.0 Windows Update 1
VirtualCenter 2.5 Windows see VMSA-2010-0002
VirtualCenter 2.0.2 Windows affected, patch pending
Workstation any any not affected
Player any any not affected
Server 2.0 any affected, patch pending
Server 1.0 any not affected
ACE any any not affected
Fusion any any not affected
ESXi any ESXi not affected
ESX 4.0 ESX ESX400-200911223-UG
ESX 3.5 ESX see VMSA-2010-0002.1
ESX 3.0.3 ESX affected, patch pending
ESX 2.5.5 ESX not affected
vMA 4.0 RHEL5 Patch 2 *
* vMA JRE is updated to version JRE 1.5.0_21
Notes: These vulnerabilities can be exploited remotely only if the
attacker has access to the Service Console network.
Security best practices provided by VMware recommend that the
Service Console be isolated from the VM network. Please see
http://www.vmware.com/resources/techresources/726 for more
information on VMware security best practices.
The currently installed version of JRE depends on your patch
deployment history.
b. Update Apache Tomcat version
Update for VirtualCenter and ESX patch update the Tomcat package to
version 6.0.20 (vSphere 4.0) or version 5.5.28 (VirtualCenter 2.5)
which addresses multiple security issues that existed
in the previous version of Apache Tomcat.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the following names to the security issues fixed in
Apache Tomcat 6.0.20 and Tomcat 5.5.28: CVE-2008-5515,
CVE-2009-0033, CVE-2009-0580, CVE-2009-0781, CVE-2009-0783.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the following names to the security issues fixed in
Apache Tomcat 6.0.18: CVE-2008-1232, CVE-2008-1947, CVE-2008-2370.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the following names to the security issues fixed in
Apache Tomcat 6.0.16: CVE-2007-5333, CVE-2007-5342, CVE-2007-5461,
CVE-2007-6286, CVE-2008-0002.
The following table lists what action remediates the vulnerability
(column 4) if a solution is available.
VMware Product Running Replace with/
Product Version on Apply Patch
======== ======== ======= =======================
vCenter 4.0 Windows Update 1
VirtualCenter 2.5 Windows Update 6
VirtualCenter 2.0.2 Windows affected, patch pending
Workstation any any not affected
Player any any not affected
ACE any Windows not affected
Server 2.x any affected, patch pending
Server 1.x any not affected
Fusion any Mac OS/X not affected
ESXi any ESXi not affected
ESX 4.0 ESX ESX400-200911223-UG
ESX 3.5 ESX ESX350-201003403-SG
ESX 3.0.3 ESX affected, patch pending
ESX 2.5.5 ESX not affected
vMA 4.0 RHEL5 not affected
Notes: These vulnerabilities can be exploited remotely only if the
attacker has access to the Service Console network.
Security best practices provided by VMware recommend that the
Service Console be isolated from the VM network. Please see
http://www.vmware.com/resources/techresources/726 for more
information on VMware security best practices.
The currently installed version of Tomcat depends on your
patch deployment history.
c. Third party library update for ntp.
The Network Time Protocol (NTP) is used to synchronize a computer's
time with a referenced time source.
ESXi 3.5 and ESXi 4.0 have a ntp client that is affected by the
following security issue. Note that the same security issue is
present in the ESX Service Console as described in section d. of
this advisory.
A buffer overflow flaw was discovered in the ntpd daemon's NTPv4
authentication code. If ntpd was configured to use public key
cryptography for NTP packet authentication, a remote attacker could
use this flaw to send a specially-crafted request packet that could
crash ntpd or, potentially, execute arbitrary code with the
privileges of the "ntp" user.
The Common Vulnerabilities and Exposures Project (cve.mitre.org)
has assigned the name CVE-2009-1252 to this issue.
The NTP security issue identified by CVE-2009-0159 is not relevant
for ESXi 3.5 and ESXi 4.0.
The following table lists what action remediates the vulnerability
in this component (column 4) if a solution is available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter any Windows not affected
hosted * any any not affected
ESXi 4.0 ESXi ESXi400-200911201-UG
ESXi 3.5 ESXi ESXe350-201002401-O-SG
ESX 4.0 ESX not affected
ESX 3.5 ESX not affected
ESX 3.0.3 ESX not affected
ESX 2.5.5 ESX not affected
vMA 4.0 RHEL5 not affected
* hosted products are VMware Workstation, Player, ACE, Server, Fusion.
d. Service Console update for ntp
Service Console package ntp updated to version ntp-4.2.2pl-9el5_3.2
The Network Time Protocol (NTP) is used to synchronize a computer's
time with a referenced time source.
The Service Console present in ESX is affected by the following
security issues.
A buffer overflow flaw was discovered in the ntpd daemon's NTPv4
authentication code. If ntpd was configured to use public key
cryptography for NTP packet authentication, a remote attacker could
use this flaw to send a specially-crafted request packet that could
crash ntpd or, potentially, execute arbitrary code with the
privileges of the "ntp" user.
NTP authentication is not enabled by default on the Service Console.
The Common Vulnerabilities and Exposures Project (cve.mitre.org)
has assigned the name CVE-2009-1252 to this issue.
A buffer overflow flaw was found in the ntpq diagnostic command. A
malicious, remote server could send a specially-crafted reply to an
ntpq request that could crash ntpq or, potentially, execute
arbitrary code with the privileges of the user running the ntpq
command.
The Common Vulnerabilities and Exposures Project (cve.mitre.org)
has assigned the name CVE-2009-0159 to this issue.
The following table lists what action remediates the vulnerability
in the Service Console (column 4) if a solution is available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter any Windows not affected
hosted * any any not affected
ESXi any ESXi not affected
ESX 4.0 ESX ESX400-200911238-SG
ESX 3.5 ESX affected, patch pending **
ESX 3.0.3 ESX affected, patch pending **
ESX 2.5.5 ESX affected, patch pending **
vMA 4.0 RHEL5 Patch 2
* hosted products are VMware Workstation, Player, ACE, Server, Fusion.
** The service consoles of ESX 2.5.5, ESX 3.0.3 and ESX 3.5 are not
affected by CVE-2009-1252. The security issue identified by
CVE-2009-0159 has a low impact on the service console of ESX 2.5.5,
ESX 3.0.3 and ESX 3.5.
e. Updated Service Console package kernel
Updated Service Console package kernel addresses the security
issues listed below.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2008-3528, CVE-2008-5700, CVE-2009-0028,
CVE-2009-0269, CVE-2009-0322, CVE-2009-0675, CVE-2009-0676,
CVE-2009-0778 to the security issues fixed in kernel
2.6.18-128.1.6.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2008-4307, CVE-2009-0834, CVE-2009-1337,
CVE-2009-0787, CVE-2009-1336 to the security issues fixed in
kernel 2.6.18-128.1.10.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2009-1439, CVE-2009-1633, CVE-2009-1072,
CVE-2009-1630, CVE-2009-1192 to the security issues fixed in
kernel 2.6.18-128.1.14.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2007-5966, CVE-2009-1385, CVE-2009-1388,
CVE-2009-1389, CVE-2009-1895, CVE-2009-2406, CVE-2009-2407 to the
security issues fixed in kernel 2.6.18-128.4.1.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2009-2692, CVE-2009-2698 to the
security issues fixed in kernel 2.6.18-128.7.1.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2009-0745, CVE-2009-0746, CVE-2009-0747,
CVE-2009-0748, CVE-2009-2847, CVE-2009-2848 to the security issues
fixed in kernel 2.6.18-164.
The following table lists what action remediates the vulnerability
(column 4) if a solution is available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter any Windows not applicable
hosted * any any not applicable
ESXi any ESXi not applicable
ESX 4.0 ESX ESX400-200911201-UG
ESX 3.5 ESX not applicable
ESX 3.0.3 ESX not applicable
ESX 2.5.5 ESX not applicable
vMA 4.0 RHEL5 Patch 2 **
* hosted products are VMware Workstation, Player, ACE, Server, Fusion.
** vMA is updated to kernel version 2.6.18-164.
f. Updated Service Console package python
Service Console package Python update to version 2.4.3-24.el5.
When the assert() system call was disabled, an input sanitization
flaw was revealed in the Python string object implementation that
led to a buffer overflow. The missing check for negative size values
meant the Python memory allocator could allocate less memory than
expected. This could result in arbitrary code execution with the
Python interpreter's privileges.
Multiple buffer and integer overflow flaws were found in the Python
Unicode string processing and in the Python Unicode and string
object implementations. An attacker could use these flaws to cause
a denial of service.
Multiple integer overflow flaws were found in the Python imageop
module. If a Python application used the imageop module to
process untrusted images, it could cause the application to
disclose sensitive information, crash or, potentially, execute
arbitrary code with the Python interpreter's privileges.
Multiple integer underflow and overflow flaws were found in the
Python snprintf() wrapper implementation. An attacker could use
these flaws to cause a denial of service (memory corruption).
Multiple integer overflow flaws were found in various Python
modules. An attacker could use these flaws to cause a denial of
service.
An integer signedness error, leading to a buffer overflow, was
found in the Python zlib extension module. If a Python application
requested the negative byte count be flushed for a decompression
stream, it could cause the application to crash or, potentially,
execute arbitrary code with the Python interpreter's privileges.
A flaw was discovered in the strxfrm() function of the Python
locale module. Strings generated by this function were not properly
NULL-terminated, which could possibly cause disclosure of data
stored in the memory of a Python application using this function.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2007-2052 CVE-2007-4965 CVE-2008-1721
CVE-2008-1887 CVE-2008-2315 CVE-2008-3142 CVE-2008-3143
CVE-2008-3144 CVE-2008-4864 CVE-2008-5031 to these issues.
The following table lists what action remediates the vulnerability
(column 4) if a solution is available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter any Windows not applicable
hosted * any any not applicable
ESXi any ESXi not applicable
ESX 4.0 ESX ESX400-200911235-SG
ESX 3.5 ESX ESX350-201002402-SG
ESX 3.0.3 ESX ESX303-201002206-SG
ESX 2.5.5 ESX affected, patch pending
vMA 4.0 RHEL5 Patch 2
* hosted products are VMware Workstation, Player, ACE, Server, Fusion.
g. Updated Service Console package bind
Service Console package bind updated to version 9.3.6-4.P1.el5
The Berkeley Internet Name Domain (BIND) is an implementation of the
Domain Name System (DNS) protocols. BIND includes a DNS server
(named); a resolver library (routines for applications to use when
interfacing with DNS); and tools for verifying that the DNS server
is operating correctly.
A flaw was found in the way BIND handles dynamic update message
packets containing the "ANY" record type. A remote attacker could
use this flaw to send a specially-crafted dynamic update packet
that could cause named to exit with an assertion failure.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2009-0696 to this issue.
The following table lists what action remediates the vulnerability
(column 4) if a solution is available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter any Windows not applicable
hosted * any any not applicable
ESXi any ESXi not applicable
ESX 4.0 ESX ESX400-200911237-SG
ESX 3.5 ESX ESX350-201002404-SG
ESX 3.0.3 ESX ESX303-201002205-SG
ESX 2.5.5 ESX affected, patch pending
vMA 4.0 RHEL5 Patch 2
* hosted products are VMware Workstation, Player, ACE, Server, Fusion.
h. Updated Service Console package libxml2
Service Console package libxml2 updated to version 2.6.26-2.1.2.8.
libxml is a library for parsing and manipulating XML files. A
Document Type Definition (DTD) defines the legal syntax (and also
which elements can be used) for certain types of files, such as XML
files.
A stack overflow flaw was found in the way libxml processes the
root XML document element definition in a DTD. A remote attacker
could provide a specially-crafted XML file, which once opened by a
local, unsuspecting user, would lead to denial of service.
Multiple use-after-free flaws were found in the way libxml parses
the Notation and Enumeration attribute types. A remote attacker
could provide a specially-crafted XML file, which once opened by a
local, unsuspecting user, would lead to denial of service.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2009-2414 and CVE-2009-2416 to these
issues.
The following table lists what action remediates the vulnerability
(column 4) if a solution is available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter any Windows not applicable
hosted * any any not applicable
ESXi any ESXi not applicable
ESX 4.0 ESX ESX400-200911234-SG
ESX 3.5 ESX ESX350-201002407-SG
ESX 3.0.3 ESX ESX303-201002204-SG
ESX 2.5.5 ESX affected, patch pending
vMA 4.0 RHEL5 Patch 2
* hosted products are VMware Workstation, Player, ACE, Server, Fusion.
i. Updated Service Console package curl
Service Console package curl updated to version 7.15.5-2.1.el5_3.5
A cURL is affected by the previously published "null prefix attack",
caused by incorrect handling of NULL characters in X.509
certificates. If an attacker is able to get a carefully-crafted
certificate signed by a trusted Certificate Authority, the attacker
could use the certificate during a man-in-the-middle attack and
potentially confuse cURL into accepting it by mistake.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2009-2417 to this issue
The following table lists what action remediates the vulnerability
(column 4) if a solution is available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter any Windows not applicable
hosted * any any not applicable
ESXi any ESXi not applicable
ESX 4.0 ESX ESX400-200911232-SG
ESX 3.5 ESX not affected
ESX 3.0.3 ESX not affected
ESX 2.5.5 ESX not affected
vMA 4.0 RHEL5 Patch 2
* hosted products are VMware Workstation, Player, ACE, Server, Fusion.
j. Updated Service Console package gnutls
Service Console package gnutil updated to version 1.4.1-3.el5_3.5
A flaw was discovered in the way GnuTLS handles NULL characters in
certain fields of X.509 certificates. If an attacker is able to get
a carefully-crafted certificate signed by a Certificate Authority
trusted by an application using GnuTLS, the attacker could use the
certificate during a man-in-the-middle attack and potentially
confuse the application into accepting it by mistake.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2009-2730 to this issue
The following table lists what action remediates the vulnerability
(column 4) if a solution is available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter any Windows not applicable
hosted * any any not applicable
ESXi any ESXi not applicable
ESX 4.0 ESX ESX400-200911233-SG
ESX 3.5 ESX not affected
ESX 3.0.3 ESX not affected
ESX 2.5.5 ESX not affected
vMA 4.0 RHEL5 Patch 2
* hosted products are VMware Workstation, Player, ACE, Server, Fusion.
4. Solution
Please review the patch/release notes for your product and version
and verify the md5sum of your downloaded file.
VMware vCenter Server 4 Update 1
--------------------------------
Version 4.0 Update 1
Build Number 208156
Release Date 2009/11/19
Type Product Binaries
http://downloads.vmware.com/download/download.do?downloadGroup=VC40U1
VMware vCenter Server 4 and modules
File size: 1.8 GB
File type: .iso
MD5SUM: 057d55b32eb27fe5f3e01bc8d3df3bc5
SHA1SUM: c90134418c2e4d3d6637d8bee44261300ad95ec1
VMware vCenter Server 4 and modules
File size: 1.5 GB
File type: .zip
MD5SUM: f843d9c19795eb3bc5a77f5c545468a8
SHA1SUM: 9a7abd8e70bd983151e2ee40e1b3931525c4480c
VMware vSphere Client and Host Update Utility
File size: 113.8 MB
File type: .exe
MD5SUM: 6cc6b2c958e7e9529c284e48dfae22a9
SHA1SUM: f4c19c63a75d93cffc57b170066358160788c959
VMware vCenter Converter BootCD
File size: 98.8 MB
File type: .zip
MD5SUM: 3df94eb0e93de76b0389132ada2a3799
SHA1SUM: 5d7c04e4f9f8ae25adc8de5963fefd8a4c92464c
VMware vCenter Converter CLI (Linux)
File size: 36.9 MB
File type: .tar.gz
MD5SUM: 3766097563936ba5e03e87e898f6bd48
SHA1SUM: 36d485bdb5eb279296ce8c8523df04bfb12a2cb4
VMware Virtual Center 2.5 Update 6
-----------------------------------
Version 2.5 Update 6
Build Number 227637
Release Date 2010/01/29
Type Product Binaries
http://downloads.vmware.com/download/download.do?downloadGroup=VC250U6
VirtualCenter DVD image - English only version
File size: 854 MB
File type: .iso
md5sum: d83b09ac0533a418d5b7f5493dbd3ed3
sha1sum: 1b969b397a937402b5e9463efc767eff7a980ad0
VirtualCenter as a Zip file - English only version
File size: 625 MB
File type: .zip
md5sum: 760f335ebcd363e0e159b20da923621f
sha1sum: e400bc1008d1e4c44d204a8135293b8ae305f14e
VMware vCenter Converter BootCD
VMware Converter Enterprise BootCD for VirtualCenter
File size: 97 MB
File type: .zip
md5sum: e49e0ff0f2563196cc5d4b5c471cd666
VMware vCenter Converter CLI (Linux)
VMware Converter Enterprise CLI for Linux platform
File size: 37 MB
File type: .tar.gz
md5sum: 30d1f5e58a6cad8dacd988908305bc1c
ESXi 4.0 Update 1
-----------------
ESXi400-200911201-UG
https://hostupdate.vmware.com/software/VUM/OFFLINE/release-155-20091116-013
169/ESXi-4.0.0-update01.zip
md5sum:c6fdd6722d9e5cacb280bdcc2cca0627
sha1sum:de9d4875f86b6493f9da991a8cff37784215db2e
http://kb.vmware.com/kb/1014886
NOTE: The three ESXi patches for Firmware, VMware Tools, and the
VI Client "C" are contained in a single download file.
ESXi 3.5
--------
ESXe350-201002401-O-SG
http://download3.vmware.com/software/vi/ESXe350-201002401-O-SG.zip
md5sum: 0c8d4d1c0e3c2aed9f785cf081225d83
http://kb.vmware.com/kb/1015047 (Vi Client)
http://kb.vmware.com/kb/1016665 (VM Tools)
http://kb.vmware.com/kb/1017685 (Firmware)
ESX 4.0
-------
ESX400-200911223-UG (Update 1a)
https://hostupdate.vmware.com/software/VUM/OFFLINE/release-166-20091202-254
879/ESX-4.0.0-update01a.zip
md5sum: 99c1fcafbf0ca105ce73840d686e9914
sha1sum: aa8a23416271bc28b6b8f6bdbe00045e36314ebb
http://kb.vmware.com/kb/1014842
To install an individual bulletin use esxupdate with the -b option.
esxupdate --bundle=ESX-4.0.0-update01.zip -b ESX400-200911223-UG
-b ESX400-200911238-SG -b ESX400-200911201-UG -b ESX400-200911235-SG
-b ESX400-200911237-SG -b ESX400-200911234-SG -b ESX400-200911232-SG
-b ESX400-200911233-SG update
ESX 3.5
-------
ESX350-201002407-SG (libxml2)
http://download3.vmware.com/software/vi/ESX350-201002407-SG.zip
md5sum: 73d53ef1da1da0104a7c0380b44a7b05
http://kb.vmware.com/kb/1017679
ESX350-201002402-SG (python)
http://download3.vmware.com/software/vi/ESX350-201002402-SG.zip
md5sum: fafa5cefbfdb06dfb576831ff3d9c1ae
http://kb.vmware.com/kb/1017663
ESX350-201002404-SG (bind)
http://download3.vmware.com/software/vi/ESX350-201002404-SG.zip
md5sum: 211f9a447a649d2c3f909208b89037af
http://kb.vmware.com/kb/1017665
ESX350-201003403-SG (Tomcat)
http://download3.vmware.com/software/vi/ESX350-201003403-SG.zip
md5sum: cdddef476c06eeb28c10c5dac3730dca
http://kb.vmware.com/kb/1018702
ESX 3.0.3
---------
ESX303-201002204-SG (libxml2)
http://download3.vmware.com/software/vi/ESX303-201002204-UG.zip
md5sum: 84f5a74f629241b616b2c8f2d7e2bfe6
http://kb.vmware.com/kb/1018031
ESX303-201002206-SG (python)
http://download3.vmware.com/software/vi/ESX303-201002206-UG.zip
md5sum: 33a2bb95a988015273e2d6970e242583
http://kb.vmware.com/kb/1018033
ESX303-201002205-SG (bind)
http://download3.vmware.com/software/vi/ESX303-201002205-UG.zip
md5sum: 27c255d70d5e71048deb73008ffdf98e
http://kb.vmware.com/kb/1018032
5. References
http://kb.vmware.com/kb/1016070
CVE numbers
--- JRE ---
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1093
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1094
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1095
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1096
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1097
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1098
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1099
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1100
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1101
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1102
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1103
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1104
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1105
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1106
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1107
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2625
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2670
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2671
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2672
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2673
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2675
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2676
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2716
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2718
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2719
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2720
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2721
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2722
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2723
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2724
--- Tomcat ---
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5515
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0033
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0580
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0781
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0783
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1232
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1947
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2370
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5333
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5342
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5461
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6286
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0002
--- ntp ---
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1252
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0159
--- kernel ---
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3528
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5700
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0028
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0269
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0322
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0675
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0676
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0778
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4307
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0834
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1337
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0787
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1336
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1439
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1633
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1072
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1630
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1192
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5966
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1385
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1388
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1389
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1895
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2406
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2407
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2692
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2698
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0745
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0746
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0747
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0748
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2847
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2848
--- python ---
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2052
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4965
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1721
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1887
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2315
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3142
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3143
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3144
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4864
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5031
--- bind ---
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0696
--- libxml and libxml2 ---
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2414
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2416
--- curl --
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2417
--- gnutil ---
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2052
- - ------------------------------------------------------------------------
6. Change log
2009-11-20 VMSA-2009-0016
Initial security advisory after release of vCenter 4.0 Update 1 and
ESX 4.0 Update 1 on 2009-11-19 and release of vMA Patch 2 on 2009-11-23.
2009-12-15 VMSA-2009-0016.1
The information of the ESX 4.0 Update 1 download in this advisory has
been updated. Upgrading to ESX 4.0 Update 1 can fail or time out and
leave the host in an unusable state if using HP Systems Insight
Management Agent. ESX 4.0 Update 1a (a re-release of ESX 4.0 Update 1)
addresses this issue. Please read KB article (ID 1016070) before
proceeding with the upgrade.
2010-01-29 VMSA-2009-0016.2
Updated security advisory after release of Virtual Center 2.5 Update 6
on 2010-01-29
2010-02-16 VMSA-2010-0016.3
Updated security advisory after release of ESXi and ESX 3.5 patches
on 2010-02-16.
2010-03-08 VMSA-2010-0016.4
Updated after release of ESX 3.0.3 Update 1 on 2010-03-08
2010-03-29 VMSA-2010-0016.5
Updated security advisory after release of ESX 3.5 patch for WebAccess.
- - ------------------------------------------------------------------------
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
* security-announce at lists.vmware.com
* bugtraq at securityfocus.com
* full-disclosure at lists.grok.org.uk
E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055
VMware Security Center
http://www.vmware.com/security
VMware security response policy
http://www.vmware.com/support/policies/security_response.html
General support life cycle policy
http://www.vmware.com/support/policies/eos.html
VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html
Copyright 2009-2010 VMware Inc. All rights reserved.
- -----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8
wj8DBQFLsYxuS2KysvBH1xkRAo4BAJ99urnXxG83oxB7Lmre90SOpS2I0ACeKGSn
QyLpNCoOJpCa3iXXnN41phI=
=z/2l
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iD8DBQFLspZK/iFOrG6YcBERArZ1AJ4hKw1quVv4NlEcyDHWyhdva3bNiQCgkXN0
H2EIrBmhPDa2KlTQSkeonB0=
=3J9w
-----END PGP SIGNATURE-----