Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2011.1090.4 VMware third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX 30 March 2012 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: ESXi 4.1 ESX 4.1 ESX 4.0 vCenter 5.0 vCenter 4.1 vCenter 4.0 vCenter 2.5 Update Manager 4.1 Update Manager 4.0 Publisher: VMWare Operating System: VMWare ESX Server Windows Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated Denial of Service -- Remote/Unauthenticated Provide Misleading Information -- Remote/Unauthenticated Unauthorised Access -- Remote/Unauthenticated Reduced Security -- Unknown/Unspecified Resolution: Patch/Upgrade CVE Names: CVE-2011-0873 CVE-2011-0871 CVE-2011-0867 CVE-2011-0865 CVE-2011-0864 CVE-2011-0862 CVE-2011-0815 CVE-2011-0814 CVE-2011-0802 CVE-2011-0002 CVE-2010-4476 CVE-2010-4475 CVE-2010-4474 CVE-2010-4473 CVE-2010-4472 CVE-2010-4471 CVE-2010-4470 CVE-2010-4469 CVE-2010-4468 CVE-2010-4467 CVE-2010-4466 CVE-2010-4465 CVE-2010-4463 CVE-2010-4462 CVE-2010-4454 CVE-2010-4452 CVE-2010-4451 CVE-2010-4450 CVE-2010-4448 CVE-2010-4447 CVE-2010-4422 CVE-2010-4180 CVE-2010-3574 CVE-2010-3573 CVE-2010-3572 CVE-2010-3571 CVE-2010-3570 CVE-2010-3569 CVE-2010-3568 CVE-2010-3567 CVE-2010-3566 CVE-2010-3565 CVE-2010-3563 CVE-2010-3562 CVE-2010-3561 CVE-2010-3560 CVE-2010-3559 CVE-2010-3558 CVE-2010-3557 CVE-2010-3556 CVE-2010-3555 CVE-2010-3554 CVE-2010-3553 CVE-2010-3552 CVE-2010-3551 CVE-2010-3550 CVE-2010-3549 CVE-2010-3548 CVE-2010-3541 CVE-2010-3173 CVE-2010-3170 CVE-2010-2054 CVE-2010-1321 CVE-2008-7270 Reference: ASB-2011.0070 ASB-2011.0059 ASB-2011.0047 ASB-2011.0031 ASB-2011.0013 ASB-2010.0229 ASB-2010.0225 ASB-2010.0222.2 ESB-2011.0902 ESB-2011.0668 ESB-2011.0462 ESB-2011.0282 ESB-2011.0194 ESB-2011.0192 ESB-2011.0177 ESB-2011.0167.3 ESB-2011.0069 ESB-2010.1055.2 ESB-2010.0943 ESB-2010.0789.5 ESB-2010.0453 ESB-2010.0451 Revision History: March 30 2012: Updated the Relevant Releases, Problem Description, and Solution sections to document the release of ESX 4.0 patches on 2012-03-29 March 12 2012: JRE update on vCenter Server 2.5 and ESX 3.5 released November 21 2011: vCenter and vSphere 4.0 updates released October 28 2011: Initial Release - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ----------------------------------------------------------------------- VMware Security Advisory Advisory ID: VMSA-2011-0013.3 Synopsis: VMware third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX Issue date: 2011-10-27 Updated on: 2012-03-29 CVE numbers: --- openssl --- CVE-2008-7270 CVE-2010-4180 --- libuser --- CVE-2011-0002 --- nss, nspr --- CVE-2010-3170 CVE-2010-3173 --- Oracle (Sun) JRE 1.6.0 --- CVE-2010-1321 CVE-2010-3541 CVE-2010-3548 CVE-2010-3549 CVE-2010-3550 CVE-2010-3551 CVE-2010-3552 CVE-2010-3553 CVE-2010-3554 CVE-2010-3555 CVE-2010-3556 CVE-2010-3557 CVE-2010-3558 CVE-2010-3559 CVE-2010-3560 CVE-2010-3561 CVE-2010-3562 CVE-2010-3563 CVE-2010-3565 CVE-2010-3566 CVE-2010-3567 CVE-2010-3568 CVE-2010-3569 CVE-2010-3570 CVE-2010-3571 CVE-2010-3572 CVE-2010-3573 CVE-2010-3574 CVE-2010-4422 CVE-2010-4447 CVE-2010-4448 CVE-2010-4450 CVE-2010-4451 CVE-2010-4452 CVE-2010-4454 CVE-2010-4462 CVE-2010-4463 CVE-2010-4465 CVE-2010-4466 CVE-2010-4467 CVE-2010-4468 CVE-2010-4469 CVE-2010-4470 CVE-2010-4471 CVE-2010-4472 CVE-2010-4473 CVE-2010-4474 CVE-2010-4475 CVE-2010-4476 --- Oracle (Sun) JRE 1.5.0 --- CVE-2010-4447 CVE-2010-4448 CVE-2010-4450 CVE-2010-4454 CVE-2010-4462 CVE-2010-4465 CVE-2010-4466 CVE-2010-4468 CVE-2010-4469 CVE-2010-4473 CVE-2010-4475 CVE-2010-4476 CVE-2011-0862 CVE-2011-0873 CVE-2011-0815 CVE-2011-0864 CVE-2011-0802 CVE-2011-0814 CVE-2011-0871 CVE-2011-0867 CVE-2011-0865 --- SFCB --- CVE-2010-2054 ----------------------------------------------------------------------- 1. Summary Updates for vCenter Server 4.1, vCenter Update Manager 4.1, vSphere Hypervisor (ESXi) 4.1 and ESX 4.x addresses several security issues. 2. Relevant releases vCenter Server 4.1 without Update 2 vCenter Server 4.0 without Update 4 vCenter Update Manager 4.1 without Update 2 vCenter Update Manager 4.0 without Update 4 ESXi 4.1 without patch ESX410-201110201-SG ESX 4.1 without patches ESX410-201110201-SG, ESX410-201110204-SG, ESX410-201110206-SG, and ESX410-201110214-SG ESX 4.0 without patches ESX400-201111201-SG, ESX400-201203401-SG, and ESX400-201203406-SG 3. Problem Description a. ESX third party update for Service Console openssl RPM The Service Console openssl RPM is updated to openssl-0.9.8e.12.el5_5.7 resolving two security issues. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2008-7270 and CVE-2010-4180 to these issues. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ========= ======== ======= ================= vCenter any Windows not affected hosted* any any not affected ESXi any any not affected ESX 4.1 ESX ESX410-201110204-SG ESX 4.0 ESX ESX400-201203401-SG ESX 3.5 ESX not applicable ESX 3.0.3 ESX not applicable * hosted products are VMware Workstation, Player, ACE, Fusion. b. ESX third party update for Service Console libuser RPM The Service Console libuser RPM is updated to version 0.54.7-2.1.el5_5.2 to resolve a security issue. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2011-0002 to this issue. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ========= ======== ======= ================= vCenter any Windows not affected hosted* any any not affected ESXi any ESXi not affected ESX 4.1 ESX ESX410-201110206-SG ESX 4.0 ESX ESX400-201203406-SG ESX 3.5 ESX not applicable ESX 3.0.3 ESX not applicable * hosted products are VMware Workstation, Player, ACE, Fusion. c. ESX third party update for Service Console nss and nspr RPMs The Service Console Network Security Services (NSS) and Netscape Portable Runtime (NSPR) libraries are updated to nspr-4.8.6-1 and nss-3.12.8-4 resolving multiple security issues. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2010-3170 and CVE-2010-3173 to these issues. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ========= ======== ======= ================= vCenter any Windows not affected hosted* any any not affected ESXi any ESXi not affected ESX 4.1 ESX ESX410-201110214-SG ESX 4.0 ESX see VMSA-2012-0001 ESX 3.5 ESX not applicable ESX 3.0.3 ESX not applicable * hosted products are VMware Workstation, Player, ACE, Fusion. d. vCenter Server and ESX, Oracle (Sun) JRE update 1.6.0_24 Oracle (Sun) JRE is updated to version 1.6.0_24, which addresses multiple security issues that existed in earlier releases of Oracle (Sun) JRE. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in JRE 1.6.0_24: CVE-2010-4422, CVE-2010-4447, CVE-2010-4448, CVE-2010-4450, CVE-2010-4451, CVE-2010-4452, CVE-2010-4454, CVE-2010-4462, CVE-2010-4463, CVE-2010-4465, CVE-2010-4466, CVE-2010-4467, CVE-2010-4468, CVE-2010-4469, CVE-2010-4470, CVE-2010-4471, CVE-2010-4472, CVE-2010-4473, CVE-2010-4474, CVE-2010-4475 and CVE-2010-4476. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in JRE 1.6.0_22: CVE-2010-1321, CVE-2010-3541, CVE-2010-3548, CVE-2010-3549, CVE-2010-3550, CVE-2010-3551, CVE-2010-3552, CVE-2010-3553, CVE-2010-3554, CVE-2010-3555, CVE-2010-3556, CVE-2010-3557, CVE-2010-3558, CVE-2010-3559, CVE-2010-3560, CVE-2010-3561, CVE-2010-3562, CVE-2010-3563, CVE-2010-3565, CVE-2010-3566, CVE-2010-3567, CVE-2010-3568, CVE-2010-3569, CVE-2010-3570, CVE-2010-3571, CVE-2010-3572, CVE-2010-3573 and CVE-2010-3574. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= vCenter 5.0 Windows not affected vCenter 4.1 Windows Update 2 vCenter 4.0 Windows not applicable ** VirtualCenter 2.5 Windows not applicable ** Update Manager 5.0 Windows not affected Update Manager 4.1 Windows not applicable ** Update Manager 4.0 Windows not applicable ** hosted * any any not affected ESXi any ESXi not affected ESX 4.1 ESX ESX410-201110201-SG ESX 4.0 ESX not applicable ** ESX 3.5 ESX not applicable ** ESX 3.0.3 ESX not applicable ** * hosted products are VMware Workstation, Player, ACE, Fusion. ** this product uses the Oracle (Sun) JRE 1.5.0 family e. vCenter Update Manager Oracle (Sun) JRE update 1.5.0_30 Oracle (Sun) JRE is updated to version 1.5.0_30, which addresses multiple security issues that existed in earlier releases of Oracle (Sun) JRE. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in Oracle (Sun) JRE 1.5.0_30: CVE-2011-0862, CVE-2011-0873, CVE-2011-0815, CVE-2011-0864, CVE-2011-0802, CVE-2011-0814, CVE-2011-0871, CVE-2011-0867 and CVE-2011-0865. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in Oracle (Sun) JRE 1.5.0_28: CVE-2010-4447, CVE-2010-4448, CVE-2010-4450, CVE-2010-4454, CVE-2010-4462, CVE-2010-4465, CVE-2010-4466, CVE-2010-4468, CVE-2010-4469, CVE-2010-4473, CVE-2010-4475, CVE-2010-4476. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= vCenter 5.0 Windows not applicable ** vCenter 4.1 Windows not applicable ** vCenter 4.0 Windows Update 4 VirtualCenter 2.5 Windows see VMSA-2012-0003 Update Manager 5.0 Windows not applicable ** Update Manager 4.1 Windows Update 2 Update Manager 4.0 Windows Update 4 hosted * any any not affected ESXi any ESXi not affected ESX 4.1 ESX not applicable ** ESX 4.0 ESX ESX400-201111201-SG ESX 3.5 ESX see VMSA-2012-0003 ESX 3.0.3 ESX affected, no patch planned * hosted products are VMware Workstation, Player, ACE, Fusion. ** this product uses the Oracle (Sun) JRE 1.6.0 family f. Integer overflow in VMware third party component sfcb This release resolves an integer overflow issue present in the third party library SFCB when the httpMaxContentLength has been changed from its default value to 0 in in /etc/sfcb/sfcb.cfg. The integer overflow could allow remote attackers to cause a denial of service (heap memory corruption) or possibly execute arbitrary code via a large integer in the Content-Length HTTP header. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2010-2054 to this issue. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ========= ======== ======= ================= vCenter any Windows not affected hosted* any any not affected ESXi 5.0 ESXi not affected ESXi 4.1 ESXi ESXi410-201110201-SG ESXi 4.0 ESXi not affected ESXi 3.5 ESXi not affected ESX 4.1 ESX ESX410-201110201-SG ESX 4.0 ESX not affected ESX 3.5 ESX not affected ESX 3.0.3 ESX not affected * hosted products are VMware Workstation, Player, ACE, Fusion. 4. Solution Please review the patch/release notes for your product and version and verify the checksum of your downloaded file. VMware vCenter Server 4.1 ---------------------------------------------- vCenter Server 4.1 Update 2 The download for vCenter Server includes VMware Update Manager. Download link: http://downloads.vmware.com/d/info/datacenter_cloud_infrastructure/vmware_vsphere/4_1 Release Notes: http://downloads.vmware.com/support/pubs/vs_pages/vsp_pubs_esx41_vc41.html https://www.vmware.com/support/pubs/vum_pubs.html File: VMware-VIMSetup-all-4.1.0-493063.iso md5sum: d132326846a85bfc9ebbc53defeee6e1 sha1sum: 192c3e5d2a10bbe53c025cc7eedb3133a23e0541 File: VMware-VIMSetup-all-4.1.0-493063.zip md5sum: 7fd7b09e501bd8fde52649b395491222 sha1sum: 46dd00e7c594ac672a5d7c3c27d15be2f5a5f1f1 File: VMware-viclient-all-4.1.0-491557.exe md5sum: dafd31619ae66da65115ac3900697e3a sha1sum: 98be4d349c9a655621c068d105593be4a8e542ef VMware vCenter Server 4.0 ---------------------------------------------- vCenter Server 4.0 Update 4 The download for vCenter Server includes VMware Update Manager. Download link: http://downloads.vmware.com/d/info/datacenter_cloud_infrastructure/vmware_vsphere/4_0 Release Notes: http://downloads.vmware.com/support/pubs/vs_pages/vsp_pubs_esx40_vc40.html https://www.vmware.com/support/pubs/vum_pubs.html File: VMware-VIMSetup-all-4.0.0-502539.iso md5sum: b418ff3d394f91b418271b6b93dfd6bd sha1sum: 56c2ec60f8b8a734a8312d9e38d5d70cd20c0927 File: VMware-VIMSetup-all-4.0.0-502539.zip md5sum: 2acfadde1ec0cd6d37063d87246d6942 sha1sum: ea1f3a3cb178f23fc2cf49bfc1450d10e5f699f8 VMware ESXi 4.1 --------------- VMware ESXi 4.1 Update 2 Download link: http://downloads.vmware.com/d/info/datacenter_cloud_infrastructure/vmware_vsphere/4_1 Release Notes: https://www.vmware.com/support/pubs/vs_pages/vsp_pubs_esxi41_i_vc41.html File: VMware-VMvisor-Installer-4.1.0.update02-502767.x86_64.iso md5sum: 0aa78790a336c5fc6ba3d9807c98bfea sha1sum: 7eebd34ab5bdc81401ae20dcf59a8f8ae22086ce File: upgrade-from-esxi4.0-to-4.1-update02-502767.zip md5sum: 459d9142a885854ef0fa6edd8d6a5677 sha1sum: 75978b6f0fc3b0ccc63babe6a65cfde6ec420d33 File: upgrade-from-ESXi3.5-to-4.1_update02.502767.zip md5sum: 3047fac78a4aaa05cf9528d62fad9d73 sha1sum: dc99b6ff352ace77d5513b4c6d8a2cb7e766a09f File: VMware-tools-linux-8.3.12-493255.iso md5sum: 63028f2bf605d26798ac24525a0e6208 sha1sum: 95ca96eec7817da9d6e0c326ac44d8b050328932 File: VMware-viclient-all-4.1.0-491557.exe md5sum: dafd31619ae66da65115ac3900697e3a sha1sum: 98be4d349c9a655621c068d105593be4a8e542ef VMware ESXi 4.1 Update 2 contains ESXi410-201110201-SG. VMware ESX 4.1 -------------- VMware ESX 4.1 Update 2 Download link: http://downloads.vmware.com/d/info/datacenter_cloud_infrastructure/vmware_vsphere/4_1 Release Notes: http://downloads.vmware.com/support/pubs/vs_pages/vsp_pubs_esx41_vc41.html File: ESX-4.1.0-update02-502767.iso md5sum: 9a2b524446cbd756f0f1c7d8d88077f8 sha1sum: 2824c0628c341357a180b3ab20eb2b7ef1bee61c File: pre-upgrade-from-esx4.0-to-4.1-502767.zip md5sum: 9060ad94d9d3bad7d4fa3e4af69a41cf sha1sum: 9b96ba630377946c42a8ce96f0b5745c56ca46b4 File: upgrade-from-esx4.0-to-4.1-update02-502767.zip md5sum: 4b60f36ee89db8cb7e1243aa02cdb549 sha1sum: 6b9168a1b01379dce7db9d79fd280509e16d013f File: VMware-tools-linux-8.3.12-493255.iso md5sum: 63028f2bf605d26798ac24525a0e6208 sha1sum: 95ca96eec7817da9d6e0c326ac44d8b050328932 File: VMware-viclient-all-4.1.0-491557.exe md5sum: dafd31619ae66da65115ac3900697e3a sha1sum: 98be4d349c9a655621c068d105593be4a8e542ef VMware ESX 4.1 Update 2 contains ESX410-201110204-SG, ESX410-201110206-SG, ESX410-201110201-SG and ESX410-201110214-SG. VMware ESX 4.0 -------------- File: ESX400-201203001.zip Build: 660575 md5sum: 02B7E883E8B438B83BF5E53A1BE71AD3 sha1sum: 34734A8EDBA225A332731205EE2D6575AD9E1C88 http://kb.vmware.com/kb/2011767 ESX400-201203401 contains ESX400-201203401-SG and ESX400-201203406-SG VMware ESX 4.0 Update 4 Release Notes: http://downloads.vmware.com/support/pubs/vs_pages/vsp_pubs_esx40_vc40.html File: ESX-4.0.0-update04-504850.iso md5sum: 1954179addb35e2bee137e91244f954b sha1sum: ade401e1f4063d60543c8cefcc7440273dd646f0 File: update-from-esx4.0-4.0_update04.zip md5sum: 697374569a12c55c4473247f4e55a887 sha1sum: 7daedf6736f9a771baa1f58d441b99bc9c87eedd VMware ESX 4.0 Update 4 contains ESX400-201111201-SG. 5. References CVE numbers http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7270 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1321 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2054 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3170 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3173 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3541 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3548 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3549 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3550 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3551 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3552 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3553 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3554 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3555 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3556 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3557 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3558 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3559 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3560 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3561 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3562 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3563 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3565 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3566 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3567 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3568 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3569 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3570 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3571 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3572 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3573 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3574 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4180 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4422 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4447 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4447 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4448 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4448 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4450 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4450 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4451 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4452 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4454 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4454 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4462 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4462 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4463 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4465 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4465 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4466 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4466 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4467 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4468 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4468 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4469 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4469 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4470 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4471 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4472 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4473 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4473 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4474 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4475 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4475 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4476 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4476 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0002 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0802 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0814 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0815 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0862 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0864 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0865 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0867 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0871 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0873 ----------------------------------------------------------------------- 6. Change log 2011-10-27 VMSA-2011-0013 Initial security advisory in conjunction with the release of Update 2 for vCenter Server 4.1, vCenter Update Manager 4.1, vSphere Hypervisor (ESXi) 4.1 and ESX 4.1 on 2011-10-27. 2011-11-17 VMSA-2011-0013.1 Update of security advisory after the release of Update 4 for vCenter Server 4.0, vSphere Update Manager 4.0, vSphere Hypervisor (ESXi) 4.0 and ESX 4.0 on 2011-11-17. 2012-03-08 VMSA-2011-0013.2 Added a reference to VMSA-2012-0003 for the JRE update on vCenter Server 2.5 and ESX 3.5 released on 2012-03-08. 2012-03-29 VMSA-2011-0013.3 Updated the Relevant Releases, Problem Description, and Solution sections to document the release of ESX 4.0 patches on 2012-03-29. ----------------------------------------------------------------------- 7. Contact E-mail list for product security notifications and announcements: http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce This Security Advisory is posted to the following lists: * security-announce at lists.vmware.com * bugtraq at securityfocus.com * full-disclosure at lists.grok.org.uk E-mail: security at vmware.com PGP key at: http://kb.vmware.com/kb/1055 VMware Security Advisories http://www.vmware.com/security/advisories VMware security response policy http://www.vmware.com/support/policies/security_response.html General support life cycle policy http://www.vmware.com/support/policies/eos.html VMware Infrastructure support life cycle policy http://www.vmware.com/support/policies/eos_vi.html Copyright 2011 VMware Inc. All rights reserved. - -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org iEYEARECAAYFAk91ERsACgkQDEcm8Vbi9kMgZgCg6APMu81pZWuOvhDJcJo36YCV neEAoPDGR0kQXM2EVyxEGZAc+K+pJvQO =atZy - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBT3VIOu4yVqjM2NGpAQL0WxAAgqtq7vHEN3WCyxpl0B0y4IsJGsIc3cZ9 vxZblTqTRcWeipJ04W+MJOPMkoYsM/a5Rn718eXwhePfI8a9ryTC6rp0VwURpOtj CsZdZrbNk8+wkZzcB9+3zgI5xtmB9ignvpXWQPunumUPxmJvlxBh2dMjTKb+RlEB 2AtCuSJaZ9ERkUYaBErBgwMLvL3TdkUyjkLeIaJl0MsOgpD9nL5haPHBqUpJ/Ari +gY5cFQh4p0pBfFevbBnUVnDIaPCl25nSmnHI14zIDWM1D0hHRUQPk+wHt1P7Bef PnAC7rYHVLena1K0WxRAPeSM+l9mCuLPnYqFajaHdl0s7PRxy82fKAhwilAKls2J s0XqxBQqZo86u2qlshcovcYufM4LMpR+h98CTDnQ3qo6z2eecu/KO+Aw2AVkQcPr nqjR+Vf0eVE/jeEZwuNEuc8jekeTCOTGkNjd6JZjokemZH4MRKFO8d/uVUKzqYIA EcvkCK0ak6uMLMcS0vtMgHaTPyF1Q/mpr6v7rdazOzig5bPvOm6f/muya390qqpf BNOYgKbXywgHbv+ZDJulV4OV6AOdBYnuXTPEpaWRKZD9vT7pPIrR3WZqgu99Pay5 KuC8iOU6Teghl7xB2jofdL0dbk/qssLOWlWykipPftnSa7oJY3T4pJWybpEawBL9 wf/9Qy+MGt8= =lHZ4 -----END PGP SIGNATURE-----