-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.0677.3
                  VMware ESXi update to third party library
                              18 September 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           VMware ESXi
Publisher:         VMware
Operating System:  VMWare ESX Server
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-0841 CVE-2011-3919 CVE-2011-3905 CVE-2011-2834
                   CVE-2011-1944 CVE-2011-0216 CVE-2010-4008
Reference:         ESB-2011.1208 ESB-2011.0749 ESB-2011.0001 ESB-2010.1066

Revision History:  September 18 2012: Updated security advisory in conjunction
                                      with the release of vSphere 4.0 U4a and
                                      ESX 4.0 patches. Removed CVE-2010-4494
                                      and CVE-2011-2821 since these CVEs are
                                      not relevant to ESXi.
                   September  3 2012: Updated Relevant Releases, Problem
                                      Description, and Solution sections to
                                      include information regarding updates
                                      for ESXi in conjunction with the release
                                      of vSphere 4.1 U3 on 2012-08-30.
                   July      13 2012: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - -----------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID: VMSA-2012-0012.2
Synopsis:    VMware ESXi update to third party library
Issue date:  2012-07-12
Updated on:  2012-09-13
CVE number:  CVE-2010-4008, CVE-2011-0216, CVE-2011-1944, CVE-2011-2834,
             CVE-2011-3905, CVE-2011-3919, CVE-2012-0841
-----------------------------------------------------------------------

1. Summary

   VMware ESXi update addresses several security issues.

2. Relevant releases

   ESXi 5.0 without patch ESXi500-201207101-SG
   ESXi 4.1 without patch ESXi410-201208101-SG
   ESXi 4.0 without patch ESXi400-201209401-SG

3. Problem Description

 a. ESXi update to third party component libxml2

    The libxml2 third party library has been updated which addresses
    multiple security issues.

    The Common Vulnerabilities and Exposures project (cve.mitre.org) has
    assigned the names CVE-2010-4008, CVE-2011-0216, CVE-2011-1944,
    CVE-2011-2834, CVE-2011-3905, CVE-2011-3919 and CVE-2012-0841 to
    these issues.

    The following table lists what action remediates the vulnerability
    (column 4) if a solution is available.

    VMware    Product   Running   Replace with/
    Product   Version   on        Apply Patch
    ========  ========  ========  =================
    vCenter   any       Windows   not affected

    hosted *  any       any       not affected

    ESXi      5.0       any       ESXi500-201207101-SG
    ESXi      4.1       any       ESXi410-201208101-SG
    ESXi      4.0       any       ESXi400-201209401-SG
    ESXi      3.5       any       patch pending

    ESX       any       any       not applicable

    * hosted products are VMware Workstation, Player, ACE, Fusion.

    Note: "patch pending" means that the product is affected, but no patch
    is currently available. The advisory will be updated when a patch is
    available.

4. Solution

   Please review the patch/release notes for your product and version and
   verify the checksum of your downloaded file.
   ESXi
   ----
   http://downloads.vmware.com/go/selfsupport-download

   ESXi 5.0
   --------
   Patch:   ESXi500-201207001
   md5sum:  01196c5c1635756ff177c262cb69a848
   sha1sum: 85936f5439100cd5fb55c7add574b5b3b937fe86
   http://kb.vmware.com/kb/2020571

   ESXi500-201207001 contains ESXi500-201207101-SG

   ESXi 4.1
   --------
   File:    update-from-esxi4.1-4.1_update03.zip
   md5sum:  b35267e3c96a8ebd2e3acac09538cdf5
   sha1sum: 2b2d456e89964528f25c01ae5d84edbd2bbcdefb
   http://kb.vmware.com/kb/2020373

   update-from-esxi4.1-4.1_update03 contains ESXi410-201208101-SG

   ESXi 4.0
   --------
   File:    ESXi400-201209001
   md5sum:  8ea463e3814f147ab0889a733e66b9f0
   sha1sum: f9526a0936975fa4b7cbdf588cd4c119d95973c9
   http://kb.vmware.com/kb/2019662

   ESXi400-201209001 contains ESXi400-201209401-SG

5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4008
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0216
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1944
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2834
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3905
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3919
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0841

-----------------------------------------------------------------------

6. Change log

   2012-07-12 VMSA-2012-0012
   Initial security advisory in conjunction with the release of a patch
   for ESXi 5.0 on 2012-07-12.

   2012-08-30 VMSA-2012-0012.1
   Updated Relevant Releases, Problem Description, and Solution sections
   to include information regarding updates for ESXi in conjunction with
   the release of vSphere 4.1 U3 on 2012-08-30.

   2012-09-12 VMSA-2012-0012.2
   Updated security advisory in conjunction with the release of vSphere
   4.0 U4a on 2012-09-12 and ESX 4.0 patches on 2012-09-13. Removed
   CVE-2010-4494 and CVE-2011-2821 since these CVEs are not relevant to
   ESXi.

-----------------------------------------------------------------------
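   Section 4 asks the administrator to verify the checksum of the downloaded
   patch bundle before applying it. The script below is an added example
   and is not part of the VMware advisory or the AusCERT bulletin: the
   md5sum/sha1sum values in its table are copied from section 4 above,
   while the function names, the chunked file reading and the command-line
   usage are this example's own assumptions. It streams the file so that a
   large bundle is not read into memory at once, compares both digests
   with hmac.compare_digest, and refuses to treat a bundle name the
   advisory does not list as verified. Note that MD5 and SHA-1 here only
   tell you the file you downloaded is the one the advisory describes;
   what authenticates the published values themselves is the PGP signature
   on the advisory, which should be checked separately.

```python
"""Verify a downloaded VMware patch bundle against the checksums
published in section 4 of VMSA-2012-0012.2.

Added example, not VMware's or AusCERT's own tooling. The digest table is
copied from the advisory; everything else is an assumption of this example.
"""
import hashlib
import hmac

# Expected digests per patch bundle, as published in section 4 of the advisory.
ADVISORY_CHECKSUMS = {
    "ESXi500-201207001": {
        "md5": "01196c5c1635756ff177c262cb69a848",
        "sha1": "85936f5439100cd5fb55c7add574b5b3b937fe86",
    },
    "update-from-esxi4.1-4.1_update03.zip": {
        "md5": "b35267e3c96a8ebd2e3acac09538cdf5",
        "sha1": "2b2d456e89964528f25c01ae5d84edbd2bbcdefb",
    },
    "ESXi400-201209001": {
        "md5": "8ea463e3814f147ab0889a733e66b9f0",
        "sha1": "f9526a0936975fa4b7cbdf588cd4c119d95973c9",
    },
}


def digest_file(path, algorithms=("md5", "sha1"), chunk_size=1 << 20):
    """Return {algorithm: hexdigest} for a file, reading it in 1 MiB chunks
    so that a multi-hundred-megabyte bundle is never loaded into memory at once."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_download(path, expected):
    """Compare a file's digests with the advisory values.

    `expected` is a mapping like one entry of ADVISORY_CHECKSUMS. Returns a
    dict {algorithm: bool}; apply the download only when every algorithm
    matches. hmac.compare_digest keeps the comparison itself constant-time.
    """
    actual = digest_file(path, algorithms=tuple(expected))
    return {
        name: hmac.compare_digest(actual[name].lower(), expected[name].lower())
        for name in expected
    }


def verify_advisory_bundle(path, bundle_name, table=ADVISORY_CHECKSUMS):
    """Look the bundle up in the advisory table and verify the file.

    Returns True only when both MD5 and SHA-1 match. A bundle name the
    advisory does not list raises KeyError, so an unknown file is never
    silently reported as verified.
    """
    results = verify_download(path, table[bundle_name])
    return all(results.values())


if __name__ == "__main__":
    import sys
    # Usage (hypothetical script name):
    #   python verify_patch.py <downloaded-file> <bundle-name-from-advisory>
    ok = verify_advisory_bundle(sys.argv[1], sys.argv[2])
    print("checksums match" if ok else "MISMATCH: do not apply this file")
    sys.exit(0 if ok else 1)
```

   Run it against the file you fetched from the download link in section 4,
   passing the bundle name exactly as the advisory spells it; a non-zero
   exit status means at least one digest did not match and the bundle
   should be discarded and re-downloaded.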
7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

   * security-announce at lists.vmware.com
   * bugtraq at securityfocus.com
   * full-disclosure at lists.grok.org.uk

   E-mail: security at vmware.com
   PGP key at: http://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   VMware security response policy
   http://www.vmware.com/support/policies/security_response.html

   General support life cycle policy
   http://www.vmware.com/support/policies/eos.html

   VMware Infrastructure support life cycle policy
   http://www.vmware.com/support/policies/eos_vi.html

   Copyright 2012 VMware Inc. All rights reserved.

- -----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8

wj8DBQFQUsGvDEcm8Vbi9kMRAk3HAJ4kp0ldVN4rW1+rm6Jr/o1OGxJViwCfc81T
Lpv6UfdDkSXuH0E1ochKmrM=
=iIDw
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information or
advice contained in this security bulletin is the responsibility of each
user or organisation, and should be considered in accordance with your
organisation's site policies and procedures.

AusCERT takes no responsibility for consequences which may arise from
following or acting on information or advice contained in this security
bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still
current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUFf+0u4yVqjM2NGpAQKabBAAhhwqTax59nnTGzEIcApBhlOjp09sPSL2
xJ4S/pk5piRJxOONDPbcfbMGqAJv8UxoG3cBKHBkqAIczWR+wIwpXxrDiQup2a2E
tQXS08h32L7Ncm8Rynfkchi0z5Zt4+1VX0gnKDNU/2huNOvV8Bl7DdA5Qt2J7ZBZ
b99G4gOGm2R0fdQnAstVMJmLP1cpgLABtZt/N5Br5/mEO0YFu1DyK0jWDdJ636In
+eDy756sg5B8XnRMJ1EazfD1hlX0OcbQgArQJ/53VKQJZkiEOu+C2xtjWB7da5gZ
+9cCzEfqbmD0s+BVFeuuFZo37SH1eKRL9Gs/H94WP4Fc8ZQdg+/Kwt4ZJLtmCdLn
Q/WZVls6jrwA4U/IPDY47ywwnX7LgKVtmASBCORSPjnojpqcT3j6nU7F6mYYbWZ6
ijB+VZRpGhPp47dtRa0t6P6yh4KAGjVL0k9v56O3C+ge2lnp0yyyw5rzuezO7qON
KJt/Iw9dNQPls8FBO/HdHWIXVyhE2z/FwnwjkSulZMyWr80lyH66h8AwXGwe5ZkB
m6I8V5Rea39kUBrg5l9L7AWM0fWc6p6Xd51CHG2rLx3Zr777A3E+p0BBhxh8Yti4
BAvIwDGjfbMRf9OJKzJUPMM050OjTcU4D95ryKbMdp2X8styKOPaY3T7KdeUN0/x
nV2sdtyPiLc=
=HuHS
-----END PGP SIGNATURE-----