Home page logo
/

bugtraq logo Bugtraq mailing list archives

VMSA-2009-0014 VMware ESX patches for DHCP, Service Console kernel, and JRE resolve multiple security issues
From: VMware Security Team <security () vmware com>
Date: Fri, 16 Oct 2009 09:54:44 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -----------------------------------------------------------------------
                  VMware Security Advisory

Advisory ID:       VMSA-2009-0014
Synopsis:          VMware ESX patches for DHCP, Service Console kernel,
                  and JRE resolve multiple security issues
Issue date:        2009-10-16
Updated on:        2009-10-16 (initial release of advisory)
CVE numbers:       CVE-2009-0692 CVE-2009-1893 CVE-2009-0692
                  CVE-2008-4210 CVE-2008-3275 CVE-2008-5356
                  CVE-2008-0598 CVE-2008-2136 CVE-2008-2812
                  CVE-2007-6063 CVE-2008-3525 CVE-2008-2086
                  CVE-2008-5347 CVE-2008-5348 CVE-2008-5349
                  CVE-2008-5350 CVE-2008-5351 CVE-2008-5352
                  CVE-2008-5353 CVE-2008-5354 CVE-2008-5357
                  CVE-2008-5358 CVE-2008-5359 CVE-2008-5360
                  CVE-2008-5339 CVE-2008-5342 CVE-2008-5344
                  CVE-2008-5345 CVE-2008-5346 CVE-2008-5340
                  CVE-2008-5341 CVE-2008-5343 CVE-2008-5355
                  CVE-2009-1093 CVE-2009-1094 CVE-2009-1095
                  CVE-2009-1096 CVE-2009-1097 CVE-2009-1098
                  CVE-2009-1099 CVE-2009-1100 CVE-2009-1101
                  CVE-2009-1102 CVE-2009-1103 CVE-2009-1104
                  CVE-2009-1105 CVE-2009-1106 CVE-2009-1107
- -----------------------------------------------------------------------

1. Summary

  Updated DHCP and Kernel packages for ESX 3.5 and ESX 3.0.3 and
  updated Java JRE packages for ESX 3.5 address several security
  issues.

2. Relevant releases

  ESX 3.5 without patches ESX350-200910406-SG, ESX350-200910401-SG,
                          ESX350-200910403-SG
  ESX 3.0.3 without patch ESX303-200910402-SG

3. Problem Description

a. Service Console update for DHCP and third party library update
   for DHCP client.

   DHCP is an Internet-standard protocol by which a computer can be
   connected to a local network, ask to be given configuration
   information, and receive from a server enough information to
   configure itself as a member of that network.

   A stack-based buffer overflow in the script_write_params method in
   ISC DHCP dhclient allows remote DHCP servers to execute arbitrary
   code via a crafted subnet-mask option.

   The Common Vulnerabilities and Exposures Project (cve.mitre.org)
   has assigned the name CVE-2009-0692 to this issue.

   An insecure temporary file use flaw was discovered in the DHCP
   daemon's init script ("/etc/init.d/dhcpd"). A local attacker could
   use this flaw to overwrite an arbitrary file with the output of the
   "dhcpd -t" command via a symbolic link attack, if a system
   administrator executed the DHCP init script with the "configtest",
   "restart", or "reload" option.

   The Common Vulnerabilities and Exposures Project (cve.mitre.org)
   has assigned the name CVE-2009-1893 to this issue.

   The following table lists what action remediates the vulnerability
   in the Service Console (column 4) if a solution is available.

   VMware         Product   Running  Replace with/
   Product        Version   on       Apply Patch
   =============  ========  =======  =================
   vCenter        any       Windows  not affected

   hosted *       any       any      not affected

   ESXi           any       ESXi     not affected

   ESX            4.0       ESX      not affected
   ESX            3.5       ESX      ESX350-200910406-SG
   ESX            3.0.3     ESX      ESX303-200910402-SG
   ESX            2.5.5     ESX      not affected

   ESX 3.5 and later have a DHCP client component outside of the
   Service Console. The following table lists what action remediates
   the vulnerability in this component (column 4) if a solution is
   available.

   VMware         Product   Running  Replace with/
   Product        Version   on       Apply Patch
   =============  ========  =======  =================
   vCenter        any       Windows  not affected

   hosted *       any       any      not affected

   ESXi           4.0       ESXi     affected, patch pending
   ESXi           3.5       ESXi     not affected

   ESX            4.0       ESX      affected, patch pending
   ESX            3.5       ESX      ESX350-200910401-SG
   ESX            3.0.3     ESX      not affected
   ESX            2.5.5     ESX      not affected

 * hosted products are VMware Workstation, Player, ACE, Server, Fusion.

b. Updated Service Console package kernel

   Service Console package kernel update to version
   kernel-2.4.21-58.EL.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)
   has assigned the names CVE-2008-4210, CVE-2008-3275, CVE-2008-0598,
   CVE-2008-2136, CVE-2008-2812, CVE-2007-6063, CVE-2008-3525 to the
   security issues fixed in kernel-2.4.21-58.EL

   The following table lists what action remediates the vulnerability
   (column 4) if a solution is available.

   VMware         Product   Running  Replace with/
   Product        Version   on       Apply Patch
   =============  ========  =======  =================
   vCenter        any       Windows  not applicable

   hosted *       any       any      not applicable

   ESXi           any       ESXi     not applicable

   ESX            4.0       ESX      not applicable
   ESX            3.5       ESX      ESX350-200910401-SG
   ESX            3.0.3     ESX      affected, no update planned
   ESX            2.5.5     ESX      not applicable

   * hosted products are VMware Workstation, Player, ACE, Server, Fusion.

c. JRE Security Update

   JRE update to version 1.5.0_18, which addresses multiple security
   issues that existed in earlier releases of JRE.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the following names to the security issues fixed in
   JRE 1.5.0_17: CVE-2008-2086, CVE-2008-5347, CVE-2008-5348,
   CVE-2008-5349, CVE-2008-5350, CVE-2008-5351, CVE-2008-5352,
   CVE-2008-5353, CVE-2008-5354, CVE-2008-5356, CVE-2008-5357,
   CVE-2008-5358, CVE-2008-5359, CVE-2008-5360, CVE-2008-5339,
   CVE-2008-5342, CVE-2008-5344, CVE-2008-5345, CVE-2008-5346,
   CVE-2008-5340, CVE-2008-5341, CVE-2008-5343, and CVE-2008-5355.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the following names to the security issues fixed in
   JRE 1.5.0_18: CVE-2009-1093, CVE-2009-1094, CVE-2009-1095,
   CVE-2009-1096, CVE-2009-1097, CVE-2009-1098, CVE-2009-1099,
   CVE-2009-1100, CVE-2009-1101, CVE-2009-1102, CVE-2009-1103,
   CVE-2009-1104, CVE-2009-1105, CVE-2009-1106, and CVE-2009-1107.

   The following table lists what action remediates the vulnerability
   (column 4) if a solution is available.

   VMware         Product   Running  Replace with/
   Product        Version   on       Apply Patch
   =============  ========  =======  =================
   vCenter        4.0       Windows  affected, patch pending **
   VirtualCenter  2.5       Windows  affected, patch pending **
   VirtualCenter  2.0.2     Windows  affected, patch pending

   Workstation    any       any      not affected

   Player         any       any      not affected

   Server         2.0       any      affected, patch pending
   Server         1.0       any      not affected

   ACE            any       any      not affected

   Fusion         any       any      not affected

   ESXi           any       ESXi     not affected

   ESX            4.0       ESX      affected, patch pending **
   ESX            3.5       ESX      ESX350-200910403-SG
   ESX            3.0.3     ESX      affected, patch pending
   ESX            2.5.5     ESX      not affected

   ** JRE will be updated to version 1.5.0_20 in the next update release

   Notes: These vulnerabilities can be exploited remotely only if the
          attacker has access to the Service Console network.

          Security best practices provided by VMware recommend that the
          Service Console be isolated from the VM network. Please see
          http://www.vmware.com/resources/techresources/726 for more
          information on VMware security best practices.

          The currently installed version of JRE depends on your patch
          deployment history.

4. Solution

  Please review the patch/release notes for your product and version
  and verify the md5sum of your downloaded file.

  ESX 3.5
  -------
  ESX350-200910406-SG (DHCP Service Console)
  http://download3.vmware.com/software/vi/ESX350-200910406-SG.zip
  md5sum: dab682b1e3897fd43e2e7f90aa1156fc
  sha1sum: 0962718f65d4c2f76657369ada4a61848253174e
  http://kb.vmware.com/kb/1013129

  ESX350-200910401-SG (DHCP third party library, kernel)
  http://download3.vmware.com/software/vi/ESX350-200910401-SG.zip
  md5sum: 73435b0495a61b00bedbead140b2a262
  sha1sum: a957d57cf0df58d8a40759dce62efbf12a6c229c
  http://kb.vmware.com/kb/1013124

  ESX350-200910403-SG (JRE)
  http://download3.vmware.com/software/vi/ESX350-200910403-SG.zip
  md5sum: 0e90be5bd6aa986dc2356563e809a54f
  sha1sum: a5968cf6db78e28d79a4fd0b4df172cadf0f7129
  http://kb.vmware.com/kb/1013126

  ESX 3.0.3
  ---------
  ESX303-200910402-SG (DHCP Service Console)
  http://download3.vmware.com/software/vi/ESX303-200910402-SG.zip
  md5sum: 59a090cf37971e7f13385b9f53cdf3ca
  sha1sum: 3af9cf1b15dc151bce06c89cc0d81e1a7cf9c80e
  http://kb.vmware.com/kb/1014758

5. References

  CVE numbers
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0692
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1893
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4210
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3275
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0598
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2136
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2812
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6063
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3525
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2086
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5347
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5348
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5349
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5350
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5351
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5352
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5353
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5354
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5356
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5357
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5358
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5359
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5360
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5339
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5342
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5344
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5345
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5346
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5340
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5341
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5343
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5355
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1093
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1094
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1095
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1096
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1097
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1098
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1099
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1100
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1101
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1102
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1103
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1104
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1105
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1106
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1107

- ------------------------------------------------------------------------
6. Change log

2009-10-16  VMSA-2009-0014
Initial security advisory after release of ESX 3.5 patch 18 and
ESX 3.0.3 patch 11 on 2009-10-16.

- -----------------------------------------------------------------------
7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

 * security-announce at lists.vmware.com
 * bugtraq at securityfocus.com
 * full-disclosure at lists.grok.org.uk

E-mail:  security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055

VMware Security Center
http://www.vmware.com/security

VMware security response policy
http://www.vmware.com/support/policies/security_response.html

General support life cycle policy
http://www.vmware.com/support/policies/eos.html

VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html

Copyright 2009 VMware Inc.  All rights reserved.


-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8

wj8DBQFK2KUiS2KysvBH1xkRAqxIAJ901ZVAIyIK5ShhaI6EC1NZiOuGaACfX8cN
XHpA5AngF0nSctnl1lqf5kY=
=iiC7
-----END PGP SIGNATURE-----


  By Date           By Thread  

Current thread:
  • VMSA-2009-0014 VMware ESX patches for DHCP, Service Console kernel, and JRE resolve multiple security issues VMware Security Team (Oct 16)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault