Home page logo
/

bugtraq logo Bugtraq mailing list archives

VMSA-2012-0013 VMware vSphere and vCOps updates to third party libraries
From: VMware Security Team <security () vmware com>
Date: Fri, 31 Aug 2012 00:04:24 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -----------------------------------------------------------------------
                      VMware Security Advisory

Advisory ID:  VMSA-2012-0013
Synopsis:     VMware vSphere and vCOps updates to third party libraries
Issue date:   2012-08-30
Updated on:   2012-08-30 (initial advisory)
CVE numbers:  --- JRE ---
                 See references
             --- OpenSSL (userworld) ---
             CVE-2010-4180, CVE-2010-4252, CVE-2011-0014,
             CVE-2011-4108, CVE-2011-4109, CVE-2011-4576,
             CVE-2011-4577, CVE-2011-4619, CVE-2012-0050
             --- OpenSSL (service console) ---
             CVE-2012-2110
             --- kernel (service console) ---
             CVE-2011-1833, CVE-2011-2484, CVE-2011-2496,
             CVE-2011-3188, CVE-2011-3209, CVE-2011-3363,
             CVE-2011-4110, CVE-2011-1020, CVE-2011-4132,
             CVE-2011-4324, CVE-2011-4325, CVE-2012-0207,
             CVE-2011-2699, CVE-2012-1583
             --- Perl (service console) ---
             CVE-2010-2761, CVE-2010-4410, CVE-2011-3597
             --- libxm2 (service console) ---
             CVE-2012-0841
             --- glibc (service console) ---
             CVE-2009-5029, CVE-2009-5064, CVE-2010-0830,
             CVE-2011-1089, CVE-2011-4609, CVE-2012-0864
             --- GnuTLS (service console) ---
             CVE-2011-4128, CVE-2012-1569, CVE-2012-1573
             --- popt and rpm (service console) ---
             CVE-2012-0060, CVE-2012-0061, CVE-2012-0815
             --- Apache struts ---
             CVE-2012-0393
- -----------------------------------------------------------------------
1. Summary

  VMware has updated several third party libraries in vSphere and vcOps
  to address multiple security vulnerabilities.

2. Relevant releases

  VMware vCenter 4.1 without Update 3

  VMware vCenter Update Manager 4.1 without Update 3

  VMware ESX without patches ESX410-201208101-SG, ESX410-201208102-SG,
        ESX410-201208103-SG, ESX410-201208104-SG, ESX410-201208105-SG,
        ESX410-201208106-SG, ESX410-201208107-SG

  VMware ESXi without patch ESXi410-201208101-SG

  VMware vCOps 5.0.2 or earlier

3. Problem Description

  a. vCenter and ESX update to JRE 1.6.0 Update 31

     The Oracle (Sun) JRE is updated to version 1.6.0_31, which
     addresses multiple security issues. Oracle has documented the
     CVE identifiers that are addressed by this update in the Oracle
     Java SE Critical Patch Update Advisory of February 2012.

     Column 4 of the following table lists the action required to
     remediate the vulnerability in each release, if a solution is
     available.

       VMware          Product   Running   Replace with/
       Product         Version   on        Apply Patch
       =============   =======   =======   =================
       vCenter         5.0       Windows   patch pending
       vCenter         4.1       Windows   vCenter 4.1 Update 3
       vCenter         4.0       Windows   not applicable **
       VirtualCenter   2.5       Windows   not applicable **

       Update Manager 5.0       Windows    patch pending
       Update Manager 4.1       Windows    not applicable **
       Update Manager 4.0       Windows    not applicable **

       hosted *        any       any       not affected

       ESXi            any       ESXi      not applicable

       ESX             4.1       ESX       ESX410-201208101-SG
       ESX             4.0       ESX       not applicable **
       ESX             3.5       ESX       not applicable **

       * hosted products are VMware Workstation, Player, ACE, Fusion.

      ** this product uses the Oracle (Sun) JRE 1.5.0 family

  b. vCenter Update Manager update to JRE 1.5.0 Update 36

     The Oracle (Sun) JRE is updated to 1.5.0_36 to address multiple
     security issues.  Oracle has documented the CVE identifiers that
     are addressed in JRE 1.5.0_36 in the Oracle Java SE Critical
     Patch Update Advisory for June 2012.

     Column 4 of the following table lists the action required to
     remediate the vulnerability in each release, if a solution is
     available.

       VMware         Product   Running  Replace with/
       Product        Version   on       Apply Patch
       =============  ========  =======  =================
       vCenter        5.0       Windows  not applicable **
       vCenter        4.1       Windows  not applicable **
       vCenter        4.0       Windows  patch pending
       VirtualCenter  2.5       Windows  patch pending

       Update Manager 5.0       Windows  not applicable **
       Update Manager 4.1       Windows  Update Manager Update 3
       Update Manager 4.0       Windows  patch pending

       hosted *       any       any      not affected

       ESXi           any       ESXi     not affected

       ESX            4.1       ESX      not applicable **
       ESX            4.0       ESX      patch pending
       ESX            3.5       ESX      patch pending

       * hosted products are VMware Workstation, Player, ACE, Fusion.

       ** this product uses the Oracle (Sun) JRE 1.6.0 family

  c. Update to ESX/ESXi userworld OpenSSL library

     The ESX/ESXi userworld OpenSSL library is updated from version
     0.9.8p to version 0.9.8t to resolve multiple security issues.

     The Common Vulnerabilities and Exposures project (cve.mitre.org)
     has assigned the names CVE-2010-4180, CVE-2010-4252,
     CVE-2011-0014, CVE-2011-4108, CVE-2011-4109, CVE-2011-4576,
     CVE-2011-4577, CVE-2011-4619, and CVE-2012-0050 to these issues.

     Column 4 of the following table lists the action required to
     remediate the vulnerability in each release, if a solution is
     available.

       VMware          Product   Running  Replace with/
       Product         Version   on       Apply Patch
       ==============  ========  =======  =================
       ESXi            5.0       ESXi     patch pending
       ESXi            4.1       ESXi     ESXi410-201208101-SG
       ESXi            4.0       ESXi     patch pending
       ESXi            3.5       ESXi     patch pending

       ESX             4.1       ESX      ESX410-201208101-SG
       ESX             4.0       ESX      patch pending
       ESX             3.5       ESX      patch pending

  d. Update to ESX service console OpenSSL RPM

     The service console OpenSSL RPM is updated to version
     0.9.8e-22.el5_8.3 to resolve a security issue.

     The Common Vulnerabilities and Exposures project (cve.mitre.org)
     has assigned the name CVE-2012-2110 to this issue.

     Column 4 of the following table lists the action required to
     remediate the vulnerability in each release, if a solution is
     available.

       VMware          Product   Running  Replace with/
       Product         Version   on       Apply Patch
       ==============  ========  =======  =================
       ESXi            any       ESXi     not applicable

       ESX             4.1       ESX      ESX410-201208103-SG
       ESX             4.0       ESX      patch pending
       ESX             3.5       ESX      not applicable

  e. Update to ESX service console kernel

     The ESX service console kernel is updated to resolve multiple
     security issues.

     The Common Vulnerabilities and Exposures project (cve.mitre.org)
     has assigned the names CVE-2011-1833, CVE-2011-2484,
     CVE-2011-2496, CVE-2011-3188, CVE-2011-3209, CVE-2011-3363,
     CVE-2011-4110, CVE-2011-1020, CVE-2011-4132, CVE-2011-4324,
     CVE-2011-4325, CVE-2012-0207, CVE-2011-2699, and CVE-2012-1583
     to these issues.

     Column 4 of the following table lists the action required to
     remediate the vulnerability in each release, if a solution is
     available.

       VMware          Product   Running  Replace with/
       Product         Version   on       Apply Patch
       ==============  ========  =======  =================
       ESXi            any       ESXi     not applicable

       ESX             4.1       ESX      ESX410-201208101-SG
       ESX             4.0       ESX      patch pending
       ESX             3.5       ESX      not applicable

  f. Update to ESX service console Perl RPM

     The ESX service console Perl RPM is updated to
     perl-5.8.8.32.1.8999.vmw to resolve multiple security issues.

     The Common Vulnerabilities and Exposures project (cve.mitre.org)
     has assigned the names CVE-2010-2761, CVE-2010-4410, and
     CVE-2011-3597 to these issues.

     Column 4 of the following table lists the action required to
     remediate the vulnerability in each release, if a solution is
     available.

       VMware          Product   Running  Replace with/
       Product         Version   on       Apply Patch
       ==============  ========  =======  =================
       ESXi            any       ESXi     not applicable

       ESX             4.1       ESX      ESX410-201208107-SG
       ESX             4.0       ESX      patch pending
       ESX             3.5       ESX      not applicable

  g. Update to ESX service console libxml2 RPMs

     The ESX service console libmxl2 RPMs are updated to
     libxml2-2.6.26-2.1.15.el5_8.2 and
     libxml2-python-2.6.26-2.1.15.el5_8.2 to resolve a security
     issue.

     The Common Vulnerabilities and Exposures project (cve.mitre.org)
     has assigned the name CVE-2012-0841 to this issue.

     Column 4 of the following table lists the action required to
     remediate the vulnerability in each release, if a solution is
     available.

       VMware          Product   Running  Replace with/
       Product         Version   on       Apply Patch
       ==============  ========  =======  =================
       ESXi            any       ESXi     not applicable

       ESX             4.1       ESX      ESX410-201208102-SG
       ESX             4.0       ESX      patch pending
       ESX             3.5       ESX      not applicable

  h. Update to ESX service console glibc RPM

     The ESX service console glibc RPM is updated to version
     glibc-2.5-81.el5_8.1 to resolve multiple security issues.

     The Common Vulnerabilities and Exposures project (cve.mitre.org)
     has assigned the names CVE-2009-5029, CVE-2009-5064,
     CVE-2010-0830, CVE-2011-1089, CVE-2011-4609, and CVE-2012-0864
     to these issue.

     Column 4 of the following table lists the action required to
     remediate the vulnerability in each release, if a solution is
     available.

       VMware          Product   Running  Replace with/
       Product         Version   on       Apply Patch
       ==============  ========  =======  =================
       ESXi            any       ESXi     not applicable

       ESX             4.1       ESX      ESX410-201208104-SG
       ESX             4.0       ESX      patch pending
       ESX             3.5       ESX      not applicable

  i. Update to ESX service console GnuTLS RPM

     The ESX service console GnuTLS RPM is updated to version
     1.4.1-7.el5_8.2 to resolve multiple security issues.

     The Common Vulnerabilities and Exposures project (cve.mitre.org)
     has assigned the names CVE-2011-4128, CVE-2012-1569, and
     CVE-2012-1573 to these issues.

     Column 4 of the following table lists the action required to
     remediate the vulnerability in each release, if a solution is
     available.

       VMware          Product   Running  Replace with/
       Product         Version   on       Apply Patch
       ==============  ========  =======  =================
       ESXi            any       ESXi     not applicable

       ESX             4.1       ESX      ESX410-201208106-SG
       ESX             4.0       ESX      patch pending
       ESX             3.5       ESX      not applicable

  j. Update to ESX service console popt, rpm, rpm-libs,
     and rpm-python RPMS

     The ESX service console popt, rpm, rpm-libs, and rpm-python RPMS
     are updated to the following versions to resolve multiple
     security issues:
        - popt-1.10.2.3-28.el5_8
        - rpm-4.4.2.3-28.el5_8
        - rpm-libs-4.4.2.3-28.el5_8
        - rpm-python-4.4.2.3-28.el5_8

     The Common Vulnerabilities and Exposures project (cve.mitre.org)
     has assigned the name CVE-2012-0060, CVE-2012-0061, and
     CVE-2012-0815 to these issues.

     Column 4 of the following table lists the action required to
     remediate the vulnerability in each release, if a solution is
     available.

       VMware          Product   Running  Replace with/
       Product         Version   on       Apply Patch
       ==============  ========  =======  =================
       ESXi            any       ESXi     not applicable

       ESX             4.1       ESX      ESX410-201208105-SG
       ESX             4.0       ESX      patch pending
       ESX             3.5       ESX      not applicable

  k. Vulnerability in third party Apache Struts component

     The version of Apache Struts in vCenter Operations has been
     updated to 2.3.4 which addresses an arbitrary file overwrite
     vulnerability. This vulnerability allows an attacker to create
     a denial of service by overwriting arbitrary files without
     authentication. The attacker would need to be on the same network
     as the system where vCOps is installed.

     The Common Vulnerabilities and Exposures project (cve.mitre.org) has
     assigned the name CVE-2012-0393 to this issue.

     Note: Apache struts 2.3.4 addresses the following issues as well:
     CVE-2011-5057, CVE-2012-0391, CVE-2012-0392, CVE-2012-0394. It
     was found that these do not affect vCOps.
VMware would like to thank Alexander Minozhenko from ERPScan for
     reporting this issue to us.

     Column 4 of the following table lists the action required to
     remediate the vulnerability in each release, if a solution is
     available.

       VMware        Product   Running  Replace with/
       Product       Version   on       Apply Patch
       ============  ========  =======  =================
       vCOps         5.0.2     Windows  vCOps 5.0.3
       vCOps         5.0.2     Linux    vCOps 5.0.3
       vCOps         1.0.x     any      affected, update to vCOps 5.0.3

       vCO           4.2       Windows  not affected
       vCO           4.1       Windows  see VMSA-2011-0005 *
       vCO           4.0       Windows  see VMSA-2011-0005 *

       * Update releases for vCO that came out in 2011 and that are
         documented in VMSA-2011-0005, already address the Apache struts
         CVEs listed above.


4. Solution

  Please review the patch/release notes for your product and
  version and verify the checksum of your downloaded file.

  vCenter Server 4.1 Update 3
  ---------------------------
  The download for vCenter Server includes vSphere Update Manager,
  vSphere Client, and vCenter Orchestrator

  Download link

http://downloads.vmware.com/d/info/datacenter_cloud_infrastructure/vmware_v
sphere/4_1

  Release Notes
  https://www.vmware.com/support/vsphere4/doc/vsp_vc41_u3_rel_notes.html

  VMware-VIMSetup-all-4.1.0-816786.iso
  md5sum: c1fd9189783e615fec4864ff6b8c86bd
  sha1sum: 38c03ac195939bd23da666b9ee98ef7c9c912a55

  VMware-VIMSetup-all-4.1.0-816786.zip
  md5sum: d20705520fc4b5bccd71b060283e5b59
  sha1sum: ea2a84544cd6cd29447c4ce905111e7dfc62f4cd


  ESXi and ESX
  ------------
  http://downloads.vmware.com/go/selfsupport-download
ESXi 4.1
  --------
  File: update-from-esxi4.1-4.1_update03.zip
  md5sum: b35267e3c96a8ebd2e3acac09538cdf5
  sha1sum: 2b2d456e89964528f25c01ae5d84edbd2bbcdefb
  http://kb.vmware.com/kb/2020373
  update-from-esxi4.1-4.1_update03 contains ESXi410-201208101-SG

  ESX 4.1
  -------
  File: update-from-esx4.1-4.1_update3.zip
  md5sum: a4a45aba880d64210badade8d7c81904
  sha1sum: 4ed1ef2b56fa30deec999916367ab278dc5b1840
  http://kb.vmware.com/kb/2020362
  update-from-esx4.1-4.1_update03 contains ESX410-201208101-SG,
  ESX410-201208102-SG, ESX410-201208103-SG, ESX410-201208104-SG,
  ESX410-201208105-SG, ESX410-201208106-SG, ESX410-201208107-SG


  vCOps 5.0.3
  -----------
  Download link

https://my.vmware.com/web/vmware/info/slug/infrastructure_operations_manage
ment/vmware_vcenter_operations/5_0

  Release Notes
  https://www.vmware.com/support/pubs/vcops-pubs.html

5. References

  --- JRE  ---
  Oracle Java SE Critical Patch Update Advisory of February 2012

http://www.oracle.com/technetwork/topics/security/javacpufeb2012-366318.htm
l

  Oracle Java SE Critical Patch Update Advisory for June 2012

http://www.oracle.com/technetwork/topics/security/javacpujun2012-1515912.ht
ml

  --- OpenSSL (userworld) ---
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4180
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4252
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0014
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4108
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4109
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4576
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4577
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4619
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0050

  --- OpenSSL (service console) ---
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2110

  --- kernel (service console) ---
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1833
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2484
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2496
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3188
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3209
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3363
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4110
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1020
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4132
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4324
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4325
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0207
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2699
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1583

  --- Perl (service console) ---
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2761
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4410
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3597

  --- libxm2 (service console) ---
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0841

  --- glibc (service console) ---
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5029
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5064
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0830
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1089
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4609
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0864

  --- GnuTLS (service console) ---
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4128
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1569
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1573

  --- popt and rpm (service console) --
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0060
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0061
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0815

  --- Apache struts ---
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0393

- -----------------------------------------------------------------------

6. Change log

  2012-08-30 VMSA-2012-0013
  Initial security advisory in conjunction with the release of
  vSphere 4.1 U3 and vCOps 5.0.3 on 2012-08-30.

- -----------------------------------------------------------------------

7. Contact

  E-mail list for product security notifications and announcements:
  http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

  This Security Advisory is posted to the following lists:

  * security-announce at lists.vmware.com
  * bugtraq at securityfocus.com
  * full-disclosure at lists.grok.org.uk

  E-mail: security at vmware.com
  PGP key at: http://kb.vmware.com/kb/1055

  VMware Security Advisories
  http://www.vmware.com/security/advisories

  VMware security response policy
  http://www.vmware.com/support/policies/security_response.html

  General support life cycle policy
  http://www.vmware.com/support/policies/eos.html

  VMware Infrastructure support life cycle policy
  http://www.vmware.com/support/policies/eos_vi.html

  Copyright 2012 VMware Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8

wj8DBQFQQGHlDEcm8Vbi9kMRAu4cAKCBxiFj8ML/0elTaXSR+9B2fWaq3QCg/v9P
Z6eYnYGUp6RNJ8mawiUCApo=
=FDBR
-----END PGP SIGNATURE-----


  By Date           By Thread  

Current thread:
  • VMSA-2012-0013 VMware vSphere and vCOps updates to third party libraries VMware Security Team (Aug 31)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault