[Security-announce] UPDATED VMSA-2010-0004.3 ESX Service Console and vMA third party updates

VMware Security Announcements security-announce at lists.vmware.com
Tue Aug 31 22:34:31 PDT 2010


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID:       VMSA-2010-0004.3
Synopsis:          ESX Service Console and vMA third party updates
Issue date:        2010-03-03
Updated on:        2010-08-31
CVE numbers:       CVE-2009-2905 CVE-2008-4552 CVE-2008-4316
                   CVE-2009-1377 CVE-2009-1378 CVE-2009-1379
                   CVE-2009-1386 CVE-2009-1387 CVE-2009-0590
                   CVE-2009-4022 CVE-2009-3560 CVE-2009-3720
                   CVE-2009-2904 CVE-2009-3563 CVE-2009-2695
                   CVE-2009-2849 CVE-2009-2695 CVE-2009-2908
                   CVE-2009-3228 CVE-2009-3286 CVE-2009-3547
                   CVE-2009-3613 CVE-2009-3612 CVE-2009-3620
                   CVE-2009-3621 CVE-2009-3726 CVE-2008-3916
                   CVE-2009-1189 CVE-2009-0115

- ------------------------------------------------------------------------

1. Summary

   ESX Service Console updates for newt, nfs-utils, expat, ntp and
   glib2 packages.

   vMA updates for newt, nfs-util, glib2, kpartx, libvolume-id,
   device-mapper-multipath, fipscheck, dbus, dbus-libs, ed, openssl,
   bind, expat, openssh, ntp and kernel packages.

2. Relevant releases

   VMware ESX 4.0.0 without patches ESX400-201002404-SG,
   ESX400-201002407-SG, ESX400-201002406-SG, ESX400-201005403-SG,
   ESX400-201005404-SG

   VMware ESX 3.5 without patches ESX350-201006407-SG,
   ESX350-201008406-SG

   VMware vMA 4.0 before patch 3

3. Problem Description

 a. vMA and Service Console update for newt to 0.52.2-12.el5_4.1

    Newt is a programming library for color text mode, widget based
    user interfaces. Newt can be used to add stacked windows, entry
    widgets, checkboxes, radio buttons, labels, plain text fields,
    scrollbars, etc., to text mode user interfaces.

    A heap-based buffer overflow flaw was found in the way newt
    processes content that is to be displayed in a text dialog box.
    A local attacker could issue a specially-crafted text dialog box
    display request (direct or via a custom application), leading to a
    denial of service (application crash) or, potentially, arbitrary
    code execution with the privileges of the user running the
    application using the newt library.

    The Common Vulnerabilities and Exposures Project (cve.mitre.org)
    has assigned the name CVE-2009-2905 to this issue.

    The following table lists what action remediates the vulnerability
    (column 4) if a solution is available.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    VirtualCenter  any       Windows  not affected

    hosted *       any       any      not affected

    ESXi           any       ESXi     not affected

    ESX            4.0       ESX      ESX400-201002406-SG
    ESX            3.5       ESX      not affected
    ESX            3.0.3     ESX      not affected
    ESX            2.5.5     ESX      not affected

    vMA            4.0       RHEL5    Patch 3

  * hosted products are VMware Workstation, Player, ACE, Server, Fusion.

 b. vMA and Service Console update for vMA package nfs-utils to
    1.0.9-42.el5

    The nfs-utils package provides a daemon for the kernel NFS server
    and related tools.

    It was discovered that nfs-utils did not use tcp_wrappers
    correctly.  Certain hosts access rules defined in "/etc/hosts.allow"
    and "/etc/hosts.deny" may not have been honored, possibly allowing
    remote attackers to bypass intended access restrictions.

    The Common Vulnerabilities and Exposures Project (cve.mitre.org)
    has assigned the name CVE-2008-4552 to this issue.

    The following table lists what action remediates the vulnerability
    (column 4) if a solution is available.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    VirtualCenter  any       Windows  not affected

    hosted *       any       any      not affected

    ESXi           any       ESXi     not affected

    ESX            4.0       ESX      ESX400-201002407-SG
    ESX            3.5       ESX      not affected
    ESX            3.0.3     ESX      not affected
    ESX            2.5.5     ESX      not affected

    vMA            4.0       RHEL5    Patch 3

  * hosted products are VMware Workstation, Player, ACE, Server, Fusion.

 c. vMA and Service Console package glib2 updated to 2.12.3-4.el5_3.1

    GLib is the low-level core library that forms the basis for
    projects such as GTK+ and GNOME. It provides data structure
    handling for C, portability wrappers, and interfaces for such
    runtime functionality as an event loop, threads, dynamic loading,
    and an object system.

    Multiple integer overflows in glib/gbase64.c in GLib before 2.20
    allow context-dependent attackers to execute arbitrary code via a
    long string that is converted either from or to a base64
    representation.

    The Common Vulnerabilities and Exposures Project (cve.mitre.org)
    has assigned the name CVE-2008-4316 to this issue.

    The following table lists what action remediates the vulnerability
    (column 4) if a solution is available.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    VirtualCenter  any       Windows  not affected

    hosted *       any       any      not affected

    ESXi           any       ESXi     not affected

    ESX            4.0       ESX      ESX400-201002404-SG
    ESX            3.5       ESX      not affected
    ESX            3.0.3     ESX      not affected
    ESX            2.5.5     ESX      not affected

    vMA            4.0       RHEL5    Patch 3

  * hosted products are VMware Workstation, Player, ACE, Server, Fusion.

 d. vMA and Service Console update for openssl to 0.9.8e-12.el5

    SSL is a toolkit implementing SSL v2/v3 and TLS protocols with full-
    strength cryptography world-wide.

    Multiple denial of service flaws were discovered in OpenSSL's DTLS
    implementation. A remote attacker could use these flaws to cause a
    DTLS server to use excessive amounts of memory, or crash on an
    invalid memory access or NULL pointer dereference.

    The Common Vulnerabilities and Exposures Project (cve.mitre.org)
    has assigned the names CVE-2009-1377, CVE-2009-1378,
    CVE-2009-1379, CVE-2009-1386, CVE-2009-1387 to these issues.

    An input validation flaw was found in the handling of the BMPString
    and UniversalString ASN1 string types in OpenSSL's
    ASN1_STRING_print_ex() function. An attacker could use this flaw to
    create a specially-crafted X.509 certificate that could cause
    applications using the affected function to crash when printing
    certificate contents.

    The Common Vulnerabilities and Exposures Project (cve.mitre.org)
    has assigned the name CVE-2009-0590 to this issue.

    The following table lists what action remediates the vulnerability
    (column 4) if a solution is available.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    VirtualCenter  any       Windows  not affected

    hosted *       any       any      not affected

    ESXi           any       ESXi     not affected

    ESX            4.0       ESX      patched, see VMSA-2010-0009
    ESX            3.5       ESX      not affected
    ESX            3.0.3     ESX      not affected
    ESX            2.5.5     ESX      not affected

    vMA            4.0       RHEL5    Patch 3

  * hosted products are VMware Workstation, Player, ACE, Server, Fusion.

 e. vMA and Service Console package bind updated to 9.3.6-4.P1.el5_4.1

    It was discovered that BIND was incorrectly caching responses
    without performing proper DNSSEC validation, when those responses
    were received during the resolution of a recursive client query
    that requested DNSSEC records but indicated that checking should be
    disabled. A remote attacker could use this flaw to bypass the DNSSEC
    validation check and perform a cache poisoning attack if the target
    BIND server was receiving such client queries.

    The Common Vulnerabilities and Exposures Project (cve.mitre.org)
    has assigned the name CVE-2009-4022 to this issue.

    The following table lists what action remediates the vulnerability
    (column 4) if a solution is available.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    VirtualCenter  any       Windows  not affected

    hosted *       any       any      not affected

    ESXi           any       ESXi     not applicable

    ESX            4.0       ESX      patched, see VMSA-2010-0009
    ESX            3.5       ESX      not affected
    ESX            3.0.3     ESX      not affected
    ESX            2.5.5     ESX      not affected

    vMA            4.0       RHEL5    Patch 3

  * hosted products are VMware Workstation, Player, ACE, Server, Fusion.

 f. vMA and Service Console package expat updated to 1.95.8-8.3.el5_4.2.

    Two buffer over-read flaws were found in the way Expat handled
    malformed UTF-8 sequences when processing XML files. A specially-
    crafted XML file could cause applications using Expat to fail while
    parsing the file.

    The Common Vulnerabilities and Exposures Project (cve.mitre.org)
    has assigned the names CVE-2009-3560 and CVE-2009-3720 to these
    issues.

    The following table lists what action remediates the vulnerability
    (column 4) if a solution is available.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    VirtualCenter  any       Windows  not affected

    hosted *       any       any      not affected

    ESXi           any       ESXi     not applicable

    ESX            4.0       ESX      ESX400-201005403-SG
    ESX            3.5       ESX      ESX350-201008406-SG
    ESX            3.0.3     ESX      affected, patch pending
    ESX            2.5.5     ESX      affected, patch pending

    vMA            4.0       RHEL5    Patch 3

  * hosted products are VMware Workstation, Player, ACE, Server, Fusion.

 g. vMA and Service Console package openssh update to 4.3p2-36.el5_4.2
 
    A Red Hat specific patch used in the openssh packages as shipped in
    Red Hat Enterprise Linux 5.4 (RHSA-2009:1287) loosened certain
    ownership requirements for directories used as arguments for the
    ChrootDirectory configuration options. A malicious user that also
    has or previously had non-chroot shell access to a system could
    possibly use this flaw to escalate their privileges and run
    commands as any system user.

    The Common Vulnerabilities and Exposures Project (cve.mitre.org)
    has assigned the name CVE-2009-2904 to this issue.

    The following table lists what action remediates the vulnerability
    (column 4) if a solution is available.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    VirtualCenter  any       Windows  not affected

    hosted *       any       any      not affected

    ESXi           any       ESXi     not applicable

    ESX            4.0       ESX      affected, patch pending
    ESX            3.5       ESX      not affected
    ESX            3.0.3     ESX      not affected
    ESX            2.5.5     ESX      not affected

    vMA            4.0       RHEL5    Patch 3

  * hosted products are VMware Workstation, Player, ACE, Server, Fusion.

 h. vMA and Service Console package ntp updated to
    ntp-4.2.2p1-9.el5_4.1.i386.rpm

    A flaw was discovered in the way ntpd handled certain malformed NTP
    packets. ntpd logged information about all such packets and replied
    with an NTP packet that was treated as malformed when received by
    another ntpd. A remote attacker could use this flaw to create an NTP
    packet reply loop between two ntpd servers through a malformed packet
    with a spoofed source IP address and port, causing ntpd on those
    servers to use excessive amounts of CPU time and fill disk space with
    log messages.

    The Common Vulnerabilities and Exposures Project (cve.mitre.org)
    has assigned the name CVE-2009-3563 to this issue.   

    The following table lists what action remediates the vulnerability
    (column 4) if a solution is available.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    VirtualCenter  any       Windows  not affected

    hosted *       any       any      not affected

    ESXi           any       ESXi     not applicable

    ESX            4.0       ESX      ESX400-201005404-SG
    ESX            3.5       ESX      ESX350-201006407-SG
    ESX            3.0.3     ESX      affected, patch pending
    ESX            2.5.5     ESX      affected, patch pending

    vMA            4.0       RHEL5    Patch 3

  * hosted products are VMware Workstation, Player, ACE, Server, Fusion.

 i. vMA update for package kernel to 2.6.18-164.9.1.el5

    Updated vMA package kernel addresses the security issues listed
    below.
 
    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the name CVE-2009-2849 to the security issue fixed in
    kernel 2.6.18-128.2.1

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the names CVE-2009-2695, CVE-2009-2908, CVE-2009-3228,
    CVE-2009-3286, CVE-2009-3547, CVE-2009-3613 to the security issues
    fixed in kernel 2.6.18-128.6.1

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the names CVE-2009-3612, CVE-2009-3620, CVE-2009-3621,
    CVE-2009-3726 to the security issues fixed in kernel
    2.6.18-128.9.1

    The following table lists what action remediates the vulnerability
    (column 4) if a solution is available.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    VirtualCenter  any       Windows  not affected

    hosted *       any       any      not affected

    ESXi           any       ESXi     not affected

    ESX            4.0       ESX      patched, see VMSA-2010-0009
    ESX            3.5       ESX      not affected
    ESX            3.0.3     ESX      not affected
    ESX            2.5.5     ESX      not affected

    vMA            4.0       RHEL5    Patch 3 **

  * hosted products are VMware Workstation, Player, ACE, Fusion.

  ** vMA is updated to kernel version 2.6.18-164.9.1

 j. vMA 4.0 updates for the packages kpartx, libvolume-id,
    device-mapper-multipath, fipscheck, dbus, dbus-libs, and ed

    kpartx updated to 0.4.7-23.el5_3.4, libvolume-id updated to
    095-14.20.el5 device-mapper-multipath package updated to
    0.4.7-23.el5_3.4, fipscheck updated to 1.0.3-1.el5, dbus
    updated to 1.1.2-12.el5, dbus-libs updated to 1.1.2-12.el5,
    and ed package updated to 0.2-39.el5_2.

    The Common Vulnerabilities and Exposures Project (cve.mitre.org)
    has assigned the names CVE-2008-3916, CVE-2009-1189 and
    CVE-2009-0115 to these issues.

    The following table lists what action remediates the vulnerability
    (column 4) if a solution is available.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    VirtualCenter  any       Windows  not affected

    hosted *       any       any      not affected

    ESXi           any       ESXi     not affected

    ESX            4.0       ESX      not affected
    ESX            3.5       ESX      not affected
    ESX            3.0.3     ESX      not affected
    ESX            3.0.2     ESX      not affected
    ESX            2.5.5     ESX      not affected

    vMA            4.0       RHEL5    Patch 3

  * hosted products are VMware Workstation, Player, ACE, Server, Fusion.

4. Solution

   Please review the patch/release notes for your product and version
   and verify the md5sum of your downloaded file.

   ESX 4.0
   -------
   ESX400-201002001
 
https://hostupdate.vmware.com/software/VUM/OFFLINE/release-192-20100228-732
240/ESX400-201002001.zip
   md5sum: de62cbccaffa4b2b6831617f18c1ccb4
   sha1sum: 4083f191fa4acd6600c9a87e4852f9f5700e91ab
   http://kb.vmware.com/kb/1018403

   Note: ESX400-201002001 contains the following security bulletins
   ESX400-201002404-SG, ESX400-201002407-SG, and ESX400-201002406-SG.

   To install an individual bulletin use esxupdate with the -b option.
   esxupdate --bundle ESX400-201002001.zip -b ESX400-201002404-SG \
   -b ESX400-201002407-SG -b ESX400-201002406-SG update

   ESX400-201005001
   http://bit.ly/aqTCqn
   md5sum: ace37cd8d7c6388edcea2798ba8be939
   sha1sum: 8fe7312fe74a435e824d879d4f1ff33df25cee78
   http://kb.vmware.com/kb/1013127

   Note ESX400-201005001 contains the following security bulletins
   ESX400-201005404-SG (ntp), ESX400-201005405-SG (gzip),
   ESX400-201005408-SG (bind), ESX400-201005401-SG (kernel, openssl),
   ESX400-201005406-SG (krb5, pam_krb5), ESX400-201005402-SG (JRE),
   ESX400-201005403-SG (expat), ESX400-201005409-SG (sudo),
   ESX400-201005407-SG (gcc).

   ESX 3.5
   -------
   ESX350-201006407-SG (ntp)
   http://download3.vmware.com/software/vi/ESX350-201006407-SG.zip
   md5sum: 49995fadd5d14546d8da819fb83b0adf
   http://kb.vmware.com/kb/1020171

   ESX350-201008406-SG (expat)
   http://download3.vmware.com/software/vi/ESX350-201008406-SG.zip
   md5sum: ea06208ad933e195678922360516fa4f
   http://kb.vmware.com/kb/1026131

   vMA 4.0
   -------
   To update VIMA
       1 Log in to VIMA as vi-admin.
       2 type 'sudo /usr/sbin/vima-update update' this will apply all
         currently available updates.  See http://tinyurl.com/yfekgrx
         for more information.

5. References

   CVE numbers
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2905
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4552
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4316
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1377
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1378
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1379             
     
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1386
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1387
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0590
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4022
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3560
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3720
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2904
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3563
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2695
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2849
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2695
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2908
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3228
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3286
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3547
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3613
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3612
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3620
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3621
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3726
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3916
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1189
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0115

- ------------------------------------------------------------------------
6. Change log

2010-03-03  VMSA-2010-0004
Initial security advisory after release of bulletins for ESX 4.0
on 2010-03-03 and release of vMA Patch 3 on 2010-02-25.
2010-05-27  VMSA-2010-0004.1
Updated after release of patches for ESX 4.0 on 2010-05-27.
2010-06-24  VMSA-2010-0004.2
Updated after release of patches for ESX 3.5 on 2010-06-24.
2010-08-31  VMSA-2010-0004.3
Updated after release of expat patch for ESX 3.5 on 2010-08-31.

- -----------------------------------------------------------------------
7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

  * security-announce at lists.vmware.com
  * bugtraq at securityfocus.com
  * full-disclosure at lists.grok.org.uk

E-mail:  security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055

VMware Security Center
http://www.vmware.com/security

VMware security response policy
http://www.vmware.com/support/policies/security_response.html

General support life cycle policy
http://www.vmware.com/support/policies/eos.html

VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html

Copyright 2010 VMware Inc.  All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8

wj8DBQFMfeXaS2KysvBH1xkRAgFGAJ41A/AstYH9dEu4yO/q8VTbpVZzFACdEP2/
icIgSqO5C6lziwcSVWHNRjA=
=ke+d
-----END PGP SIGNATURE-----



More information about the Security-announce mailing list