[Security-announce] UPDATED VMSA-2013-0009.2 VMware vSphere, ESX and ESXi updates to third party libraries

VMware Security Announcements security-announce at lists.vmware.com
Thu Oct 24 21:40:13 PDT 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
             VMware Security Advisory

Advisory ID: VMSA-2013-0009.2
Synopsis:    VMware vSphere, ESX and ESXi updates to third party
             libraries
Issue date:  2013-07-31
Updated on:  2013-10-24
CVE number:  --OpenSSL--
             CVE-2013-0169, CVE-2013-0166
             --libxml2 (COS and userworld)--
             CVE-2013-0338
             --GnuTLS (COS)--
             CVE-2013-2116
             --Kernel (COS)--
             CVE-2013-0268, CVE-2013-0871
- -------------------------------------------------------------------------

1. Summary

   VMware has updated several third party libraries in vCenter Server,
   ESX and ESXi to address multiple security vulnerabilities.


2. Relevant releases

   VMware vCenter 5.0 without Update 3

   VMware ESXi 5.0 without Update 3

   VMware ESXi 4.1 without patch ESXi410-201307001

   VMware ESX 4.1 without patch ESX410-201307001

   VMware ESXi 4.0 without patch ESXi400-201310001

   VMware ESX 4.0 without patch ESX400-201310001

3. Problem Description

   a. vCenter Server and ESX userworld update for OpenSSL library

      The userworld OpenSSL library is updated to version openssl-0.9.8y
      to resolve multiple security issues.

      The Common Vulnerabilities and Exposures project (cve.mitre.org)
      has assigned the names CVE-2013-0169 and CVE-2013-0166 to these
      issues.

      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is
      available.

        VMware          Product   Running  Replace with/
        Product         Version   on       Apply Patch
        ==============  ========  =======  =================
        vCenter         5.1       Windows  patch pending
        vCenter         5.0       Windows  vCenter 5.0 Update 3
        vCenter         4.1       Windows  patch pending
        vCenter         4.0       Windows  patch pending
       
        ESXi            5.1       ESXi     patch pending
        ESXi            5.0       ESXi     ESXi500-201310101-SG
        ESXi            4.1       ESXi     ESXi410-201307401-SG
        ESXi            4.0       ESXi     patch pending

        ESX             4.1       ESX      ESX410-201307403-SG
        ESX             4.0       ESX      patch pending

   b. Service Console (COS) update for OpenSSL library

      The Service Console OpenSSL library is updated to version
      openssl-0.9.8e-26.el5_9.1 to resolve multiple security issues.

      The Common Vulnerabilities and Exposures project (cve.mitre.org)
      has assigned the names CVE-2013-0169 and CVE-2013-0166 to these
      issues.

      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is
      available.

        VMware          Product   Running  Replace with/
        Product         Version   on       Apply Patch
        ==============  ========  =======  =================
        ESXi            any       any      not applicable

        ESX             4.1       ESX      ESX410-201307403-SG
        ESX             4.0       ESX      ESX400-201310401-SG
 
   c. ESX Userworld and Service Console (COS) update for libxml2 library

      The ESX Userworld and Service Console libxml2 library is updated to
      version libxml2-2.6.26-2.1.21.el5_9.1 and
      libxml2-python-2.6.26-2.1.21.el5_9.1 to resolve a security issue.

      The Common Vulnerabilities and Exposures project (cve.mitre.org)
      has assigned the name CVE-2013-0338 to this issue.

      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is
      available.

        VMware          Product   Running  Replace with/
        Product         Version   on       Apply Patch
        ==============  ========  =======  =================
        ESXi            5.1       ESXi     patch pending
        ESXi            5.0       ESXi     ESXi500-201310101-SG
        ESXi            4.1       ESXi     ESXi410-201307401-SG
        ESXi            4.0       ESXi     ESXi400-201310401-SG
     
        ESX             4.1       ESX      ESX410-201307405-SG
        ESX             4.0       ESX      ESX400-201310402-SG
    
   d. Service Console (COS) update for GnuTLS library

      The ESX service console GnuTLS RPM is updated to version
      gnutls-1.4.1-10.el5_9.1 to resolve a security issue.

      The Common Vulnerabilities and Exposures project (cve.mitre.org)
      has assigned the name CVE-2013-2116 to this issue.

      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is
      available.

        VMware          Product   Running  Replace with/
        Product         Version   on       Apply Patch
        ==============  ========  =======  =================
        ESXi            any       ESXi     not applicable

        ESX             4.1       ESX      ESX410-201307404-SG
        ESX             4.0       ESX      ESX400-201310401-SG

   e. ESX third party update for Service Console kernel

      The ESX Service Console Operating System (COS) kernel is updated
      to kernel-2.6.18-348.3.1.el5 which addresses several security
      issues in the COS kernel.

      The Common Vulnerabilities and Exposures project (cve.mitre.org)
      has assigned the names CVE-2013-0268 and CVE-2013-0871 to these
      issues.

      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is
      available.

        VMware          Product   Running  Replace with/
        Product         Version   on       Apply Patch
        ==============  ========  =======  =================
        ESXi            any       ESXi     not affected

        ESX             4.1       ESX      ESX410-201307401-SG
        ESX             4.0       ESX      ESX400-201310401-SG
 
4. Solution

   Please review the patch/release notes for your product and version
   and verify the checksum of your downloaded file.

   vCenter Server 5.0 Update 3
   ---------------------------
   The download for vCenter Server includes vSphere Update Manager, vSphere
   Client and vCenter Orchestrator.

   Download link:
   https://downloads.vmware.com/d/info/datacenter_cloud_infrastructure/vmware_vsphere/5_0

   Release Notes:
   vSphere vCenter Server
   https://www.vmware.com/support/pubs/vsphere-esxi-vcenter-server-pubs.html

   ESXi and ESX
   ------------
   http://downloads.vmware.com/go/selfsupport-download

   ESXi 5.0
   --------
   File: update-from-esxi5.0-5.0_update03.zip
   md5sum: 7e6185fa3238a4895613b39e57a2a94b
   sha1sum: aa3929d2c8183aeaecdc238cbbf4d270bd70dd07
   http://kb.vmware.com/kb/2055559

   ESXi 4.1
   --------
   File: ESXi410-201307001.zip
   md5sum: b171ea162cd753782483fa64196e8152
   sha1sum: f2f19db06864a05eb4fdfea57626576f2836e718
   http://kb.vmware.com/kb/2053396

   ESX 4.1
   -------
   File: ESX410-201307001.ZIP
   md5sum: 60f15f96454b953f7747486a6a261e4f
   sha1sum: 8e494b450f539ed65729205333dc3598d6ba87f8
   http://kb.vmware.com/kb/2053393

   ESXi 4.0
   --------
   File: ESXi400-201310001.zip
   md5sum: 3075bce1b19a52b053a5dc18d06d40e0
   sha1sum: 19952da0dd9f81ea299cb8ae6c462f11566b56e0
   http://kb.vmware.com/kb/2059496

   ESX 4.0
   -------
   File: ESX400-201310001.zip
   md5sum: 9d47cf815ed142a17f97002379b5e386
   sha1sum: 91082ec4263333f9b996883cb53dbe9aab7a88b5
   http://kb.vmware.com/kb/2059490
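
   The Solution section above asks the reader to verify the checksum of
   each downloaded file against the md5sum and sha1sum lines it lists. The
   script below is an added example (not part of the original advisory and
   not a VMware tool) of doing that systematically: it parses the
   File/md5sum/sha1sum triples out of the advisory text, hashes every bundle
   found in a download directory in one streaming pass, and reports ok,
   missing or mismatch per file. The embedded excerpt carries the ESXi 5.0
   and ESXi 4.1 entries printed above; the patch bundles themselves are not
   available offline, so the end-to-end run uses a constructed three-byte
   stand-in file with standard published digests, plus a copy altered by one
   byte to show a mismatch. Checking both digests against a PGP-signed
   advisory ties the file to the signed text rather than to whatever a
   download page happens to display.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed excerpt in the layout of the advisory's "4. Solution" section.
# File names and digests are the ones printed in VMSA-2013-0009.2 for two of
# the bundles; the zip files themselves are not available offline.
ADVISORY_EXCERPT = """\
   ESXi 5.0
   --------
   File: update-from-esxi5.0-5.0_update03.zip
   md5sum: 7e6185fa3238a4895613b39e57a2a94b
   sha1sum: aa3929d2c8183aeaecdc238cbbf4d270bd70dd07
   http://kb.vmware.com/kb/2055559

   ESXi 4.1
   --------
   File: ESXi410-201307001.zip
   md5sum: b171ea162cd753782483fa64196e8152
   sha1sum: f2f19db06864a05eb4fdfea57626576f2836e718
   http://kb.vmware.com/kb/2053396
"""

# One "File:/md5sum:/sha1sum:" triple as the advisory prints it.
ENTRY_RE = re.compile(
    r"File:\s*(?P<file>\S+)\s*\n"
    r"\s*md5sum:\s*(?P<md5>[0-9a-fA-F]{32})\s*\n"
    r"\s*sha1sum:\s*(?P<sha1>[0-9a-fA-F]{40})"
)

def parse_checksums(text):
    """Map each bundle file name to its expected digests, lower-cased."""
    return {m["file"]: {"md5": m["md5"].lower(), "sha1": m["sha1"].lower()}
            for m in ENTRY_RE.finditer(text)}

def digest_file(path, chunk_size=1 << 20):
    """md5 and sha1 of a file in a single streaming pass (bundles are large)."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}

def verify_download(path, expected):
    """Return (ok, mismatched algorithms). Both digests must match; one
    mismatch already means the file is not the one the advisory describes."""
    actual = digest_file(path)
    mismatches = [a for a in ("md5", "sha1") if actual[a] != expected[a]]
    return not mismatches, mismatches

def verify_directory(directory, entries):
    """Check every bundle named in the advisory against a download directory.
    Per-file result: "ok", "missing", or "mismatch:<algorithms>"."""
    report = {}
    for name, expected in entries.items():
        path = Path(directory) / name
        if not path.is_file():
            report[name] = "missing"
            continue
        ok, bad = verify_download(path, expected)
        report[name] = "ok" if ok else "mismatch:" + ",".join(bad)
    return report

# Constructed stand-in for a downloaded bundle: the standard published
# md5/sha1 test vectors for the input b"abc" (not a VMware file).
SAMPLE_DATA = b"abc"
SAMPLE_EXPECTED = {"md5": "900150983cd24fb0d6963f7d28e17f72",
                   "sha1": "a9993e364706816aba3e25717850c26c9cd0d89d"}

def demo():
    """End-to-end run on constructed files: an intact copy, a copy altered by
    one byte, and the advisory entries with no matching download present."""
    entries = parse_checksums(ADVISORY_EXCERPT)
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp) / "sample-bundle.zip"
        good.write_bytes(SAMPLE_DATA)
        tampered = Path(tmp) / "tampered-bundle.zip"
        tampered.write_bytes(b"abd")
        good_ok, _ = verify_download(good, SAMPLE_EXPECTED)
        bad_ok, bad_algs = verify_download(tampered, SAMPLE_EXPECTED)
        report = verify_directory(tmp, entries)
    return {"entries": sorted(entries), "good_ok": good_ok,
            "tampered_ok": bad_ok, "tampered_mismatches": bad_algs,
            "report": report}

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

   In use, save the advisory text after checking its PGP signature against
   the key referenced in section 7, point verify_directory at the directory
   holding the zip files, and treat any result other than ok as a reason not
   to stage that bundle.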
   
5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0166
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0169
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0338
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2116
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0871
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0268

- -----------------------------------------------------------------------

6. Change log

   2013-07-31 VMSA-2013-0009
   Initial security advisory in conjunction with the release of
   ESX 4.1 patches on 2013-07-31.

   2013-10-17 VMSA-2013-0009.1
   Updated security advisory in conjunction with the release of vSphere
   5.0 Update 3 on 2013-10-17.

   2013-10-24 VMSA-2013-0009.2
   Updated security advisory in conjunction with the release of ESX 4.0
   patches on 2013-10-24.
 

- -----------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
   
   This Security Advisory is posted to the following lists:
   
     * security-announce at lists.vmware.com
     * bugtraq at securityfocus.com
     * full-disclosure at lists.grok.org.uk
   
   E-mail:  security at vmware.com
   PGP key at: http://kb.vmware.com/kb/1055
   
   VMware Security Advisories
   http://www.vmware.com/security/advisories
   
   VMware security response policy
   http://www.vmware.com/support/policies/security_response.html
   
   General support life cycle policy
   http://www.vmware.com/support/policies/eos.html
   
   VMware Infrastructure support life cycle policy
   http://www.vmware.com/support/policies/eos_vi.html
   
   Copyright 2013 VMware Inc. All rights reserved.


-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8

wj8DBQFSafYgDEcm8Vbi9kMRAsMiAKDbAu6/Kp8sJlDsZbDmg6Jq7t5j9gCg+X6b
FyUlG1vxepAYkWjU5F/q++4=
=2s1W
-----END PGP SIGNATURE-----



