VMware Security Advisory:- VMSA-2011-0012

The first of three newly released advisories, This is a new one relating to the service console and some updates to thrid party libraries.

Synopsis: VMware ESXi and ESX updates to third party libraries and ESX Service Console
Issue date: 2011-10-12
Updated on: 2011-10-12 (initial release of advisory)
CVE numbers <— COS Kernel —

CVE-2010-1083, CVE-2010-2492, CVE-2010-2798, CVE-2010-2938, CVE-2010-2942, CVE-2010-2943, CVE-2010-3015, CVE-2010-3066, CVE-2010-3067, CVE-2010-3078, CVE-2010-3086, CVE-2010-3296,
CVE-2010-3432, CVE-2010-3442, CVE-2010-3477, CVE-2010-3699, CVE-2010-3858, CVE-2010-3859, CVE-2010-3865, CVE-2010-3876, CVE-2010-3877, CVE-2010-3880, CVE-2010-3904, CVE-2010-4072,
CVE-2010-4073, CVE-2010-4075, CVE-2010-4080, CVE-2010-4081, CVE-2010-4083, CVE-2010-4157, CVE-2010-4158, CVE-2010-4161, CVE-2010-4238, CVE-2010-4242, CVE-2010-4243, CVE-2010-4247,
CVE-2010-4248, CVE-2010-4249, CVE-2010-4251, CVE-2010-4255, CVE-2010-4263, CVE-2010-4343, CVE-2010-4346, CVE-2010-4526, CVE-2010-4655, CVE-2011-0521, CVE-2011-0710, CVE-2011-1010,
CVE-2011-1090, CVE-2011-1478

— COS krb5 —

CVE-2010-1323, CVE-2011-0281, CVE-2011-0282

— glibc library —

CVE-2010-0296, CVE-2011-0536, CVE-2011-1071CVE-2011-1095, CVE-2011-1658, CVE-2011-1659

— mtp2sas —

CVE-2011-1494, CVE-2011-149

1. Summary

VMware ESXi and ESX updates to third party libraries and ESX Service Console address several security issues.

2. Relevant releases

ESXi 4.0 without patch ESXi400-201110401-SG.

ESX 4.0 without patches ESX400-201110401-SG, ESX400-201110403-SG, ESX400-201110409-SG

3. Problem Description

a. ESX third party update for Service Console kernel This update takes the console OS kernel package to kernel-2.6.18-238.9.1 which resolves multiple security issues. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2010-1083, CVE-2010-2492, CVE-2010-2798, CVE-2010-2938, CVE-2010-2942, CVE-2010-2943, CVE-2010-3015, CVE-2010-3066, CVE-2010-3067, CVE-2010-3078, CVE-2010-3086, CVE-2010-3296, CVE-2010-3432, CVE-2010-3442, CVE-2010-3477, CVE-2010-3699, CVE-2010-3858, CVE-2010-3859, CVE-2010-3865, CVE-2010-3876, CVE-2010-3877, CVE-2010-3880, CVE-2010-3904, CVE-2010-4072, CVE-2010-4073, CVE-2010-4075, CVE-2010-4080, CVE-2010-4081, CVE-2010-4083, CVE-2010-4157, CVE-2010-4158, CVE-2010-4161, CVE-2010-4238, CVE-2010-4242, CVE-2010-4243, CVE-2010-4247, CVE-2010-4248, CVE-2010-4249, CVE-2010-4251, CVE-2010-4255, CVE-2010-4263, CVE-2010-4343, CVE-2010-4346, CVE-2010-4526, CVE-2010-4655, CVE-2011-0521, CVE-2011-0710, CVE-2011-1010, CVE-2011-1090 and CVE-2011-1478 to these issues.

Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware Product Product Version Running on Replace with/Apply Patch
vCenter any Windows not affected
hosted * any any not affected
ESXi any ESXi not affected
ESX 5.0 ESX not affected
ESX 4.1 ESX patch pending
ESX 4.0 ESX ESX400-201110401-SG
ESX 3.5 ESX not applicable
ESX 3.0.3 ESX not applicable

* hosted products are VMware Workstation, Player, ACE, Fusion.

b. ESX third party update for Service Console krb5 RPMs This patch updates the krb5-libs and krb5-workstation RPMs of the console OS to version 1.6.1-55.el5_6.1, which resolves multiple security issues.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2010-1323, CVE-2011-0281, and CVE-2011-0282 to these issues.

Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware Product Product Version Running on Replace with/Apply Patch
vCenter any Windows not affected
hosted * any any not affected
ESXi any ESXi not affected
ESX 5.0 ESX not affected
ESX 4.1 ESX patch pending
ESX 4.0 ESX ESX400-201110403-SG
ESX 3.5 ESX not applicable
ESX 3.0.3 ESX not applicable

* hosted products are VMware Workstation, Player, ACE, Fusion.

c. ESXi and ESX update to third party component glibc The glibc third-party library is updated to resolve multiple security issues.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2010-0296, CVE-2011-0536, CVE-2011-1071, CVE-2011-1095, CVE-2011-1658, and CVE-2011-1659 to these issues.

Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware Product Product Version Running on Replace with/Apply Patch
vCenter any Windows not affected
hosted * any any not affected
ESXi 4.1 ESXi patch pending
ESXi 4.0 ESXi ESXi400-201110401-SG
ESXi 3.5 ESXi patch pending
ESX 5.0 ESX patch pending
ESX 4.1 ESX patch pending
ESX 4.0 ESX ESX400-201110401-SG
ESX 3.5 ESX Patch pending
ESX 3.0.3 ESX no patch planned

* hosted products are VMware Workstation, Player, ACE, Fusion.

d. ESX update to third party drivers mptsas, mpt2sas, and mptspi The mptsas, mpt2sas, and mptspi drivers are updated which addresses multiple security issues in the mpt2sas driver.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2011-1494 and CVE-2011-1495 to these issues.

VMware Product Product Version Running on Replace with/Apply Patch
vCenter any Windows not affected
hosted * any any not affected
ESXi any ESXi not applicable
ESX 5.0 ESX not applicable
ESX 4.1 ESX patch pending
ESX 4.0 ESX ESX400-201110409-SG
ESX 3.5 ESX Patch pending
ESX 3.0.3 ESX no patch planned

4. Solution

Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.

ESXi 4.0

ESXi400-201110001
https://hostupdate.vmware.com/software/VUM/OFFLINE/release-315-20111006-920880/ESXi400-201110001.zip
md5sum: fd47b5e2b7ea1db79a2e0793d4c9d9d3
sha1sum: 759d4fa6da6eb49f41def68e3bd66e80c9a7032b
http://kb.vmware.com/kb/1036397
ESXi400-201110001 contains ESXi400-201110401-SG

ESX 4.0

ESX400-201110001
https://hostupdate.vmware.com/software/VUM/OFFLINE/release-314-20111006-398488/ESX400-201110001.zip

md5sum: 0ce9cc285ea5c27142c9fdf273443d78
sha1sum: fdb5482b2bf1e9c97f2814255676e3de74512399
http://kb.vmware.com/kb/1036391
ESX400-201110001 contains ESX400-201110401-SG, ESX400-201110403-SG and ESX400-201110409-SG.

5. References

CVE numbers

— COS Kernel —

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1083
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2492
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2798
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2938
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2942
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2943
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3015
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3066
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3067
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3078
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3086
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3296
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3432
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3442
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3477
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3699
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3858
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3859
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3865
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3876
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3877
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3880
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3904
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4072
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4073
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4075
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4080
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4081
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4083
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4157
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4158
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4161
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4238
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4242
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4243
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4247
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4248
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4249
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4251
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4255
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4263
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4343
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4346
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4526
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4655
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0521
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0710
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1010
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1090
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1478

— COS krb5 —

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1323
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0281
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0282

— glibc library —

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0296
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0536
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1071
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1095
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1658
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1659

— mtp2sas —

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1494
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1495

6. Change log

2011-10-12 VMSA-2011-0012
Initial security advisory in conjunction with the release of patches for ESX 4.0 and ESXi 4.0 on 2011-10-12.

7. Contact

E-mail list for product security notifications and announcements:

http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

* security-announce at lists.vmware.com

* bugtraq at securityfocus.com

* full-disclosure at lists.grok.org.uk

E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055

VMware Security Advisories
http://www.vmware.com/security/advisories

VMware security response policy
http://www.vmware.com/support/policies/security_response.html

General support life cycle policy
http://www.vmware.com/support/policies/eos.html

VMware Infrastructure support life cycle policy http://www.vmware.com/support/policies/eos_vi.html

Copyright 2011 VMware Inc. All rights reserved.