VMware Security Advisory: VMSA-2013-0009.3

The third and final advisory released relates to issues with SSL and the userworld.

Synopsis: VMware vSphere, ESX and ESXi updates to third party libraries
Issue date: 2013-07-31
Updated on: 2014-01-16
CVE number:
OpenSSL: CVE-2013-0169, CVE-2013-0166
libxml2 (COS and userworld): CVE-2013-0338
GnuTLS (COS): CVE-2013-2116
Kernel (COS): CVE-2013-0268, CVE-2013-0871

1. Summary

VMware has updated several third party libraries in vCenter Server, ESX and ESXi to address multiple security vulnerabilities.

2. Relevant releases

VMware vCenter 5.1 without Update 2
VMware vCenter 5.0 without Update 3
VMware ESXi 5.1 without patch ESXi510-201401101
VMware ESXi 5.0 without Update 3
VMware ESXi 4.1 without patch ESXi410-201307001
VMware ESX 4.1 without patch ESX410-201307001
VMware ESX 4.0 without patch ESX400-201310001

3. Problem Description

a. vCenter Server and ESX userworld update for OpenSSL library

The userworld OpenSSL library is updated to version openssl-0.9.8y to resolve multiple security issues.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2013-0169 and CVE-2013-0166 to these issues.

Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware Product   Product Version   Running on   Replace with/Apply Patch
vCenter          5.1               Windows      vCenter 5.1 Update 2
vCenter          5.0               Windows      vCenter 5.0 Update 3
vCenter          4.1               Windows      patch pending
vCenter          4.0               Windows      patch pending
ESXi             5.1               ESXi         ESXi510-201401101-SG
ESXi             5.0               ESXi         ESXi500-201310101-SG
ESXi             4.1               ESXi         ESXi410-201307401-SG
ESXi             4.0               ESXi         patch pending
ESX              4.1               ESX          ESX410-201307403-SG
ESX              4.0               ESX          patch pending

b. Service Console (COS) update for OpenSSL library

The Service Console OpenSSL library is updated to version openssl-0.9.8e-26.el5_9.1 to resolve multiple security issues.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2013-0169 and CVE-2013-0166 to these issues.

Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware Product   Product Version   Running on   Replace with/Apply Patch
ESXi             any               any          not applicable
ESX              4.1               ESX          ESX410-201307403-SG
ESX              4.0               ESX          ESX400-201310401-SG

c. ESX Userworld and Service Console (COS) update for libxml2 library

The ESX Userworld and Service Console libxml2 library is updated to versions libxml2-2.6.26-2.1.21.el5_9.1 and libxml2-python-2.6.26-2.1.21.el5_9.1 to resolve a security issue.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-0338 to this issue.

Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware Product   Product Version   Running on   Replace with/Apply Patch
ESXi             5.1               ESXi         ESXi510-201401101-SG
ESXi             5.0               ESXi         ESXi500-201310101-SG
ESXi             4.1               ESXi         ESXi410-201307401-SG
ESXi             4.0               ESXi         patch pending
ESX              4.1               ESX          ESX410-201307405-SG
ESX              4.0               ESX          ESX400-201310402-SG

d. Service Console (COS) update for GnuTLS library

The ESX Service Console GnuTLS RPM is updated to version gnutls-1.4.1-10.el5_9.1 to resolve a security issue.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-2116 to this issue.

Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware Product   Product Version   Running on   Replace with/Apply Patch
ESXi             any               ESXi         not affected
ESX              4.1               ESX          ESX410-201307404-SG
ESX              4.0               ESX          ESX400-201310401-SG

e. ESX third party update for Service Console kernel

The ESX Service Console Operating System (COS) kernel is updated to kernel-2.6.18-348.3.1.el5, which addresses several security issues in the COS kernel.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2013-0268 and CVE-2013-0871 to these issues.

Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware Product   Product Version   Running on   Replace with/Apply Patch
ESXi             any               ESXi         not affected
ESX              4.1               ESX          ESX410-201307401-SG
ESX              4.0               ESX          ESX400-201310401-SG

4. Solution

Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.

vCenter Server 5.1 Update 2
The download for vCenter Server includes vSphere Update Manager, vSphere Client and vCenter Orchestrator.
Download link:
https://downloads.vmware.com/d/info/datacenter_cloud_infrastructure/vmware_vsphere/5_1
Release Notes:
vSphere vCenter Server
https://www.vmware.com/support/pubs/vsphere-esxi-vcenter-server-pubs.html

vCenter Server 5.0 Update 3
The download for vCenter Server includes vSphere Update Manager, vSphere Client and vCenter Orchestrator.
Download link:
https://downloads.vmware.com/d/info/datacenter_cloud_infrastructure/vmware_vsphere/5_0

Release Notes:
vSphere vCenter Server
https://www.vmware.com/support/pubs/vsphere-esxi-vcenter-server-pubs.html

ESXi and ESX
http://downloads.vmware.com/go/selfsupport-download

ESXi 5.1
File: update-from-esxi5.1-5.1_update02.zip
md5sum: 462cb98dc011804d3bad85f54f6b8133
sha1sum: 0352bf0adc78ceead74c7ace256ed87705e64703
http://kb.vmware.com/kb/2062314
update-from-esxi5.1-5.1_update02 contains ESXi510-201401101-SG

ESXi 5.0
File: update-from-esxi5.0-5.0_update03.zip
md5sum: 18a294b0a3baf74925989febcd9d0877
sha1sum: d0dccad7eb769fc0efb9c04428f065c933e91a17
http://kb.vmware.com/kb/2055559

ESXi 4.1
File: ESXi410-201307001.zip
md5sum: b171ea162cd753782483fa64196e8152
sha1sum: f2f19db06864a05eb4fdfea57626576f2836e718
http://kb.vmware.com/kb/2053396

ESX 4.1
File: ESX410-201307001.ZIP
md5sum: 60f15f96454b953f7747486a6a261e4f
sha1sum: 8e494b450f539ed65729205333dc3598d6ba87f8
http://kb.vmware.com/kb/2053393

ESX 4.0
File: ESX400-201310001.zip
md5sum: 9d47cf815ed142a17f97002379b5e386
sha1sum: 91082ec4263333f9b996883cb53dbe9aab7a88b5
http://kb.vmware.com/kb/2059490

5. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0166
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0169
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0338
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2116
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0871
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0268

6. Change log

2013-07-31 VMSA-2013-0009
Initial security advisory in conjunction with the release of ESX 4.1 patches on 2013-07-31.
2013-10-24 VMSA-2013-0009.1
Updated security advisory in conjunction with the release of vSphere 5.0 Update 3 on 2013-10-17.
2013-10-24 VMSA-2013-0009.2
Updated security advisory in conjunction with the release of ESX 4.0 patches on 2013-10-24.
2014-01-16 VMSA-2013-0009.3
Updated security advisory in conjunction with the release of vSphere 5.1 Update 2 on 2014-01-16.

7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055

VMware Security Advisories
http://www.vmware.com/security/advisories

VMware security response policy
http://www.vmware.com/support/policies/security_response.html

General support life cycle policy
http://www.vmware.com/support/policies/eos.html

VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html