VMware Security Advisory: VMSA-2014-0001

It has been a little quiet on the VMware Security Advisories lately, but today, a little bit like buses, along come three at once.

The first is a brand new one and addresses a number of potential vulnerabilities, two of which are circumvented by good design principles, like placing hosts on a separate protected network. The final section relates to a common MITM attack vector.

Another one for which I have been remiss; this update was released on the 4th October.

Synopsis: VMware hosted products address remote code execution vulnerability
Issue date 2011-10-04
Updated on 2011-10-04 (initial release of advisory)
CVE numbers CVE-2011-3868

1. Summary

Hosted product updates address a remote code execution vulnerability in the way UDF file systems are handled.

2. Relevant releases

VMware Workstation 7.1.4 and earlier

VMware Player 3.1.4 and earlier

VMware Fusion 3.1.2 and earlier

3. Problem Description

a. UDF file system import remote code execution

A buffer overflow vulnerability is present in the way UDF file systems are handled. This issue could allow for code execution if a user installs from a malicious ISO image that was specially crafted by an attacker.

VMware would like to thank an anonymous contributor working with the SecuriTeam Secure Disclosure program for reporting this issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2011-3868 to the issue.

Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware Product    Product Version   Running on   Replace with/Apply Patch
----------------  ----------------  -----------  ------------------------
vCenter           any               Windows      not affected
Workstation       8.x               any          not affected
Workstation       7.x               any          7.1.5 or later
Player            3.x               any          3.1.5 or later
AMS               any               any          not affected
Fusion            4.x               Mac OS/X     not affected
Fusion            3.1.x             Mac OS/X     3.1.3 or later
ESXi              any               ESXi         not affected
ESX               any               ESX          not affected

4. Solution

Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.

VMware Workstation 7.1.5
http://www.vmware.com/go/downloadworkstation

Release notes:

http://downloads.vmware.com/support/ws71/doc/releasenotes_ws715.html

VMware Workstation for Windows 32-bit and 64-bit with VMware Tools
md5sum: 40a0a39377a6ba804d5e76e59449d51f
sha1sum: 25462e18bf9439876c63948415f7ba7b09baa8e6

VMware Workstation for Linux 32-bit with VMware Tools
md5sum: 9c9b4d7a749f1baa485f26e6f366c070
sha1sum: 31033424656b8eaaa814f3e9c3b5b9c5c53b783b

VMware Workstation for Linux 64-bit with VMware Tools
md5sum: 482b8b2890f75488addfc31418031864
sha1sum: b1f73650f70c94249e5add5d9516d0e45c4ae87d

VMware Player 3.1.5
http://www.vmware.com/go/downloadplayer

Release notes:

https://www.vmware.com/support/player31/doc/releasenotes_player315.html

VMware Player for 32-bit and 64-bit Windows
md5sum: fcc91227963e58efcb63fb791d2fd813
sha1sum: d39d9da694c22530a7fa701e3ded6cccdc3ea390

VMware Player for 32-bit Linux
md5sum: c96867c8093d23065bed7e71e020bb19
sha1sum: 4156bdfb7f679114671b416d178028fdc4d3beb4

VMware Player for 64-bit Linux
md5sum: 1ec954f1baaf6a60e451979b5e88f2d6
sha1sum: a253a486d6c6848620de200ef1837ced903daa1c

VMware Fusion 3.1.3

http://www.vmware.com/go/downloadfusion

Release notes:

http://downloads.vmware.com/support/fusion3/doc/releasenotes_fusion_313.html

VMware Fusion for Intel-based Macs
md5sum: f35ac5c15354723468257d2a48dc4f76
sha1sum: 3c849a62c45551fddb16eebf298cef7279d622a9

5. References

CVE numbers

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3868

6. Change log

2011-10-04 VMSA-2011-0011
Initial security advisory in conjunction with the release of VMware Workstation 7.1.5 and Player 3.1.5 on 2011-10-04.

7. Contact

E-mail list for product security notifications and announcements:

http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

  • Security-announce at lists.vmware.com
  • bugtraq at securityfocus.com
  • full-disclosure at lists.grok.org.uk

E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055

VMware Security Advisories
http://www.vmware.com/security/advisories

VMware security response policy
http://www.vmware.com/support/policies/security_response.html

General support life cycle policy
http://www.vmware.com/support/policies/eos.html

VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html

Copyright 2011 VMware Inc. All rights reserved.

3 of 5, and a third-time update. This relates to 3.5, so no action is needed if you are running 4.0 or 4.1.

Synopsis: VMware ESX third party updates for Service Console packages glibc and dhcp
Issue date: 2011-07-28
Updated on: 2012-03-08
CVE numbers: CVE-2010-0296 CVE-2011-0536 CVE-2011-0997 CVE-2011-1071
CVE-2011-1095 CVE-2011-1658 CVE-2011-1659

VMware Security Advisory: VMSA-2012-0013.1

This is 8 of 8 and another updated Advisory.

Synopsis: VMware vSphere and vCOps updates to third party libraries
Issue date 2012-08-30
Updated on 2012-09-13
CVE numbers — JRE —
See references
— OpenSSL (userworld) —
CVE-2010-4180, CVE-2010-4252, CVE-2011-0014, CVE-2011-4108, CVE-2011-4109, CVE-2011-4576, CVE-2011-4577, CVE-2011-4619, CVE-2012-0050
— OpenSSL (service console) —
CVE-2012-2110
— kernel (service console) —
CVE-2011-1833, CVE-2011-2484, CVE-2011-2496, CVE-2011-3188, CVE-2011-3209, CVE-2011-3363, CVE-2011-4110, CVE-2011-1020, CVE-2011-4132, CVE-2011-4324, CVE-2011-4325, CVE-2012-0207, CVE-2011-2699, CVE-2012-1583
— Perl (service console) —
CVE-2010-2761, CVE-2010-4410, CVE-2011-3597
— libxml2 (service console) —
CVE-2012-0841
— glibc (service console) —
CVE-2009-5029, CVE-2009-5064, CVE-2010-0830, CVE-2011-1089, CVE-2011-4609, CVE-2012-0864
— GnuTLS (service console) —
CVE-2011-4128, CVE-2012-1569, CVE-2012-1573
— popt and rpm (service console) —
CVE-2012-0060, CVE-2012-0061, CVE-2012-0815
— Apache struts —
CVE-2012-0393

1. Summary

VMware has updated several third party libraries in vSphere and vCOps to address multiple security vulnerabilities.

2. Relevant releases

VMware vCenter 4.1 without Update 3
VMware vCenter 4.0 without Update 4a
VMware vCenter Update Manager 4.1 without Update 3
VMware vCenter Update Manager 4.0 without Update 4a
VMware ESX 4.1 without patches ESX410-201208101-SG, ESX410-201208102-SG,
ESX410-201208103-SG, ESX410-201208104-SG, ESX410-201208105-SG, ESX410-201208106-SG, ESX410-201208107-SG
VMware ESX 4.0 without patches ESX400-201209401-SG, ESX400-201209402-SG, ESX400-201209404-SG
VMware ESXi 4.1 without patch ESXi410-201208101-SG
VMware vCOps 5.0.2 or earlier

3. Problem Description

a. vCenter and ESX update to JRE 1.6.0 Update 31

The Oracle (Sun) JRE is updated to version 1.6.0_31, which addresses multiple security issues. Oracle has documented the CVE identifiers that are addressed by this update in the Oracle Java SE Critical Patch Update Advisory of February 2012.

Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware Product    Product Version   Running on   Replace with/Apply Patch
----------------  ----------------  -----------  ------------------------
vCenter           5.0               Windows      patch pending
vCenter           4.1               Windows      vCenter 4.1 Update 3
vCenter           4.0               Windows      not applicable **
VirtualCenter     2.5               Windows      not applicable **
Update Manager    5.0               Windows      patch pending
Update Manager    4.1               Windows      not applicable **
Update Manager    4.0               Windows      not applicable **
hosted *          any               any          not affected
ESXi              any               ESXi         not applicable
ESX               4.1               ESX          ESX410-201208101-SG
ESX               4.0               ESX          not applicable **
ESX               3.5               ESX          not applicable **

* hosted products are VMware Workstation, Player, ACE, Fusion.

** this product uses the Oracle (Sun) JRE 1.5.0 family

b. vCenter Update Manager update to JRE 1.5.0 Update 36

The Oracle (Sun) JRE is updated to 1.5.0_36 to address multiple security issues. Oracle has documented the CVE identifiers that are addressed in JRE 1.5.0_36 in the Oracle Java SE Critical Patch Update Advisory for June 2012.

Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware Product    Product Version   Running on   Replace with/Apply Patch
----------------  ----------------  -----------  ------------------------
vCenter           5.0               Windows      not applicable **
vCenter           4.1               Windows      not applicable **
vCenter           4.0               Windows      vCenter 4.0 Update 4a
VirtualCenter     2.5               Windows      patch pending
Update Manager    5.0               Windows      not applicable **
Update Manager    4.1               Windows      Update Manager 4.1 Update 3
Update Manager    4.0               Windows      Update Manager 4.0 Update 4a
hosted *          any               any          not affected
ESXi              any               ESXi         not affected
ESX               4.1               ESX          not applicable **
ESX               4.0               ESX          ESX400-201209401-SG
ESX               3.5               ESX          patch pending

* hosted products are VMware Workstation, Player, ACE, Fusion.

** this product uses the Oracle (Sun) JRE 1.6.0 family

c. Update to ESX/ESXi userworld OpenSSL library

The ESX/ESXi userworld OpenSSL library is updated from version 0.9.8p to version 0.9.8t to resolve multiple security issues.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2010-4180, CVE-2010-4252, CVE-2011-0014, CVE-2011-4108, CVE-2011-4109, CVE-2011-4576, CVE-2011-4577, CVE-2011-4619, and CVE-2012-0050 to these issues.

Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware Product    Product Version   Running on   Replace with/Apply Patch
----------------  ----------------  -----------  ------------------------
ESXi              5.0               ESXi         patch pending
ESXi              4.1               ESXi         ESXi410-201208101-SG
ESXi              4.0               ESXi         patch pending
ESXi              3.5               ESXi         patch pending
ESX               4.1               ESX          ESX410-201208101-SG
ESX               4.0               ESX          patch pending
ESX               3.5               ESX          patch pending

d. Update to ESX service console OpenSSL RPM

The service console OpenSSL RPM is updated to version 0.9.8e-22.el5_8.3 to resolve a security issue.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2012-2110 to this issue.

Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware Product    Product Version   Running on   Replace with/Apply Patch
----------------  ----------------  -----------  ------------------------
ESXi              any               ESXi         not applicable
ESX               4.1               ESX          ESX410-201208103-SG
ESX               4.0               ESX          ESX400-201209401-SG
ESX               3.5               ESX          not applicable

e. Update to ESX service console kernel

The ESX service console kernel is updated to resolve multiple security issues.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2011-1833, CVE-2011-2484, CVE-2011-2496, CVE-2011-3188, CVE-2011-3209, CVE-2011-3363, CVE-2011-4110, CVE-2011-1020, CVE-2011-4132, CVE-2011-4324, CVE-2011-4325, CVE-2012-0207, CVE-2011-2699, and CVE-2012-1583 to these issues.

Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware Product    Product Version   Running on   Replace with/Apply Patch
----------------  ----------------  -----------  ------------------------
ESXi              any               ESXi         not applicable
ESX               4.1               ESX          ESX410-201208101-SG
ESX               4.0               ESX          ESX400-201209401-SG *
ESX               3.5               ESX          not applicable

* The service console kernel update on ESX 4.0 addresses CVEs that are labeled important. These are CVE-2012-0207, CVE-2011-2699, and CVE-2012-1583.

f. Update to ESX service console Perl RPM

The ESX service console Perl RPM is updated to perl-5.8.8.32.1.8999.vmw to resolve multiple security issues.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2010-2761, CVE-2010-4410, and CVE-2011-3597 to these issues.

Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware Product    Product Version   Running on   Replace with/Apply Patch
----------------  ----------------  -----------  ------------------------
ESXi              any               ESXi         not applicable
ESX               4.1               ESX          ESX410-201208107-SG
ESX               4.0               ESX          Patch pending
ESX               3.5               ESX          not applicable

g. Update to ESX service console libxml2 RPMs

The ESX service console libxml2 RPMs are updated to libxml2-2.6.26-2.1.15.el5_8.2 and libxml2-python-2.6.26-2.1.15.el5_8.2 to resolve a security issue.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2012-0841 to this issue.

Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware Product    Product Version   Running on   Replace with/Apply Patch
----------------  ----------------  -----------  ------------------------
ESXi              any               ESXi         not applicable
ESX               4.1               ESX          ESX410-201208102-SG
ESX               4.0               ESX          ESX400-201209402-SG
ESX               3.5               ESX          not applicable **

h. Update to ESX service console glibc RPM

The ESX service console glibc RPM is updated to version glibc-2.5-81.el5_8.1 to resolve multiple security issues.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2009-5029, CVE-2009-5064, CVE-2010-0830, CVE-2011-1089, CVE-2011-4609, and CVE-2012-0864 to these issues.

Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware Product    Product Version   Running on   Replace with/Apply Patch
----------------  ----------------  -----------  ------------------------
ESXi              any               ESXi         not applicable
ESX               4.1               ESX          ESX410-201208104-SG
ESX               4.0               ESX          Patch pending
ESX               3.5               ESX          not applicable **

i. Update to ESX service console GnuTLS RPM

The ESX service console GnuTLS RPM is updated to version 1.4.1-7.el5_8.2 to resolve multiple security issues.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2011-4128, CVE-2012-1569, and CVE-2012-1573 to these issues.

Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware Product    Product Version   Running on   Replace with/Apply Patch
----------------  ----------------  -----------  ------------------------
ESXi              any               ESXi         not applicable
ESX               4.1               ESX          ESX410-201208106-SG
ESX               4.0               ESX          ESX400-201209401-SG
ESX               3.5               ESX          not applicable

j. Update to ESX service console popt, rpm, rpm-libs, and rpm-python RPMS

The ESX service console popt, rpm, rpm-libs, and rpm-python RPMS are updated to the following versions to resolve multiple security issues:

  • popt-1.10.2.3-28.el5_8
  • rpm-4.4.2.3-28.el5_8
  • rpm-libs-4.4.2.3-28.el5_8
  • rpm-python-4.4.2.3-28.el5_8

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2012-0060, CVE-2012-0061, and CVE-2012-0815 to these issues.

Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware Product    Product Version   Running on   Replace with/Apply Patch
----------------  ----------------  -----------  ------------------------
ESXi              any               ESXi         not applicable
ESX               4.1               ESX          ESX410-201208105-SG
ESX               4.0               ESX          ESX400-201209404-SG
ESX               3.5               ESX          not applicable

k. Vulnerability in third party Apache Struts component

The version of Apache Struts in vCenter Operations has been updated to 2.3.4 which addresses an arbitrary file overwrite vulnerability. This vulnerability allows an attacker to create a denial of service by overwriting arbitrary files without authentication. The attacker would need to be on the same network as the system where vCOps is installed.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2012-0393 to this issue.

Note: Apache Struts 2.3.4 addresses the following issues as well: CVE-2011-5057, CVE-2012-0391, CVE-2012-0392, CVE-2012-0394. It was found that these do not affect vCOps.

VMware would like to thank Alexander Minozhenko from ERPScan for reporting this issue to us.

Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware Product    Product Version   Running on   Replace with/Apply Patch
----------------  ----------------  -----------  ------------------------
vCOps             5.0.2             Windows      vCOps 5.0.3
vCOps             5.0.2             Linux        vCOps 5.0.3
vCOps             1.0.x             any          affected, update to vCOps 5.0.3
vCO               4.2               Windows      not affected
Update Manager    4.1               Windows      see VMSA-2011-0005 *
Update Manager    4.0               Windows      VMSA-2011-0005 *

* Update releases for vCO that came out in 2011 and that are documented in VMSA-2011-0005, already address the Apache struts CVEs listed above.

4. Solution

Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.

vCenter Server 4.1 Update 3

The download for vCenter Server includes vSphere Update Manager, vSphere Client, and vCenter Orchestrator

Download link
http://downloads.vmware.com/d/info/datacenter_cloud_infrastructure/vmware_vsphere/4_1
Release Notes
https://www.vmware.com/support/vsphere4/doc/vsp_vc41_u3_rel_notes.html
VMware-VIMSetup-all-4.1.0-816786.iso
md5sum: c1fd9189783e615fec4864ff6b8c86bd
sha1sum: 38c03ac195939bd23da666b9ee98ef7c9c912a55
VMware-VIMSetup-all-4.1.0-816786.zip
md5sum: d20705520fc4b5bccd71b060283e5b59
sha1sum: ea2a84544cd6cd29447c4ce905111e7dfc62f4cd

vCenter Server 4.0 Update 4a

The download for vCenter Server includes vSphere Update Manager, vSphere Client, and vCenter Orchestrator

Download link
http://downloads.vmware.com/d/info/datacenter_cloud_infrastructure/vmware_vsphere/4_0
Release Notes
https://www.vmware.com/support/vsphere4/doc/vsp_vc40_u4a_rel_notes.html
VMware-VIMSetup-all-4.0.0-818020.iso
md5sum: aa362485d8a9d4ad9dc4a647aba6701e
sha1sum: c37c1e0983e5b3011a1d27fa58602150427dc466
VMware-VIMSetup-all-4.0.0-818020.zip
md5sum: 531af0519e4c36fafab990447b55198b
sha1sum: 8fb39414d034127de0052adf00e3356cc04593ed

ESXi and ESX

http://downloads.vmware.com/go/selfsupport-download

ESXi 4.1

File: update-from-esxi4.1-4.1_update03.zip
md5sum: b35267e3c96a8ebd2e3acac09538cdf5
sha1sum: 2b2d456e89964528f25c01ae5d84edbd2bbcdefb
http://kb.vmware.com/kb/2020373
update-from-esxi4.1-4.1_update03 contains ESXi410-201208101-SG

ESX 4.1

File: update-from-esx4.1-4.1_update3.zip
md5sum: a4a45aba880d64210badade8d7c81904
sha1sum: 4ed1ef2b56fa30deec999916367ab278dc5b1840
http://kb.vmware.com/kb/2020362
update-from-esx4.1-4.1_update03 contains ESX410-201208101-SG,
ESX410-201208102-SG, ESX410-201208103-SG, ESX410-201208104-SG,
ESX410-201208105-SG, ESX410-201208106-SG, ESX410-201208107-SG

ESX 4.0

File: ESX400-201209001
md5sum: 7faa79ea8d458e994db308933424a0ee
sha1sum: 8f798a233cc28b203c3c8e0d44a1287af6c1ceb8
http://kb.vmware.com/kb/2019661
ESX400-201209001 contains ESX400-201209401-SG,
ESX400-201209402-SG, ESX400-201209404-SG

vCOps 5.0.3

Download link
https://my.vmware.com/web/vmware/info/slug/infrastructure_operations_manage
Release Notes
https://www.vmware.com/support/pubs/vcops-pubs.html
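
One way to carry out the "verify the checksum of your downloaded file" step for the downloads listed above, shown as an added example that is not part of the VMware advisory: it parses the advisory's name / md5sum / sha1sum layout and checks local files against every digest published for them. The function names and the download directory are assumptions of this example.

```python
import hashlib
import re
from pathlib import Path

# Copied from the vCenter Server 4.1 Update 3 entry in the Solution section.
ADVISORY_EXCERPT = """\
VMware-VIMSetup-all-4.1.0-816786.iso
md5sum: c1fd9189783e615fec4864ff6b8c86bd
sha1sum: 38c03ac195939bd23da666b9ee98ef7c9c912a55
VMware-VIMSetup-all-4.1.0-816786.zip
md5sum: d20705520fc4b5bccd71b060283e5b59
sha1sum: ea2a84544cd6cd29447c4ce905111e7dfc62f4cd
"""

DIGEST_LINE = re.compile(r"^(md5|sha1)sum:\s*([0-9a-fA-F]+)$")
HEX_LEN = {"md5": 32, "sha1": 40}


def parse_checksums(text):
    """Map each artifact name to the digests listed on the lines below it."""
    published, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = DIGEST_LINE.match(line)
        if match is None:
            # Any non-digest line names the next artifact ("File: x.zip" or "x.zip").
            current = line[5:].strip() if line.startswith("File:") else line
            continue
        algo, value = match.group(1), match.group(2).lower()
        if current is None or len(value) != HEX_LEN[algo]:
            # A truncated or orphaned digest must not be silently accepted.
            raise ValueError(f"malformed digest line: {line!r}")
        published.setdefault(current, {})[algo] = value
    return published


def file_digests(path, chunk_size=1 << 20):
    """Compute MD5 and SHA-1 in one pass so large ISOs are read only once."""
    hashers = {"md5": hashlib.md5(), "sha1": hashlib.sha1()}
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            for hasher in hashers.values():
                hasher.update(chunk)
    return {algo: hasher.hexdigest() for algo, hasher in hashers.items()}


def verify_all(directory, published):
    """Return {name: 'ok' | 'mismatch' | 'missing'} for every published artifact."""
    report = {}
    for name, expected in published.items():
        # Use only the final path component so a name cannot escape the directory.
        path = Path(directory) / Path(name).name
        if not path.is_file():
            report[name] = "missing"
            continue
        actual = file_digests(path)
        # Every digest the advisory lists has to match, not just one of them.
        matches = all(actual[algo] == value for algo, value in expected.items())
        report[name] = "ok" if matches else "mismatch"
    return report


if __name__ == "__main__":
    # Assumption: the downloads sit in the current working directory.
    for name, status in verify_all(".", parse_checksums(ADVISORY_EXCERPT)).items():
        print(f"{status:8} {name}")
```

A "mismatch" result means the file should be discarded and downloaded again before installation.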

5. References

— JRE —

Oracle Java SE Critical Patch Update Advisory of February 2012
http://www.oracle.com/technetwork/topics/security/javacpufeb2012-366318.html
Oracle Java SE Critical Patch Update Advisory for June 2012
http://www.oracle.com/technetwork/topics/security/javacpujun2012-1515912.html

— OpenSSL (userworld) —
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4180
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4252
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0014
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4108
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4109
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4576
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4577
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4619
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0050
— OpenSSL (service console) —
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2110
— kernel (service console) —
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1833
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2484
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2496
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3188
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3209
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3363
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4110
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1020
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4132
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4324
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4325
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0207
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2699
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1583
— Perl (service console) —
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2761
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4410
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3597
— libxml2 (service console) —
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0841
— glibc (service console) —
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5029
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5064
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0830
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1089
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4609
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0864
— GnuTLS (service console) —
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4128
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1569
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1573
— popt and rpm (service console) —
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0060
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0061
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0815
— Apache struts —
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0393

6. Change log

2012-08-30 VMSA-2012-0013 Initial security advisory in conjunction with the release of vSphere 4.1 U3 and vCOps 5.0.3 on 2012-08-30.
2012-09-12 VMSA-2012-0013.1 Updated security advisory in conjunction with the release of vSphere 4.0 U4a on 2012-09-12 and ESX 4.0 patches on 2012-09-13.

7. Contact

E-mail list for product security notifications and announcements:

http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

  • security-announce at lists.vmware.com
  • bugtraq at securityfocus.com
  • full-disclosure at lists.grok.org.uk

E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055

VMware Security Advisories
http://www.vmware.com/security/advisories

VMware security response policy
http://www.vmware.com/support/policies/security_response.html

General support life cycle policy
http://www.vmware.com/support/policies/eos.html

VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html

Copyright 2012 VMware Inc. All rights reserved.