-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Reference: CERT-EU Security Advisory 2012-0010
Title: Multiple vulnerabilities in VMware ESXi and ESX [1]
Version history: 01.02.2012 Initial publication

Summary
=======

Updates to third-party libraries and the ESX Service Console in VMware ESXi and ESX address several security issues [1]. Some of these vulnerabilities are rated Critical (CVSS v2 Base Score: 9+ [2]); they allow remote attackers to cause a denial of service and possibly execute arbitrary code. Please see [1] for further details.

* COS Kernel --- CVE-2011-0726, CVE-2011-1078, CVE-2011-1079, CVE-2011-1080, CVE-2011-1093, CVE-2011-1163, CVE-2011-1166, CVE-2011-1170, CVE-2011-1171, CVE-2011-1172, CVE-2011-1494, CVE-2011-1495, CVE-2011-1577, CVE-2011-1763, CVE-2010-4649, CVE-2011-0695, CVE-2011-0711, CVE-2011-1044, CVE-2011-1182, CVE-2011-1573, CVE-2011-1576, CVE-2011-1593, CVE-2011-1745, CVE-2011-1746, CVE-2011-1776, CVE-2011-1936, CVE-2011-2022, CVE-2011-2213, CVE-2011-2492, CVE-2011-1780, CVE-2011-2525, CVE-2011-2689, CVE-2011-2482, CVE-2011-2491, CVE-2011-2495, CVE-2011-2517, CVE-2011-2519, CVE-2011-2901
* COS cURL --- CVE-2011-2192
* COS rpm --- CVE-2010-2059, CVE-2011-3378
* COS samba --- CVE-2010-0547, CVE-2010-0787, CVE-2011-1678, CVE-2011-2522, CVE-2011-2694
* COS python --- CVE-2009-3720, CVE-2010-3493, CVE-2011-1015, CVE-2011-1521
* python library --- CVE-2009-3560, CVE-2009-3720, CVE-2010-1634, CVE-2010-2089, CVE-2011-1521

Vulnerable systems
==================

ESXi 4.1 without patch ESXi410-201201401-SG

ESX 4.1 without patches ESX410-201201401-SG, ESX410-201201402-SG, ESX410-201201404-SG, ESX410-201201405-SG, ESX410-201201406-SG, ESX410-201201407-SG

Details
=======

* The ESX Service Console Operating System (COS) kernel is updated to kernel-2.6.18-274.3.1.el5 to fix multiple security issues in the COS kernel.
* The ESX Service Console (COS) curl RPM is updated to cURL-7.15.5.9, resolving a security issue.
* The ESX Service Console (COS) nspr and nss RPMs are updated to nspr-4.8.8-1.el5_7 and nss-3.12.10-4.el5_7 respectively, resolving a security issue.
* The ESX Service Console Operating System (COS) rpm packages are updated to popt-1.10.2.3-22.el5_7.2, rpm-4.4.2.3-22.el5_7.2, rpm-libs-4.4.2.3-22.el5_7.2 and rpm-python-4.4.2.3-22.el5_7.2, which fix multiple security issues.
* The ESX Service Console Operating System (COS) samba packages are updated to samba-client-3.0.33-3.29.el5_7.4, samba-common-3.0.33-3.29.el5_7.4 and libsmbclient-3.0.33-3.29.el5_7.4, which fix multiple security issues in the Samba client.
* The ESX Service Console (COS) python package is updated to 2.4.3-44, which fixes multiple security issues.
* The ESXi python third-party library is updated to python 2.5.6, which fixes multiple security issues.

What can you do?
================

Fixes are available at [1].

What to tell your users?
========================

N/A

More information
================

[1] http://www.vmware.com/security/advisories/VMSA-2012-0001.html
[2] Information about CVSS: http://www.first.org/cvss/cvss-guide.html

Best regards,
CERT-EU

CERT-EU Pre-configuration Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383 FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383

(DISCLAIMER: CERT-EU, the CERT for the EU institutions, is currently in its setup phase, until May 2012. Services are provided in a pilot fashion, and are not yet fully functional. Announcements, alerts and warnings are sent out in best effort manner, and to contact information currently known to us. We apologise if you are not the correct recipient, or if you had already been warned about this issue from another source. Format, content and way of alerting are subject to change in the future. Contact information or even the team name may change as well.)
-----BEGIN PGP SIGNATURE-----
Version: BCPG v1.39

iQJXBAEBAgBBBQJPKQifOhxDRVJUIGZvciB0aGUgRXVyb3BlYW4gSW5zdGl0dXRp
b25zIDxjZXJ0LWV1QGVjLmV1cm9wYS5ldT4ACgkQJ6QGykasQ4M2wRAApYaknp9q
g69B7013+PcKnoKVBOVLK3+pLbEJNjOeLC8ZKVcJPD9KKHi1RjoTOmQ0S+/otalR
YhhITDuHPfiXin5X8uO+mrElCmlHz6fVD1523+BoVKKM/9SxOw+79SglJjZKT2Wn
eusjjy9XaSKaDVfts+3M1lIuNKWTYNl7sNUp+fkHyMOwVZ7v9rNXngsJW7OH9feO
+fhKo4fTPdJdz8Bk3RH8CRyRLU8oC0GL2DotPDGO7BO5XjFDKXkcY36zGK7F9hVw
QJvMW/gW2mUf81bfRcOgPvCpPBpwDob1qNYGMtugj0bPDp6LaIL/mITz+P+jmNdD
D3B5HE0FUmDk7HHsAGx5v1IpozYjzbSJMBrJhY7BbmMoHo53RyCPpTqMKgUzhwJw
0ZeK7lMqiOWxhEPQH+1dJztjMfACSOM+KPxFuk1KuzQYnrP9VrdBSZgs6MDvWzKi
kXg4n3IoqNBTtI4w0bBU/VAlCd6godkU/GbGAoJF1dM65T6V6iRPA0lN453vnq1S
bRiP1B9ZVUiGRw+UCP2iA/n8fee7TXSBtWgZ+EHujBfC0avaWh3RQSMGD1oyjTCJ
ZR+muNwS9Bs5Mv2FIkDolK3eFxGnvYqxSgfw1z+kMyw4vs/NalqGpurM41ik67e6
L2pOxxNijZLElEEO3AhRXsyAqKnkoWpKJMw=
=aoi3
-----END PGP SIGNATURE-----
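The "Vulnerable systems" section above names the exact patch bulletins whose absence leaves an ESX/ESXi 4.1 host exposed. The script below, an added example that is not part of the CERT-EU advisory or of VMware's tooling, turns that list into an inventory check: for every host it reports which of the required bulletins are missing. It assumes you already have, per host, the product, version and installed bulletin IDs (for instance exported from your patch-management system); the host inventory and the function names (`missing_bulletins`, `assess_inventory`) are constructed for illustration.

```python
"""Check ESX/ESXi 4.1 hosts against the bulletins named in CERT-EU 2012-0010.

Added example, not part of the advisory or of VMware's tooling. The bulletin
IDs come from the advisory; the host inventory below is constructed.
"""

# Required bulletins per (product, version), taken from "Vulnerable systems".
REQUIRED_BULLETINS = {
    ("ESXi", "4.1"): {"ESXi410-201201401-SG"},
    ("ESX", "4.1"): {
        "ESX410-201201401-SG",
        "ESX410-201201402-SG",
        "ESX410-201201404-SG",
        "ESX410-201201405-SG",
        "ESX410-201201406-SG",
        "ESX410-201201407-SG",
    },
}


def missing_bulletins(product, version, installed):
    """Return the sorted list of required bulletins not installed on a host.

    A host whose product/version is outside the advisory's scope yields [],
    because the advisory makes no statement about it.
    """
    required = REQUIRED_BULLETINS.get((product, version), set())
    # Compare case-insensitively and ignore whitespace from sloppy exports.
    installed_norm = {b.strip().upper() for b in installed}
    return sorted(b for b in required if b.upper() not in installed_norm)


def assess_inventory(inventory):
    """Map each exposed host name to its missing bulletins; fully patched
    and out-of-scope hosts are omitted from the result."""
    report = {}
    for host in inventory:
        missing = missing_bulletins(host["product"], host["version"],
                                    host["installed"])
        if missing:
            report[host["name"]] = missing
    return report


# Constructed sample inventory (hypothetical host names and patch states).
SAMPLE_INVENTORY = [
    {"name": "esxi-01", "product": "ESXi", "version": "4.1",
     "installed": ["ESXi410-201201401-SG"]},          # fully patched
    {"name": "esxi-02", "product": "ESXi", "version": "4.1",
     "installed": []},                                # unpatched
    {"name": "esx-01", "product": "ESX", "version": "4.1",
     "installed": ["ESX410-201201401-SG", "ESX410-201201402-SG",
                   "ESX410-201201404-SG"]},           # partially patched
    {"name": "esxi-05", "product": "ESXi", "version": "5.0",
     "installed": []},                                # not in scope
]

if __name__ == "__main__":
    for name, missing in sorted(assess_inventory(SAMPLE_INVENTORY).items()):
        print(f"{name}: missing {', '.join(missing)}")
```

Partially patched ESX hosts matter here because the ESX fix is spread over six bulletins; a host that took only the first few still carries some of the listed CVEs, so the check reports per-bulletin gaps rather than a single yes/no.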