Reference: CERT-EU Security Advisory 2013-0017

Title: VMware security updates for vSphere [1]

Version history:
05.02.2013 Initial publication

Summary
=======

VMware vSphere security updates for the authentication service and third party libraries.

--- vSphere authentication ---
CVE-2013-1405

--- libxml2 ---
CVE-2011-3102, CVE-2012-2807

--- bind (service console) ---
CVE-2012-4244

--- xslt (service console) ---
CVE-2011-1202, CVE-2011-3970, CVE-2012-2825, CVE-2012-2870, CVE-2012-2871

Vulnerable systems
==================

VMware vSphere
VMware vCenter
VMware ESX
VMware ESXi

Original Details
================

Several problems identified [1]:

VMware vSphere client-side authentication memory corruption vulnerability (CVE-2013-1405)

VMware vCenter Server, vSphere Client, and ESX contain a vulnerability in the handling of the management authentication protocol. To exploit this vulnerability, an attacker must convince either vCenter Server, vSphere Client or ESX to interact with a malicious server as a client. Exploitation of the issue may lead to code execution on the client system.

Update to ESX/ESXi libxml2 userworld and service console (CVE-2011-3102, CVE-2012-2807)

Multiple security issues.

Update to ESX service console bind packages (CVE-2012-4244)

This vulnerability can be exploited remotely against recursive servers by inducing them to query for records provided by an authoritative server. It affects authoritative servers if a zone containing this type of resource record is loaded from file or provided via zone transfer.

Update to ESX service console libxslt package (CVE-2011-1202, CVE-2011-3970, CVE-2012-2825, CVE-2012-2870, CVE-2012-2871)

Multiple security issues.

What can you do?
================

Update your products to patched versions [1]. If there is no patch for your version of the product, it may be necessary to upgrade to a higher version.

What to tell your users?
========================

N/A

More information
================

[1] http://www.vmware.com/security/advisories/VMSA-2013-0001.html

Best regards,