VMWare Releases Critical Security Patches – ESX, VirtualCenter Updated

By Marc Handelman on October 19th, 2009

VMWare INC. (NYSE: VMW) has announced critical security updates targeting the virtualization company’s ESX hypervisor platform and VirtualCenter (utilized to control virtual environments- now monikered by the crack VMWare marketing team as vSphere) products. More information, inclusive of linkage and release notice text, appears after the jump.

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1
- ———————————————————————–

VMware Security Advisory

Advisory ID: VMSA-2009-0014
Synopsis: VMware ESX patches for DHCP, Service Console kernel, and JRE resolve multiple security issues
Issue date: 2009-10-16
Updated on: 2009-10-16 (initial release of advisory)
CVE numbers: CVE-2009-0692 CVE-2009-1893 CVE-2009-0692
CVE-2008-4210 CVE-2008-3275 CVE-2008-5356
CVE-2008-0598 CVE-2008-2136 CVE-2008-2812
CVE-2007-6063 CVE-2008-3525 CVE-2008-2086
CVE-2008-5347 CVE-2008-5348 CVE-2008-5349
CVE-2008-5350 CVE-2008-5351 CVE-2008-5352
CVE-2008-5353 CVE-2008-5354 CVE-2008-5357
CVE-2008-5358 CVE-2008-5359 CVE-2008-5360
CVE-2008-5339 CVE-2008-5342 CVE-2008-5344
CVE-2008-5345 CVE-2008-5346 CVE-2008-5340
CVE-2008-5341 CVE-2008-5343 CVE-2008-5355
CVE-2009-1093 CVE-2009-1094 CVE-2009-1095
CVE-2009-1096 CVE-2009-1097 CVE-2009-1098
CVE-2009-1099 CVE-2009-1100 CVE-2009-1101
CVE-2009-1102 CVE-2009-1103 CVE-2009-1104
CVE-2009-1105 CVE-2009-1106 CVE-2009-1107
- ———————————————————————–

1. Summary

Updated DHCP and Kernel packages for ESX 3.5 and ESX 3.0.3 and
updated Java JRE packages for ESX 3.5 address several security
issues.

2. Relevant releases

ESX 3.5 without patches ESX350-200910406-SG, ESX350-200910401-SG,
ESX350-200910403-SG
ESX 3.0.3 without patch ESX303-200910402-SG

3. Problem Description

a. Service Console update for DHCP and third party library update
for DHCP client.

DHCP is an Internet-standard protocol by which a computer can be
connected to a local network, ask to be given configuration
information, and receive from a server enough information to
configure itself as a member of that network.

A stack-based buffer overflow in the script_write_params method in
ISC DHCP dhclient allows remote DHCP servers to execute arbitrary
code via a crafted subnet-mask option.

The Common Vulnerabilities and Exposures Project (cve.mitre.org)
has assigned the name CVE-2009-0692 to this issue.

An insecure temporary file use flaw was discovered in the DHCP
daemon’s init script (“/etc/init.d/dhcpd”). A local attacker could
use this flaw to overwrite an arbitrary file with the output of the
“dhcpd -t” command via a symbolic link attack, if a system
administrator executed the DHCP init script with the “configtest”,
“restart”, or “reload” option.

The Common Vulnerabilities and Exposures Project (cve.mitre.org)
has assigned the name CVE-2009-1893 to this issue.

The following table lists what action remediates the vulnerability
in the Service Console (column 4) if a solution is available.

VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter any Windows not affected

hosted * any any not affected

ESXi any ESXi not affected

ESX 4.0 ESX not affected
ESX 3.5 ESX ESX350-200910406-SG
ESX 3.0.3 ESX ESX303-200910402-SG
ESX 2.5.5 ESX not affected

ESX 3.5 and later have a DHCP client component outside of the
Service Console. The following table lists what action remediates
the vulnerability in this component (column 4) if a solution is
available.

VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter any Windows not affected

hosted * any any not affected

ESXi 4.0 ESXi affected, patch pending
ESXi 3.5 ESXi not affected

ESX 4.0 ESX affected, patch pending
ESX 3.5 ESX ESX350-200910401-SG
ESX 3.0.3 ESX not affected
ESX 2.5.5 ESX not affected

* hosted products are VMware Workstation, Player, ACE, Server, Fusion.

b. Updated Service Console package kernel

Service Console package kernel update to version
kernel-2.4.21-58.EL.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2008-4210, CVE-2008-3275, CVE-2008-0598,
CVE-2008-2136, CVE-2008-2812, CVE-2007-6063, CVE-2008-3525 to the
security issues fixed in kernel-2.4.21-58.EL

The following table lists what action remediates the vulnerability
(column 4) if a solution is available.

VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter any Windows not applicable

hosted * any any not applicable

ESXi any ESXi not applicable

ESX 4.0 ESX not applicable
ESX 3.5 ESX ESX350-200910401-SG
ESX 3.0.3 ESX affected, no update planned
ESX 2.5.5 ESX not applicable

* hosted products are VMware Workstation, Player, ACE, Server, Fusion.

c. JRE Security Update

JRE update to version 1.5.0_18, which addresses multiple security
issues that existed in earlier releases of JRE.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the following names to the security issues fixed in
JRE 1.5.0_17: CVE-2008-2086, CVE-2008-5347, CVE-2008-5348,
CVE-2008-5349, CVE-2008-5350, CVE-2008-5351, CVE-2008-5352,
CVE-2008-5353, CVE-2008-5354, CVE-2008-5356, CVE-2008-5357,
CVE-2008-5358, CVE-2008-5359, CVE-2008-5360, CVE-2008-5339,
CVE-2008-5342, CVE-2008-5344, CVE-2008-5345, CVE-2008-5346,
CVE-2008-5340, CVE-2008-5341, CVE-2008-5343, and CVE-2008-5355.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the following names to the security issues fixed in
JRE 1.5.0_18: CVE-2009-1093, CVE-2009-1094, CVE-2009-1095,
CVE-2009-1096, CVE-2009-1097, CVE-2009-1098, CVE-2009-1099,
CVE-2009-1100, CVE-2009-1101, CVE-2009-1102, CVE-2009-1103,
CVE-2009-1104, CVE-2009-1105, CVE-2009-1106, and CVE-2009-1107.

The following table lists what action remediates the vulnerability
(column 4) if a solution is available.

VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter 4.0 Windows affected, patch pending **
VirtualCenter 2.5 Windows affected, patch pending **
VirtualCenter 2.0.2 Windows affected, patch pending

Workstation any any not affected

Player any any not affected

Server 2.0 any affected, patch pending
Server 1.0 any not affected

ACE any any not affected

Fusion any any not affected

ESXi any ESXi not affected

ESX 4.0 ESX affected, patch pending **
ESX 3.5 ESX ESX350-200910403-SG
ESX 3.0.3 ESX affected, patch pending
ESX 2.5.5 ESX not affected

** JRE will be updated to version 1.5.0_20 in the next update release

Notes: These vulnerabilities can be exploited remotely only if the
attacker has access to the Service Console network.

Security best practices provided by VMware recommend that the
Service Console be isolated from the VM network. Please see
http://www.vmware.com/resources/techresources/726 for more
information on VMware security best practices.

The currently installed version of JRE depends on your patch
deployment history.

4. Solution

Please review the patch/release notes for your product and version
and verify the md5sum of your downloaded file.

ESX 3.5
——-
ESX350-200910406-SG (DHCP Service Console)
http://download3.vmware.com/software/vi/ESX350-200910406-SG.zip
md5sum: dab682b1e3897fd43e2e7f90aa1156fc
sha1sum: 0962718f65d4c2f76657369ada4a61848253174e
http://kb.vmware.com/kb/1013129

ESX350-200910401-SG (DHCP third party library, kernel)
http://download3.vmware.com/software/vi/ESX350-200910401-SG.zip
md5sum: 73435b0495a61b00bedbead140b2a262
sha1sum: a957d57cf0df58d8a40759dce62efbf12a6c229c
http://kb.vmware.com/kb/1013124

ESX350-200910403-SG (JRE)
http://download3.vmware.com/software/vi/ESX350-200910403-SG.zip
md5sum: 0e90be5bd6aa986dc2356563e809a54f
sha1sum: a5968cf6db78e28d79a4fd0b4df172cadf0f7129
http://kb.vmware.com/kb/1013126

ESX 3.0.3
———
ESX303-200910402-SG (DHCP Service Console)
http://download3.vmware.com/software/vi/ESX303-200910402-SG.zip
md5sum: 59a090cf37971e7f13385b9f53cdf3ca
sha1sum: 3af9cf1b15dc151bce06c89cc0d81e1a7cf9c80e
http://kb.vmware.com/kb/1014758

5. References

- ————————————————————————
6. Change log

2009-10-16 VMSA-2009-0014
Initial security advisory after release of ESX 3.5 patch 18 and
ESX 3.0.3 patch 11 on 2009-10-16.

- ———————————————————————–
7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

* security-announce at lists.vmware.com
* bugtraq at securityfocus.com
* full-disclosure at lists.grok.org.uk

E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055

VMware Security Center
http://www.vmware.com/security

VMware security response policy
http://www.vmware.com/support/policies/security_response.html

General support life cycle policy
http://www.vmware.com/support/policies/eos.html

VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html

—–BEGIN PGP SIGNATURE—–
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8

wj8DBQFK2KIVS2KysvBH1xkRAljvAJ9Qb2BAmrPJ6IsT8JbW8pNS5fEQYACeOnhC
BNQuoX9p4mQgW3VDtD8/gcM=
=s7tr
—–END PGP SIGNATURE—–

—

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1
- ————————————————————————

VMware Security Advisory

Advisory ID: VMSA-2009-0002.1
Synopsis: VirtualCenter Update 4 and ESX patch update Tomcat
to version 5.5.27
Issue date: 2009-02-23
Updated on: 2009-10-16
CVE numbers: CVE-2008-1232 CVE-2008-1947 CVE-2008-2370
- ————————————————————————

1. Summary

Updated VMware VirtualCenter Update 4 and ESX patch update Tomcat
packages.

2. Relevant releases

VirtualCenter 2.5 before Update 4
ESX 3.5 without patch ESX350-200910403-SG

3. Problem Description

a. Update for VirtualCenter and ESX patch update Apache Tomcat version
to 5.5.27

Update for VirtualCenter and ESX patch update the Tomcat package to
version 5.5.27 which addresses multiple security issues that existed
in the previous version of Apache Tomcat.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2008-1232, CVE-2008-1947 and
CVE-2008-2370 to these issues.

The following table lists what action remediates the vulnerability
(column 4) if a solution is available.

VMware Product Running Replace with/
Product Version on Apply Patch
======== ======== ======= =======================
vCenter 4.0 Windows affected, patch pending **
VirtualCenter 2.5 Windows VirtualCenter 2.5 Update 4
VirtualCenter 2.0.2 Windows affected, patch pending

Workstation any any not affected

Player any any not affected

ACE any Windows not affected

Server 2.x any affected, patch pending
Server 1.x any not affected

Fusion any Mac OS/X not affected

ESXi any ESXi not affected

ESX 4.0 ESX affected, patch pending **
ESX 3.5 ESX ESX350-200910403-SG
ESX 3.0.3 ESX affected, patch pending
ESX 3.0.2 ESX affected, end of life
ESX 2.5.5 ESX not affected

** Tomcat will be updated to version 6.0.20 in the next update release

Note: These vulnerabilities can be exploited remotely only if the
attacker has access to the Service Console network.

The currently installed version of Tomcat depends on your patch
deployment history.

4. Solution

Please review the patch/release notes for your product and version
and verify the md5sum of your downloaded file.

VirtualCenter
————-
VMware VirtualCenter 2.5 Update 4
http://www.vmware.com/download/download.do?downloadGroup=VC250U4
DVD iso image
md5sum: 4304334ed7662b6a43646e6dde0956d2
Zip file
md5sum: 1306cb9b25e28a06bab84257d7cbf38f
Release Notes
http://www.vmware.com/support/vi3/doc/vi3_vc25u4_rel_notes.html

ESX 3.5
——-
ESX350-200910403-SG
http://download3.vmware.com/software/vi/ESX350-200910403-SG.zip
md5sum: 0e90be5bd6aa986dc2356563e809a54f
sha1sum: a5968cf6db78e28d79a4fd0b4df172cadf0f7129
http://kb.vmware.com/kb/1013126

5. References

Tomcat release notes
http://tomcat.apache.org/security-5.html

CVE numbers
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1232
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1947
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2370

- ————————————————————————
6. Change log

2009-02-23 VMSA-2009-0002
Initial security advisory after release of VirtualCenter 2.5 Update 4
on 2009-02-23.
2009-10-16 VMSA-2009-0002.1
Updated after release of ESX 3.5 patch 18 on 2009-10-16.

- ———————————————————————–
7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

* security-announce at lists.vmware.com
* bugtraq at securityfocus.com
* full-disclosure at lists.grok.org.uk

E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055

VMware Security Center
http://www.vmware.com/security

VMware security response policy
http://www.vmware.com/support/policies/security_response.html

General support life cycle policy
http://www.vmware.com/support/policies/eos.html

VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html

—–BEGIN PGP SIGNATURE—–
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8

wj8DBQFK2KMcS2KysvBH1xkRArSqAJ48tFf8rlBUU5/vCNBmM7Rb3C5+LACfV3xS
t/ZgK6V7hJYf1KK4S0SRPtI=
=GRKY
—–END PGP SIGNATURE—–

Categories: Infosecurity
Tags: Features, Infosecurity, Kerberos, Virtualization, Virtualization Security