exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

VMware Security Advisory 2010-0003

VMware Security Advisory 2010-0003
Posted Feb 16, 2010
Authored by VMware | Site vmware.com

VMware Security Advisory - This patch updates the service console package for net-snmp, net-snmp-utils, and net-snmp-libs to version net-snmp-5.0.9-2.30E.28. This net-snmp update fixes a divide-by- zero flaw in the snmpd daemon. A remote attacker could issue a specially crafted GETBULK request that could cause the snmpd daemon to fail.

tags | advisory, remote
advisories | CVE-2009-1887, CVE-2008-4309
SHA-256 | be9eec1e0afa2608f6e5a930b35d6a797d067f76d7824fe15b60c52609c39c15

VMware Security Advisory 2010-0003

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
VMware Security Advisory

Advisory ID: VMSA-2010-0003
Synopsis: ESX Service Console update for net-snmp
Issue date: 2010-02-16
Updated on: 2010-02-16 (initial release of advisory)
CVE numbers: CVE-2009-1887
- -------------------------------------------------------------------------

1. Summary

Update for Service Console package net-snmp

2. Relevant releases

VMware ESX 3.5 without patch ESX350-201002401-SG

3. Problem Description

a. Service Console package net-snmp updated

This patch updates the service console package for net-snmp,
net-snmp-utils, and net-snmp-libs to version
net-snmp-5.0.9-2.30E.28. This net-snmp update fixes a divide-by-
zero flaw in the snmpd daemon. A remote attacker could issue a
specially crafted GETBULK request that could cause the snmpd daemon
to fail.

This vulnerability was introduced by an incorrect fix for
CVE-2008-4309.

The Common Vulnerabilities and Exposures Project (cve.mitre.org) has
assigned the name CVE-2009-1887 to this issue.

Note: After installing the previous patch for net-snmp
(ESX350-200901409-SG), running the snmpbulkwalk command with the
parameter -CnX results in no output, and the snmpd daemon stops.

The following table lists what action remediates the vulnerability
(column 4) if a solution is available.

VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
VirtualCenter any Windows not affected

hosted * any any not affected

ESXi any ESXi not affected

ESX 4.0 ESX not affected
ESX 3.5 ESX ESX350-201002401-SG
ESX 3.0.3 ESX affected, patch pending
ESX 2.5.5 ESX not affected

* hosted products are VMware Workstation, Player, ACE, Server, Fusion.

4. Solution

Please review the patch/release notes for your product and version
and verify the md5sum of your downloaded file.

ESX 3.5
-------
ESX350-201002401-SG
http://download3.vmware.com/software/vi/ESX350-201002401-SG.zip
md5sum: a91428cb6bc2da794f581aefd5eef010
http://kb.vmware.com/kb/1017660

5. References

CVE numbers
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1887

- -------------------------------------------------------------------------
6. Change log

2010-02-16 VMSA-2010-0003
Initial security advisory after release of patches for ESX 3.5
on 2010-02-16.

- ------------------------------------------------------------------------
7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

* security-announce at lists.vmware.com
* bugtraq at securityfocus.com
* full-disclosure at lists.grok.org.uk

E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055

VMware Security Center
http://www.vmware.com/security

VMware security response policy
http://www.vmware.com/support/policies/security_response.html

General support life cycle policy
http://www.vmware.com/support/policies/eos.html

VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html

Copyright 2010 VMware Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkt66IQACgkQS2KysvBH1xmhuACbBL6u9x1WUt/wG2F45y2jjkHs
WIIAn0tgLrLQGODyeK5pI8cPBIqsslNL
=Fk9e
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close