-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ----------------------------------------------------------------------- VMware Security Advisory Advisory ID: VMSA-2009-0014 Synopsis: VMware ESX patches for DHCP, Service Console kernel, and JRE resolve multiple security issues Issue date: 2009-10-16 Updated on: 2009-10-16 (initial release of advisory) CVE numbers: CVE-2009-0692 CVE-2009-1893 CVE-2009-0692 CVE-2008-4210 CVE-2008-3275 CVE-2008-5356 CVE-2008-0598 CVE-2008-2136 CVE-2008-2812 CVE-2007-6063 CVE-2008-3525 CVE-2008-2086 CVE-2008-5347 CVE-2008-5348 CVE-2008-5349 CVE-2008-5350 CVE-2008-5351 CVE-2008-5352 CVE-2008-5353 CVE-2008-5354 CVE-2008-5357 CVE-2008-5358 CVE-2008-5359 CVE-2008-5360 CVE-2008-5339 CVE-2008-5342 CVE-2008-5344 CVE-2008-5345 CVE-2008-5346 CVE-2008-5340 CVE-2008-5341 CVE-2008-5343 CVE-2008-5355 CVE-2009-1093 CVE-2009-1094 CVE-2009-1095 CVE-2009-1096 CVE-2009-1097 CVE-2009-1098 CVE-2009-1099 CVE-2009-1100 CVE-2009-1101 CVE-2009-1102 CVE-2009-1103 CVE-2009-1104 CVE-2009-1105 CVE-2009-1106 CVE-2009-1107 - ----------------------------------------------------------------------- 1. Summary Updated DHCP and Kernel packages for ESX 3.5 and ESX 3.0.3 and updated Java JRE packages for ESX 3.5 address several security issues. 2. Relevant releases ESX 3.5 without patches ESX350-200910406-SG, ESX350-200910401-SG, ESX350-200910403-SG ESX 3.0.3 without patch ESX303-200910402-SG 3. Problem Description a. Service Console update for DHCP and third party library update for DHCP client. DHCP is an Internet-standard protocol by which a computer can be connected to a local network, ask to be given configuration information, and receive from a server enough information to configure itself as a member of that network. A stack-based buffer overflow in the script_write_params method in ISC DHCP dhclient allows remote DHCP servers to execute arbitrary code via a crafted subnet-mask option. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2009-0692 to this issue. An insecure temporary file use flaw was discovered in the DHCP daemon's init script ("/etc/init.d/dhcpd"). A local attacker could use this flaw to overwrite an arbitrary file with the output of the "dhcpd -t" command via a symbolic link attack, if a system administrator executed the DHCP init script with the "configtest", "restart", or "reload" option. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2009-1893 to this issue. The following table lists what action remediates the vulnerability in the Service Console (column 4) if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= vCenter any Windows not affected hosted * any any not affected ESXi any ESXi not affected ESX 4.0 ESX not affected ESX 3.5 ESX ESX350-200910406-SG ESX 3.0.3 ESX ESX303-200910402-SG ESX 2.5.5 ESX not affected ESX 3.5 and later have a DHCP client component outside of the Service Console. The following table lists what action remediates the vulnerability in this component (column 4) if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= vCenter any Windows not affected hosted * any any not affected ESXi 4.0 ESXi affected, patch pending ESXi 3.5 ESXi not affected ESX 4.0 ESX affected, patch pending ESX 3.5 ESX ESX350-200910401-SG ESX 3.0.3 ESX not affected ESX 2.5.5 ESX not affected * hosted products are VMware Workstation, Player, ACE, Server, Fusion. b. Updated Service Console package kernel Service Console package kernel update to version kernel-2.4.21-58.EL. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2008-4210, CVE-2008-3275, CVE-2008-0598, CVE-2008-2136, CVE-2008-2812, CVE-2007-6063, CVE-2008-3525 to the security issues fixed in kernel-2.4.21-58.EL The following table lists what action remediates the vulnerability (column 4) if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= vCenter any Windows not applicable hosted * any any not applicable ESXi any ESXi not applicable ESX 4.0 ESX not applicable ESX 3.5 ESX ESX350-200910401-SG ESX 3.0.3 ESX affected, no update planned ESX 2.5.5 ESX not applicable * hosted products are VMware Workstation, Player, ACE, Server, Fusion. c. JRE Security Update JRE update to version 1.5.0_18, which addresses multiple security issues that existed in earlier releases of JRE. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in JRE 1.5.0_17: CVE-2008-2086, CVE-2008-5347, CVE-2008-5348, CVE-2008-5349, CVE-2008-5350, CVE-2008-5351, CVE-2008-5352, CVE-2008-5353, CVE-2008-5354, CVE-2008-5356, CVE-2008-5357, CVE-2008-5358, CVE-2008-5359, CVE-2008-5360, CVE-2008-5339, CVE-2008-5342, CVE-2008-5344, CVE-2008-5345, CVE-2008-5346, CVE-2008-5340, CVE-2008-5341, CVE-2008-5343, and CVE-2008-5355. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in JRE 1.5.0_18: CVE-2009-1093, CVE-2009-1094, CVE-2009-1095, CVE-2009-1096, CVE-2009-1097, CVE-2009-1098, CVE-2009-1099, CVE-2009-1100, CVE-2009-1101, CVE-2009-1102, CVE-2009-1103, CVE-2009-1104, CVE-2009-1105, CVE-2009-1106, and CVE-2009-1107. The following table lists what action remediates the vulnerability (column 4) if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= vCenter 4.0 Windows affected, patch pending ** VirtualCenter 2.5 Windows affected, patch pending ** VirtualCenter 2.0.2 Windows affected, patch pending Workstation any any not affected Player any any not affected Server 2.0 any affected, patch pending Server 1.0 any not affected ACE any any not affected Fusion any any not affected ESXi any ESXi not affected ESX 4.0 ESX affected, patch pending ** ESX 3.5 ESX ESX350-200910403-SG ESX 3.0.3 ESX affected, patch pending ESX 2.5.5 ESX not affected ** JRE will be updated to version 1.5.0_20 in the next update release Notes: These vulnerabilities can be exploited remotely only if the attacker has access to the Service Console network. Security best practices provided by VMware recommend that the Service Console be isolated from the VM network. Please see http://www.vmware.com/resources/techresources/726 for more information on VMware security best practices. The currently installed version of JRE depends on your patch deployment history. 4. Solution Please review the patch/release notes for your product and version and verify the md5sum of your downloaded file. ESX 3.5 ------- ESX350-200910406-SG (DHCP Service Console) http://download3.vmware.com/software/vi/ESX350-200910406-SG.zip md5sum: dab682b1e3897fd43e2e7f90aa1156fc sha1sum: 0962718f65d4c2f76657369ada4a61848253174e http://kb.vmware.com/kb/1013129 ESX350-200910401-SG (DHCP third party library, kernel) http://download3.vmware.com/software/vi/ESX350-200910401-SG.zip md5sum: 73435b0495a61b00bedbead140b2a262 sha1sum: a957d57cf0df58d8a40759dce62efbf12a6c229c http://kb.vmware.com/kb/1013124 ESX350-200910403-SG (JRE) http://download3.vmware.com/software/vi/ESX350-200910403-SG.zip md5sum: 0e90be5bd6aa986dc2356563e809a54f sha1sum: a5968cf6db78e28d79a4fd0b4df172cadf0f7129 http://kb.vmware.com/kb/1013126 ESX 3.0.3 --------- ESX303-200910402-SG (DHCP Service Console) http://download3.vmware.com/software/vi/ESX303-200910402-SG.zip md5sum: 59a090cf37971e7f13385b9f53cdf3ca sha1sum: 3af9cf1b15dc151bce06c89cc0d81e1a7cf9c80e http://kb.vmware.com/kb/1014758 5. References CVE numbers http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0692 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1893 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4210 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3275 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0598 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2136 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2812 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6063 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3525 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2086 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5347 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5348 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5349 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5350 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5351 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5352 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5353 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5354 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5356 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5357 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5358 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5359 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5360 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5339 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5342 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5344 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5345 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5346 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5340 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5341 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5343 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5355 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1093 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1094 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1095 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1096 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1097 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1098 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1099 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1100 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1101 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1102 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1103 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1104 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1105 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1106 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1107 - ------------------------------------------------------------------------ 6. Change log 2009-10-16 VMSA-2009-0014 Initial security advisory after release of ESX 3.5 patch 18 and ESX 3.0.3 patch 11 on 2009-10-16. - ----------------------------------------------------------------------- 7. Contact E-mail list for product security notifications and announcements: http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce This Security Advisory is posted to the following lists: * security-announce at lists.vmware.com * bugtraq at securityfocus.com * full-disclosure at lists.grok.org.uk E-mail: security at vmware.com PGP key at: http://kb.vmware.com/kb/1055 VMware Security Center http://www.vmware.com/security VMware security response policy http://www.vmware.com/support/policies/security_response.html General support life cycle policy http://www.vmware.com/support/policies/eos.html VMware Infrastructure support life cycle policy http://www.vmware.com/support/policies/eos_vi.html Copyright 2009 VMware Inc. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.8.3 (Build 4028) Charset: utf-8 wj8DBQFK2KUiS2KysvBH1xkRAqxIAJ901ZVAIyIK5ShhaI6EC1NZiOuGaACfX8cN XHpA5AngF0nSctnl1lqf5kY= =iiC7 -----END PGP SIGNATURE-----