-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------------ VMware Security Advisory Advisory ID: VMSA-2010-0016 Synopsis: VMware ESXi and ESX third party updates for Service Console and Likewise components Issue date: 2010-11-15 Updated on: 2010-11-15 (initial release of advisory) CVE numbers: CVE-2010-0415 CVE-2010-0307 CVE-2010-0291 CVE-2010-0622 CVE-2010-1087 CVE-2010-1437 CVE-2010-1088 CVE-2009-0844 CVE-2009-0845 CVE-2009-0846 CVE-2009-4212 CVE-2010-1321 - ------------------------------------------------------------------------ 1. Summary ESX Service Console OS (COS) kernel update, and Likewise packages updates. 2. Relevant releases VMware ESXi 4.1 without patch ESXi410-201010401-SG VMware ESX 4.1 without patches ESX410-201010401-SG, ESX410-201010419-SG 3. Problem Description a. Service Console OS update for COS kernel This patch updates the service console kernel to fix multiple security issues. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2010-0415, CVE-2010-0307, CVE-2010-0291, CVE-2010-0622, CVE-2010-1087, CVE-2010-1437, and CVE-2010-1088 to these issues. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= VirtualCenter any Windows not affected hosted * any any not affected ESXi any ESXi not affected ESX 4.1 ESX ESX410-201010401-SG ESX 4.0 ESX patch pending ESX 3.x ESX not applicable * hosted products are VMware Workstation, Player, ACE, Fusion. b. Likewise package updates Updates to the likewisekrb5, likewiseopenldap, likewiseopen, and pamkrb5 packages address several security issues. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2009-0844, CVE-2009-0845, CVE-2009-0846, CVE-2009-4212, and CVE-2010-1321 to these issues. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= VirtualCenter any Windows not affected hosted * any any not affected ESXi 4.1 ESXi ESXi410-201010401-SG ESXi 4.0 ESXi not affected ESX 4.1 ESX ESX410-201010419-SG ESX 4.0 ESX not applicable ESX 3.x ESX not applicable * hosted products are VMware Workstation, Player, ACE, Fusion. 4. Solution Please review the patch/release notes for your product and version and verify the md5sum of your downloaded file. ESXi 4.1 -------- ESXi410-201010401-SG Download link: http://bit.ly/bb3xjV md5sum: 05f1049c7a595481cd682e92fe8d3285 sha1sum: f6993c185f7d1cb971a4ae6e017e0246b8c25a76 http://kb.vmware.com/kb/1027753 ESX 4.1 ------- ESX410-201010001 Download link: http://bit.ly/a3Ffw8 md5sum: ff4435fd3c74764f064e047c6e5e7809 sha1sum: 322981f4dbb9e5913c8f38684369444ff7e265b3 http://kb.vmware.com/kb/1027027 ESX410-201010001 contains the following security bulletins: ESX410-201010401-SG (COS kernel) | http://kb.vmware.com/kb/1027013 ESX410-201010419-SG (Likewise) | http://kb.vmware.com/kb/1027026 ESX410-201010404-SG (NSS) | http://kb.vmware.com/kb/1027016 ESX410-201010409-SG (tar) | http://kb.vmware.com/kb/1027019 ESX410-201010412-SG (Perl) | http://kb.vmware.com/kb/1027022 ESX410-201010413-SG (cpio) | http://kb.vmware.com/kb/1027023 ESX410-201010410-SG (cURL) | http://kb.vmware.com/kb/1027020 ESX410-201010401-SG (vmkernel64, VMX, CIM)| http://kb.vmware.com/kb/1027013 ESX410-201010414-SG (vmware-esx-pam-config)| http://kb.vmware.com/kb/1027024 ESX410-201010402-SG (GnuTLS, NSS, and openSSL)| http://kb.vmware.com/kb/1027014 ESX410-201010001 also contains the following non-security bulletins ESX410-201010405-BG ESX410-201010415-BG To install an individual bulletin use esxupdate with the -b option. 5. References CVE numbers http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0415 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0307 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0291 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0622 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1087 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1437 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1088 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0844 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0845 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0846 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4212 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1321 - ------------------------------------------------------------------------ 6. Change log 2010-11-15 VMSA-2010-0016 Initial security advisory after release of patches for ESX 4.1 on 2010-11-15 - ----------------------------------------------------------------------- 7. Contact E-mail list for product security notifications and announcements: http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce This Security Advisory is posted to the following lists: * security-announce at lists.vmware.com * bugtraq at securityfocus.com * full-disclosure at lists.grok.org.uk E-mail: security at vmware.com PGP key at: http://kb.vmware.com/kb/1055 VMware Security Center http://www.vmware.com/security VMware Security Advisories http://www.vmware.com/security/advisoiries VMware security response policy http://www.vmware.com/support/policies/security_response.html General support life cycle policy http://www.vmware.com/support/policies/eos.html VMware Infrastructure support life cycle policy http://www.vmware.com/support/policies/eos_vi.html Copyright 2010 VMware Inc. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (MingW32) iEYEARECAAYFAkziORMACgkQS2KysvBH1xlJWgCffEWdIT5/yCFltNx3UVpVxE3w V6AAn1LAO7JObXN5hLYOnWVRGquBCzYM =gLN2 -----END PGP SIGNATURE-----