VMware

VMSA-2009-0003

ESX 2.5.5 patch 12 updates service console package ed

------------------------------------------------------------------------
                   VMware Security Advisory                            

Advisory ID:       VMSA-2009-0003
Synopsis:          ESX 2.5.5 patch 12 updates service console package ed
Issue date:        2009-01-26                                          
Updated on:        2009-01-26 (initial release of advisory)            
CVE numbers:       CVE-2008-3916                                       
------------------------------------------------------------------------

1. Summary

   ESX 2.5.5 patch 12 Build 142708 updates service console package ed

2. Relevant releases

   VMware ESX 2.5.5 before patch 12

   Extended support for ESX 2.5.5 ends on 2010-06-15.  Users should plan
   to upgrade to ESX 3.0.3 and preferably to the newest release available.

3. Problem Description

 a. Updated ESX patch updates Service Console package ed

    ed is a line-oriented text editor, used to create, display, and
    modify text files (both interactively and via shell scripts). 

    A heap-based buffer overflow was discovered in the way ed, the GNU
    line editor, processed long file names. An attacker could create a
    file with a specially-crafted name that could possibly execute an
    arbitrary code when opened in the ed editor.                     

    The Common Vulnerabilities and Exposures Project (cve.mitre.org)
    has assigned the name CVE-2008-3916 to this issue.             

    The following table lists what action remediates the vulnerability
    (column 4) if a solution is available.                           

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch 
    =============  ========  =======  =================
    VirtualCenter  any       Windows  not affected    

    hosted *       any       any      not affected

    ESXi           3.5       ESXi     not affected

    ESX            3.5       ESX      not affected
    ESX            3.0.3     ESX      not affected
    ESX            3.0.2     ESX      not affected
    ESX            2.5.5     ESX      Upgrade Patch 12

    * hosted products are VMware Workstation, Player, ACE, Server, Fusion.

4. Solution

   Please review the patch/release notes for your product and version
   and verify the md5sum of your downloaded file.

   ESX 2.5.5 Upgrade Patch 12 Build 142709
   www.vmware.com/support/esx25/doc/esx-255-200902-patch.html
   download3.vmware.com/software/esx/esx-2.5.5-142709-upgrade.tar.gz
   md5sum: 2a0bd5cc3591b1f6b04616fa2c97f78c

5. References

   CVE numbers
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3916

------------------------------------------------------------------------
6. Change log

2009-02-20  VMSA-2009-0003
Initial security advisory after release of patch 12 for ESX 2.5.5
on 2009-02-20.

-----------------------------------------------------------------------
7. Contact

E-mail list for product security notifications and announcements:
lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

  * security-announce at lists.vmware.com
  * bugtraq at securityfocus.com
  * full-disclosure at lists.grok.org.uk

E-mail:  security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055

VMware Security Center
http://www.vmware.com/security

VMware security response policy
www.vmware.com/support/policies/security_response.html

General support life cycle policy
http://www.vmware.com/support/policies/eos.html

VMware Infrastructure support life cycle policy
www.vmware.com/support/policies/eos_vi.html

Copyright 2009 VMware Inc.  All rights reserved.

 

Sign Up for Email Alerts

Enter your email address: