VMSA-2010-0003.1 ESX Service Console update for net-snmp

VMware Security Advisory
Advisory ID: VMSA-2010-0003.1
Synopsis: VMSA-2010-0003.1 ESX Service Console update for net-snmp
Issue date: 2010-02-16
Updated on: 2010-03-08
CVE numbers: CVE-2009-1887
1. Summary
Update for Service Console package net-snmp
2. Relevant releases
VMware ESX 3.5 without patch ESX350-201002401-SG
VMware ESX 3.0.3 without patch ESX303-201002202-SG
3. Problem Description
a. Service Console package net-snmp updated
This patch updates the service console package for net-snmp, net-snmp-utils, and net-snmp-libs to version net-snmp-5.0.9-2.30E.28. This net-snmp update fixes a divide-by-zero flaw in the snmpd daemon. A remote attacker could issue a specially crafted GETBULK request that could cause the snmpd daemon to fail.

This vulnerability was introduced by an incorrect fix for CVE-2008-4309.

The Common Vulnerabilities and Exposures Project has assigned the name CVE-2009-1887 to this issue.

Note: After installing the previous patch for net-snmp (ESX350-200901409-SG), running the snmpbulkwalk command with the parameter -CnX results in no output, and the snmpd daemon stops.

The following table lists what action remediates the vulnerability (column 4) if a solution is available.

VMware         Product   Running  Replace with/
Product        Version   on       Apply Patch
=============  ========  =======  =================
VirtualCenter  any       Windows  not affected
hosted *       any       any      not affected
ESXi           any       ESXi     not affected
ESX            4.0       ESX      not affected
ESX            3.5       ESX      ESX350-201002401-SG
ESX            3.0.3     ESX      ESX303-201002202-SG
ESX            2.0.5     ESX      not affected

* hosted products are VMware Workstation, Player, ACE, Server, Fusion.
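
An added example, not part of VMware's advisory: a Python check that compares the net-snmp packages reported by `rpm -q` on an ESX service console against the fixed build 5.0.9-2.30E.28 named in section 3.a. The sample `rpm -q` output, the function names and the simplified version comparison (no epoch, `~` or `^` handling) are assumptions made for illustration.

```python
import re

# Fixed build named in section 3.a of the advisory (version-release).
FIXED = "5.0.9-2.30E.28"
PACKAGES = ("net-snmp", "net-snmp-utils", "net-snmp-libs")
# Constructed sample of `rpm -q net-snmp net-snmp-utils net-snmp-libs` output.
SAMPLE = """net-snmp-5.0.9-2.30E.27
net-snmp-utils-5.0.9-2.30E.28
package net-snmp-libs is not installed"""

def rpmvercmp(a, b):
    """Return -1, 0 or 1, comparing two version or release strings like rpm."""
    # Separators are ignored; only digit runs and letter runs are compared.
    sa = re.findall(r"\d+|[A-Za-z]+", a)
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # a digit run beats a letter run
        if x.isdigit():
            x, y = int(x), int(y)             # 3 < 28 numerically, not as text
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evr_cmp(a, b):
    """Compare 'version-release' strings: version first, then release."""
    va, ra = a.split("-", 1)
    vb, rb = b.split("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def audit(rpm_q_output):
    """Map each installed net-snmp package to 'fixed' or 'outdated'."""
    result = {}
    for line in rpm_q_output.splitlines():
        parts = line.strip().rsplit("-", 2)
        if len(parts) != 3 or parts[0] not in PACKAGES:
            continue  # skips "package ... is not installed" and other rpms
        name, version, release = parts
        current = evr_cmp(version + "-" + release, FIXED) >= 0
        result[name] = "fixed" if current else "outdated"
    return result

if __name__ == "__main__":
    for name, state in sorted(audit(SAMPLE).items()):
        print(name, state)
```

A package reported as "outdated" predates the build shipped with this advisory and should be brought up to the patch listed for its ESX release in the table above.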
4. Solution
Please review the patch/release notes for your product and version and verify the md5sum of your downloaded file.

ESX 3.5
md5sum: a91428cb6bc2da794f581aefd5eef010

ESX 3.0.3
md5sum: b111601ecb6978fbac40df2700d08fe2

6. Change Log
2010-02-16 VMSA-2010-0003
Initial security advisory after release of patches for ESX 3.5 on 2010-02-16.
2010-03-08 VMSA-2010-0003.1
Update after release of ESX 3.0.3 Update 1 on 2010-03-08.
7. Contact
E-mail list for product security notifications and announcements:

This Security Advisory is posted to the following lists:

  • security-announce at
  • bugtraq at
  • full-disclosure at

E-mail: security at
PGP key at:

Copyright 2010 VMware Inc. All rights reserved.