Sign up for Security
Advisories

Enter your email address:


VMSA-2010-0003.1

VMSA-2010-0003.1 ESX Service Console update for net-snmp

VMware Security Advisory
Advisory ID: VMSA-2010-0003.1
Synopsis: VMSA-2010-0003.1 ESX Service Console update for net-snmp
Issue date: 2010-02-16
Updated on: 2010-03-08
CVE numbers: CVE-2009-1887
1. Summary
Update for Service Console package net-snmp
2. Relevant releases
VMware ESX 3.5 without patch ESX350-201002401-SG
VMware ESX 3.0.3 without patch ESX303-201002202-SG
3. Problem Description
a. Service Console package net-snmp updated
This patch updates the service console package for net-snmp, net-snmp-utils, and net-snmp-libs to version net-snmp-5.0.9-2.30E.28. This net-snmp update fixes a divide-by- zero flaw in the snmpd daemon. A remote attacker could issue a specially crafted GETBULK request that could cause the snmpd daemon to fail.

This vulnerability was introduced by an incorrect fix for CVE-2008-4309.

The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2009-1887 to this issue.

Note: After installing the previous patch for net-snmp (ESX350-200901409-SG), running the snmpbulkwalk command with the parameter -CnX results in no output, and the snmpd daemon stops.

The following table lists what action remediates the vulnerability (column 4) if a solution is available.
VMware
Product
Product
Version
Running
On
Replace with
Apply Path
============= ======== ======= =================
VirtualCenter any Windows not affected
hosted * any any not affected
ESXi any ESXi not affected
ESX 4.0 ESX not affected
ESX 3.5 ESX ESX350-201002401-SG
ESX 3.0.3 ESX ESX303-201002202-SG
ESX 2.0.5 ESX not affected


* hosted products are VMware Workstation, Player, ACE, Server, Fusion.
4. Solution
Please review the patch/release notes for your product and version and verify the md5sum of your downloaded file.

ESX 3.5
-------
ESX350-201002401-SG
http://download3.vmware.com/software/vi/ESX350-201002401-SG.zip
md5sum: a91428cb6bc2da794f581aefd5eef010
http://kb.vmware.com/kb/1017660

ESX 3.0.3
---------
ESX303-201002202-SG
http://download3.vmware.com/software/vi/ESX303-201002202-UG.zip
md5sum: b111601ecb6978fbac40df2700d08fe2
http://kb.vmware.com/kb/1018027

6. Change Log
2010-02-16 VMSA-2010-0003
Initial security advisory after release of patches for ESX 3.5
on 2010-02-16.
2010-03-08 VMSA-2010-0003.1
Update after release of ESX 3.0.3 Update 1 on 2010-03-08.
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

  • security-announce at lists.vmware.com
  • bugtraq at securityfocus.com
  • full-disclosure at lists.grok.org.uk

E-mail: security at vmware.com
PGP key at:
http://kb.vmware.com/kb/1055

VMware Security Center
http://www.vmware.com/security

VMware security response policy
http://www.vmware.com/support/policies/security_response.html

General support life cycle policy
http://www.vmware.com/support/policies/eos.html

VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html

Copyright 2010 VMware Inc. All rights reserved.