VMSA-2013-0001.4

VMware

VMSA-2013-0001.4

	VMware Security Advisory
Advisory ID:	VMSA-2013-0001.4
Synopsis:	VMware vSphere security updates for the authentication service and third party libraries
Issue date:	2013-01-31
Updated on:	2013-04-25
CVE numbers:	--- vSphere authentication --- CVE-2013-1405 --- libxml2 --- CVE-2011-3102, CVE-2012-2807 --- bind (service console) --- CVE-2012-4244 --- xslt (service console) --- CVE-2011-1202, CVE-2011-3970, CVE-2012-2825, CVE-2012-2870, CVE-2012-2871

1. Summary

VMware vSphere security updates for the authentication service and third party libraries

2. Relevant releases

vCenter Server 4.1 without Update 3a
vCenter Server 4.0 without Update 4b
VirtualCenter 2.5 without Update 6c

vSphere Client 4.1 without Update 3a
vSphere Client 4.0 without Update 4b
VI-Client 2.5 without Update 6c

ESXi 5.0 without Update 1
ESXi 5.0 without patch ESXi500-201303101-SG
ESXi 4.1 without patch ESXi410-201301401-SG
ESXi 4.0 without patches ESXi400-201302401-SG and ESXi400-201302403-SG
ESXi 3.5 without patches ESXe350-201302401-I-SG and ESXe350-201302403-C-SG

ESX 4.1 without patches ESX410-201301401-SG, ESX410-201301402-SG, ESX410-201301403-SG, and ESX410-201301405-SG
ESX 4.0 without patch ESX400-201302401-SG
ESX 3.5 without patch ESX350-201302401-SG

3. Problem Description

a. VMware vSphere client-side authentication memory corruption vulnerability

VMware vCenter Server, vSphere Client, and ESX contain a vulnerability in the handling of the management authentication protocol. To exploit this vulnerability, an attacker must convince either vCenter Server, vSphere Client or ESX to interact with a malicious server as a client. Exploitation of the issue may lead to code execution on the client system.

To reduce the likelihood of exploitation, vSphere components should be deployed on an isolated management network.

The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2013-1405 to this issue.

Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware	Product	Running	Replace with/
Product	Version	on	Apply Patch
=============	=======	=======	=================
vCenter Server	5.1	Windows	not affected
vCenter Server	5.0	Windows	not affected
vCenter Server	4.1	Windows	4.1 Update 3a
vCenter Server	4.0	Windows	4.0 Update 4b
VirtualCenter	2.5	Windows	2.5 Update 6c

vSphere Client	5.1	Windows	not affected
vSphere Client	5.0	Windows	not affected
vSphere Client	4.1	Windows	4.1 Update 3a **
vSphere Client	4.0	Windows	4.0 Update 4b **
VI-Client	2.5	Windows	2.5 Update 6c **

ESXi	5.1	ESXi	not affected
ESXi	5.0	ESXi	not affected
ESXi	4.1	ESXi	ESXi410-201301401-SG
ESXi	4.0	ESXi	ESXi400-201302401-SG
			ESXi400-201302403-SG (vSphere client)
ESXi	3.5	ESXi	ESXe350-201302401-I-SG
			ESXe350-201302403-C-SG (vSphere client)

ESX	4.1	ESX	ESX410-201301401-SG
ESX	4.0	ESX	ESX400-201302401-SG (includes vSphere client)
ESX	3.5	ESX	ESX350-201302401-SG (includes vSphere client)

* hosted products are VMware Workstation, Player, ACE, Fusion.
** To remediate CVE-2013-1405, customers must apply updates to all components of the authentication service. First, customers should update vCenter Server or ESXi/ESX as apropriate to ensure that the updated vSphere Client is downloaded. Then, the vSphere client can be updated using any one of the following methods:

Run the installer that ships with vCenter Server
Follow the client installation link on the vCenter Server welcome page
Follow the client installation link on the ESXi/ESX Server welcome page

b. Update to ESX/ESXi libxml2 userworld and service console

The ESX/ESXi userworld libxml2 library has been updated to resolve multiple security issues. Also, the ESX service console libxml2 packages are updated to the following versions:

libxml2-2.6.26-2.1.15.el5_8.5
libxml2-python-2.6.26-2.1.15.el5_8.5

These updates fix multiple security issues. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2011-3102 and CVE-2012-2807 to these issues.

Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware	Product	Running	Replace with/
Product	Version	on	Apply Patch
=============	=======	=======	=================
ESXi	5.1	ESXi	see VMSA-2013-0004
ESXi	5.0	ESXi	see VMSA-2013-0004
ESXi	4.1	ESXi	ESXi410-201301401-SG
ESXi	4.0	ESXi	no patch planned
ESXi	3.5	ESXi	not applicable

ESX	4.1	ESX	ESX410-201301405-SG
ESX	4.0	ESX	no patch planned
ESX	3.5	ESX	no patch planned

c. Update to ESX service console bind packages

The ESX service console bind packages are updated to the following versions:

bind-libs-9.3.6-20.P1.el5_8.2
bind-utils-9.3.6-20.P1.el5_8.2

These updates fix a security issue. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2012-4244 to this issue.

Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware	Product	Running	Replace with/
Product	Version	on	Apply Patch
=============	=======	=======	=================
ESXi	any	ESXi	not applicable

ESX	4.1	ESX	ESX410-201301402-SG
ESX	4.0	ESX	patch pending
ESX	3.5	ESX	not applicable

d. Update to ESX service console libxslt package

The ESX service console libxslt package is updated to version libxslt-1.1.17-4.el5_8.3 to resolve multiple security issues.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2011-1202, CVE-2011-3970, CVE-2012-2825, CVE-2012-2870, and CVE-2012-2871 to these issues.

Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware	Product	Running	Replace with/
Product	Version	on	Apply Patch
=============	=======	=======	=================
ESXi	any	ESXi	not applicable

ESX	4.1	ESX	ESX410-201301403-SG
ESX	4.0	ESX	not affected
ESX	3.5	ESX	not applicable

4. Solution

Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.

vCenter Server 4.1 Update 3a
---------------------------
The download for vCenter Server includes vSphere Update Manager, vSphere Client, and vCenter Orchestrator.
Download link:
https://downloads.vmware.com/d/info/datacenter_cloud_infrastructure/vmware_vsphere/4_1
Release Notes:
https://www.vmware.com/support/vsphere4/doc/vsp_vc41_u3a_rel_notes.html

vCenter Server 4.0 Update 4b
---------------------------
The download for vCenter Server includes vSphere Update Manager, vSphere Client, and vCenter Orchestrator.
Download link:
https://downloads.vmware.com/d/info/datacenter_cloud_infrastructure/vmware_vsphere/4_0
Release Notes:
https://www.vmware.com/support/vsphere4/doc/vsp_vc40_u4b_rel_notes.html

VirtualCenter 2.5 Update U6c
---------------------------
Download link:
http://downloads.vmware.com/d/info/datacenter_downloads/vmware_infrastructure_3/3_5
Release Notes:
https://www.vmware.com/support/vi3/doc/vi3_vc25u6c_rel_notes.html

ESXi and ESX
------------
https://my.vmware.com/web/vmware/downloads

ESXi 4.1
--------
File: ESXi410-201301001.zip
md5sum: 3543d3f16a1f1b1369dcdb5c25fa7106
sha1sum: cced12e87838a3b037c9ec99d8490809c61fe883
http://kb.vmware.com/kb/2041332
ESXi410-201301001 contains ESXi410-201301401-SG

ESXi 4.0
--------
File: ESXi400-201302001.zip
md5sum: 03dc9246239dd449bf21a122e7b1bcf3
sha1sum: 276346a186c068c1fdbf19e1b753b8a2dbc8c89c
http://kb.vmware.com/kb/2041344
ESXi400-201302001 contains ESXi400-201302401-SG and ESXi400-201302403-SG

ESXi 3.5
--------
File: ESXe350-201302401-O-SG.zip
md5sum: a2c5f49bc865625b3796c41c202d1696
sha1sum: 12d25011d9940ea40d45f77a4e5bcc7e7b0c0cee
http://kb.vmware.com/kb/2042543
ESXi350-201302401-O-SG contains ESXe350-201302401-I-SG and ESXe350-201302403-C-SG

ESX 4.1
-------
File: ESX410-201301001.zip
md5sum: 0219dbcbcc6fafe8bf33695682c8658d
sha1sum: 2eab9d56ac81f7d2d00c15b155bd93c36b0e03c3
http://kb.vmware.com/kb/2041331
ESX410-201301001 contains ESX410-201301401-SG, ESX410-201301402-SG, ESX410-201301403-SG, and ESX410-201301405-SG

ESX 4.0
-------
File: ESX400-201302001.zip
md5sum: 2a883e737c3cde990fe4792c64c32fcd
sha1sum: 92c3b13ab3fdee73c335d5e8b41159f546def199
http://kb.vmware.com/kb/2041343
ESX400-201302001 contains ESX400-201302401-SG

ESX 3.5
-------
File: ESX350-201302401-SG.zip
md5sum: e703cb0bc3e1eaa8932a96ea96f34a00
sha1sum: 91dcf1bf7194a289652d0904dd7af8bce0a1d2dd
http://kb.vmware.com/kb/2042541
ESX350-201302401-SG contains ESX350-201302401-SG

5. References

6. Change log

2013-01-31 VMSA-2013-0001
Initial security advisory in conjunction with the release of vCenter 4.1 Update 3a and ESX 4.1 patches on 2013-01-31.

2013-02-07 VMSA-2013-0001.1
Updated security advisory to include vCenter 4.0 Update 4b and patches for ESX 4.0.

2013-02-21 VMSA-2013-0001.2
Updated security advisory to include vCenter 2.5 Update U6c and patches for ESX 3.5 released on 2013-02-21.

2013-03-28 VMSA-2013-0001.3
Updated security advisory for issue b) due to ESXi 5.0 update released on 2013-03-28.

2013-04-25 VMSA-2013-0001.4
Updated security advisory for issue b) due to ESXi 5.1 update released on 2013-04-25.

7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

security-announce at lists.vmware.com
bugtraq at securityfocus.com
full-disclosure at lists.grok.org.uk

E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055

VMware Security Advisories
http://www.vmware.com/security/advisories

VMware security response policy
http://www.vmware.com/support/policies/security_response.html

General support life cycle policy
http://www.vmware.com/support/policies/eos.html

VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html

Copyright 2013 VMware Inc. All rights reserved.