VMware Security Advisory
Advisory ID: VMSA-2013-0009.3
Synopsis: VMware vSphere, ESX and ESXi updates to third party libraries
Issue date: 2013-07-31
Updated on: 2014-01-16
CVE numbers:
  --- OpenSSL ---
  CVE-2013-0169, CVE-2013-0166
  --- libxml2 (COS and userworld) ---
  CVE-2013-0338
  --- GnuTLS (COS) ---
  CVE-2013-2116
  --- Kernel (COS) ---
  CVE-2013-0268, CVE-2013-0871

1. Summary

VMware has updated several third party libraries in vCenter Server, ESX and ESXi to address multiple security vulnerabilities.
2. Relevant Releases

VMware vCenter 5.1 without Update 2
VMware vCenter 5.0 without Update 3

VMware ESXi 5.1 without patch ESXi510-201401101
VMware ESXi 5.0 without Update 3

VMware ESXi 4.1 without patch ESXi410-201307001

VMware ESX 4.1 without patch ESX410-201307001

VMware ESXi 4.0 without patch ESXi400-201310001

VMware ESX 4.0 without patch ESX400-201310001

3. Problem Description
a. vCenter Server and ESX userworld update for OpenSSL library

The userworld OpenSSL library is updated to version openssl-0.9.8y to resolve multiple security issues.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2013-0169 and CVE-2013-0166 to these issues.

Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware    Product    Running    Replace with /
Product   Version    on         Apply Patch
========  =========  =========  ======================
vCenter   5.1        Windows    vCenter 5.1 Update 2
vCenter   5.0        Windows    vCenter 5.0 Update 3
vCenter   4.1        Windows    patch pending
vCenter   4.0        Windows    patch pending
ESXi      5.1        ESXi       ESXi510-201401101-SG
ESXi      5.0        ESXi       ESXi500-201310101-SG
ESXi      4.1        ESXi       ESXi410-201307401-SG
ESXi      4.0        ESXi       patch pending
ESX       4.1        ESX        ESX410-201307403-SG
ESX       4.0        ESX        patch pending

b. Service Console (COS) update for OpenSSL library

The Service Console OpenSSL library is updated to version openssl-0.9.8e-26.el5_9.1 to resolve multiple security issues.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2013-0169 and CVE-2013-0166 to these issues.

Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware    Product    Running    Replace with /
Product   Version    on         Apply Patch
========  =========  =========  ======================
ESXi      any        ESXi       not affected
ESX       4.1        ESX        ESX410-201307403-SG
ESX       4.0        ESX        ESX400-201310401-SG

c. ESX Userworld and Service Console (COS) update for libxml2 library

The ESX Userworld and Service Console libxml2 library is updated to versions libxml2-2.6.26-2.1.21.el5_9.1 and libxml2-python-2.6.26-2.1.21.el5_9.1 to resolve a security issue.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-0338 to this issue.

Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware    Product    Running    Replace with /
Product   Version    on         Apply Patch
========  =========  =========  ======================
ESXi      5.1        ESXi       ESXi510-201401101-SG
ESXi      5.0        ESXi       ESXi500-201310101-SG
ESXi      4.1        ESXi       ESXi410-201307401-SG
ESXi      4.0        ESXi       ESXi400-201310401-SG
ESX       4.1        ESX        ESX410-201307405-SG
ESX       4.0        ESX        ESX400-201310402-SG

d. Service Console (COS) update for GnuTLS library

The ESX service console GnuTLS RPM is updated to version gnutls-1.4.1-10.el5_9.1 to resolve a security issue.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-2116 to this issue.

Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware    Product    Running    Replace with /
Product   Version    on         Apply Patch
========  =========  =========  ======================
ESXi      any        ESXi       not affected
ESX       4.1        ESX        ESX410-201307404-SG
ESX       4.0        ESX        ESX400-201310401-SG

e. ESX third party update for Service Console kernel

The ESX Service Console Operating System (COS) kernel is updated to kernel-2.6.18-348.3.1.el5, which addresses several security issues in the COS kernel.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2013-0268 and CVE-2013-0871 to these issues.

Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware    Product    Running    Replace with /
Product   Version    on         Apply Patch
========  =========  =========  ======================
ESXi      any        ESXi       not affected
ESX       4.1        ESX        ESX410-201307401-SG
ESX       4.0        ESX        ESX400-201310401-SG

4. Solution


Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.

vCenter Server 5.1 Update 2
---------------------------
The download for vCenter Server includes vSphere Update Manager, vSphere Client and vCenter Orchestrator.

Download link:
https://downloads.vmware.com/d/info/datacenter_cloud_infrastructure/vmware_vsphere/5_1

Release Notes:
https://www.vmware.com/support/pubs/vsphere-esxi-vcenter-server-pubs.html

vCenter Server 5.0 Update 3
---------------------------
The download for vCenter Server includes vSphere Update Manager, vSphere Client and vCenter Orchestrator.

Download link:
https://downloads.vmware.com/d/info/datacenter_cloud_infrastructure/vmware_vsphere/5_0

Release Notes:
https://www.vmware.com/support/pubs/vsphere-esxi-vcenter-server-pubs.html

ESXi and ESX
------------------
http://downloads.vmware.com/go/selfsupport-download

ESXi 5.1
------------------
File: update-from-esxi5.1-5.1_update02.zip
md5sum: 462cb98dc011804d3bad85f54f6b8133
sha1sum: 0352bf0adc78ceead74c7ace256ed87705e64703
http://kb.vmware.com/kb/2062314
update-from-esxi5.1-5.1_update02 contains ESXi510-201401101-SG

ESXi 5.0
------------------
File: update-from-esxi5.0-5.0_update03.zip
md5sum: 7e6185fa3238a4895613b39e57a2a94b
sha1sum: aa3929d2c8183aeaecdc238cbbf4d270bd70dd07
http://kb.vmware.com/kb/2055559

ESXi 4.1
------------------
File: ESXi410-201307001.zip
md5sum: b171ea162cd753782483fa64196e8152
sha1sum: f2f19db06864a05eb4fdfea57626576f2836e718
http://kb.vmware.com/kb/2053396

ESX 4.1
------------------
File: ESX410-201307001.ZIP
md5sum: 60f15f96454b953f7747486a6a261e4f
sha1sum: 8e494b450f539ed65729205333dc3598d6ba87f8
http://kb.vmware.com/kb/2053393

ESXi 4.0
------------------
File: ESXi400-201310001.zip
md5sum: 3075bce1b19a52b053a5dc18d06d40e0
sha1sum: 19952da0dd9f81ea299cb8ae6c462f11566b56e0
http://kb.vmware.com/kb/2059496

ESX 4.0
------------------
File: ESX400-201310001.zip
md5sum: 9d47cf815ed142a17f97002379b5e386
sha1sum: 91082ec4263333f9b996883cb53dbe9aab7a88b5
http://kb.vmware.com/kb/2059490
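
As an added example (not part of the advisory or of any VMware tooling), a Python checker for the step "verify the checksum of your downloaded file": it streams a downloaded bundle once, looks it up by file name in a table built from the md5sum/sha1sum values published in this section, and accepts it only when both digests match. demo() exercises the same logic on a constructed sample file rather than a real download.

```python
import hashlib
import os
import tempfile

# md5sum / sha1sum values as published in section 4 of VMSA-2013-0009.3,
# keyed by download file name.
ADVISORY_CHECKSUMS = {
    "update-from-esxi5.1-5.1_update02.zip":
        ("462cb98dc011804d3bad85f54f6b8133", "0352bf0adc78ceead74c7ace256ed87705e64703"),
    "update-from-esxi5.0-5.0_update03.zip":
        ("7e6185fa3238a4895613b39e57a2a94b", "aa3929d2c8183aeaecdc238cbbf4d270bd70dd07"),
    "ESXi410-201307001.zip":
        ("b171ea162cd753782483fa64196e8152", "f2f19db06864a05eb4fdfea57626576f2836e718"),
    "ESX410-201307001.ZIP":
        ("60f15f96454b953f7747486a6a261e4f", "8e494b450f539ed65729205333dc3598d6ba87f8"),
    "ESXi400-201310001.zip":
        ("3075bce1b19a52b053a5dc18d06d40e0", "19952da0dd9f81ea299cb8ae6c462f11566b56e0"),
    "ESX400-201310001.zip":
        ("9d47cf815ed142a17f97002379b5e386", "91082ec4263333f9b996883cb53dbe9aab7a88b5"),
}

def file_digests(path, chunk_size=1 << 20):
    """Stream the file once and return (md5_hex, sha1_hex)."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()

def verify_download(path, expected=ADVISORY_CHECKSUMS):
    """True only if BOTH published digests match; KeyError if the file name
    is not in the table, so an unlisted bundle is never reported as verified."""
    exp_md5, exp_sha1 = expected[os.path.basename(path)]
    md5, sha1 = file_digests(path)
    return md5 == exp_md5.lower() and sha1 == exp_sha1.lower()

def demo():
    """Constructed sample: a fake bundle holding b"abc", checked against the
    standard digests of "abc" (match) and a copy with one sha1 digit changed."""
    good = {"sample.zip": ("900150983cd24fb0d6963f7d28e17f72",
                           "a9993e364706816aba3e25717850c26c9cd0d89d")}
    bad = {"sample.zip": (good["sample.zip"][0],
                          "a9993e364706816aba3e25717850c26c9cd0d89e")}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.zip")
        with open(path, "wb") as fh:
            fh.write(b"abc")
        return verify_download(path, good), verify_download(path, bad)
```

For a real bundle, call verify_download("/path/to/ESX410-201307001.ZIP") after downloading; the table lookup is by the exact file name shown above, so a renamed file fails closed with a KeyError rather than passing silently.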

6. Change log


2013-07-31 VMSA-2013-0009
Initial security advisory in conjunction with the release of ESX 4.1 patches on 2013-07-31.

2013-10-17 VMSA-2013-0009.1
Updated security advisory in conjunction with the release of vCenter Server 5.0 Update 3 and ESXi 5.0 Update 3 on 2013-10-17.

2013-10-24 VMSA-2013-0009.2
Updated security advisory in conjunction with the release of ESX 4.0 patches on 2013-10-24.

2014-01-16 VMSA-2013-0009.3
Updated security advisory in conjunction with the release of vSphere 5.1 Update 2 on 2014-01-16.

7. Contact


E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

  • security-announce at lists.vmware.com
  • bugtraq at securityfocus.com
  • full-disclosure at lists.grok.org.uk

E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055

VMware Security Advisories
http://www.vmware.com/security/advisories

VMware security response policy
http://www.vmware.com/support/policies/security_response.html

General support life cycle policy
http://www.vmware.com/support/policies/eos.html

VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html

Copyright 2013 VMware Inc. All rights reserved.