VMSA-2013-0009.3

VMware vSphere, ESX and ESXi updates to third party libraries

VMware Security Advisory

Advisory ID:    VMSA-2013-0009.3
Synopsis:       VMware vSphere, ESX and ESXi updates to third party libraries
Issue date:     2013-07-31
Updated on:     2014-01-16
CVE numbers:    --- OpenSSL ---
                CVE-2013-0169, CVE-2013-0166
                --- libxml2 (COS and userworld) ---
                CVE-2013-0338
                --- GnuTLS (COS) ---
                CVE-2013-2116
                --- Kernel (COS) ---
                CVE-2013-0268, CVE-2013-0871

1. Summary


VMware has updated several third party libraries in vCenter Server, ESX and ESXi to address multiple security vulnerabilities.

2. Relevant Releases

VMware vCenter 5.1 without Update 2
VMware vCenter 5.0 without Update 3

VMware ESXi 5.1 without patch ESXi510-201401101
VMware ESXi 5.0 without Update 3

VMware ESXi 4.1 without patch ESXi410-201307001

VMware ESX 4.1 without patch ESX410-201307001

VMware ESXi 4.0 without patch ESXi400-201310001

VMware ESX 4.0 without patch ESX400-201310001

3. Problem Description

a. vCenter Server and ESX userworld update for OpenSSL library

The userworld OpenSSL library is updated to version openssl-0.9.8y to resolve multiple security issues.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2013-0169 and CVE-2013-0166 to these issues.

Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware         Product   Running   Replace with/
Product        Version   on        Apply Patch
=============  ========  ========  =============================
vCenter        5.1       Windows   vCenter 5.1 Update 2
vCenter        5.0       Windows   vCenter 5.0 Update 3
vCenter        4.1       Windows   patch pending
vCenter        4.0       Windows   patch pending
ESXi           5.1       ESXi      ESXi510-201401101-SG
ESXi           5.0       ESXi      ESXi500-201310101-SG
ESXi           4.1       ESXi      ESXi410-201307401-SG
ESXi           4.0       ESXi      patch pending
ESX            4.1       ESX       ESX410-201307403-SG
ESX            4.0       ESX       patch pending

b. Service Console (COS) update for OpenSSL library

The Service Console OpenSSL library is updated to version openssl-0.9.8e-26.el5_9.1 to resolve multiple security issues.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2013-0169 and CVE-2013-0166 to these issues.

Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware         Product   Running   Replace with/
Product        Version   on        Apply Patch
=============  ========  ========  =============================
ESXi           any       ESXi      not affected
ESX            4.1       ESX       ESX410-201307403-SG
ESX            4.0       ESX       ESX400-201310401-SG

c. ESX Userworld and Service Console (COS) update for libxml2 library

The ESX Userworld and Service Console libxml2 library is updated to versions libxml2-2.6.26-2.1.21.el5_9.1 and libxml2-python-2.6.26-2.1.21.el5_9.1 to resolve a security issue.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-0338 to this issue.

Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware         Product   Running   Replace with/
Product        Version   on        Apply Patch
=============  ========  ========  =============================
ESXi           5.1       ESXi      ESXi510-201401101-SG
ESXi           5.0       ESXi      ESXi500-201310101-SG
ESXi           4.1       ESXi      ESXi410-201307401-SG
ESXi           4.0       ESXi      ESXi400-201310401-SG
ESX            4.1       ESX       ESX410-201307405-SG
ESX            4.0       ESX       ESX400-201310402-SG

d. Service Console (COS) update for GnuTLS library

The ESX service console GnuTLS RPM is updated to version gnutls-1.4.1-10.el5_9.1 to resolve a security issue.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-2116 to this issue.

Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware         Product   Running   Replace with/
Product        Version   on        Apply Patch
=============  ========  ========  =============================
ESXi           any       ESXi      not affected
ESX            4.1       ESX       ESX410-201307404-SG
ESX            4.0       ESX       ESX400-201310401-SG

e. ESX third party update for Service Console kernel

The ESX Service Console Operating System (COS) kernel is updated to kernel-2.6.18-348.3.1.el5 which addresses several security issues in the COS kernel.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2013-0268 and CVE-2013-0871 to these issues.

Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware         Product   Running   Replace with/
Product        Version   on        Apply Patch
=============  ========  ========  =============================
ESXi           any       ESXi      not affected
ESX            4.1       ESX       ESX410-201307401-SG
ESX            4.0       ESX       ESX400-201310401-SG

4. Solution


Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.

vCenter Server 5.1 Update 2
---------------------------
The download for vCenter Server includes vSphere Update Manager, vSphere Client and vCenter Orchestrator

Download link:
https://downloads.vmware.com/d/info/datacenter_cloud_infrastructure/vmware_vsphere/5_1

Release Notes:
https://www.vmware.com/support/pubs/vsphere-esxi-vcenter-server-pubs.html

vCenter Server 5.0 Update 3
---------------------------
The download for vCenter Server includes vSphere Update Manager, vSphere Client and vCenter Orchestrator

Download link:
https://downloads.vmware.com/d/info/datacenter_cloud_infrastructure/vmware_vsphere/5_0

Release Notes:
https://www.vmware.com/support/pubs/vsphere-esxi-vcenter-server-pubs.html

ESXi and ESX
------------------
http://downloads.vmware.com/go/selfsupport-download

ESXi 5.1
------------------
File: update-from-esxi5.1-5.1_update02.zip
md5sum: 462cb98dc011804d3bad85f54f6b8133
sha1sum: 0352bf0adc78ceead74c7ace256ed87705e64703
http://kb.vmware.com/kb/2062314
update-from-esxi5.1-5.1_update02 contains ESXi510-201401101-SG

ESXi 5.0
------------------
File: update-from-esxi5.0-5.0_update03.zip
md5sum: 7e6185fa3238a4895613b39e57a2a94b
sha1sum: aa3929d2c8183aeaecdc238cbbf4d270bd70dd07
http://kb.vmware.com/kb/2055559

ESXi 4.1
------------------
File: ESXi410-201307001.zip
md5sum: b171ea162cd753782483fa64196e8152
sha1sum: f2f19db06864a05eb4fdfea57626576f2836e718
http://kb.vmware.com/kb/2053396

ESX 4.1
------------------
File: ESX410-201307001.ZIP
md5sum: 60f15f96454b953f7747486a6a261e4f
sha1sum: 8e494b450f539ed65729205333dc3598d6ba87f8
http://kb.vmware.com/kb/2053393

ESXi 4.0
------------------
File: ESXi400-201310001.zip
md5sum: 3075bce1b19a52b053a5dc18d06d40e0
sha1sum: 19952da0dd9f81ea299cb8ae6c462f11566b56e0
http://kb.vmware.com/kb/2059496

ESX 4.0
------------------
File: ESX400-201310001.zip
md5sum: 9d47cf815ed142a17f97002379b5e386
sha1sum: 91082ec4263333f9b996883cb53dbe9aab7a88b5
http://kb.vmware.com/kb/2059490
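
The checksum step in section 4, as an added example that is not part of this advisory: a POSIX shell script that checks a downloaded bundle against the md5sum/sha1sum pair listed for it above, and walks a manifest of such entries. It assumes the coreutils md5sum and sha1sum tools are on PATH; the function names and the manifest layout are the example's own.

```shell
#!/bin/sh
# Added example, not part of the VMware advisory: check a downloaded patch
# bundle against the md5sum/sha1sum values published in section 4 above.
# Assumes POSIX sh plus the coreutils md5sum and sha1sum tools on PATH.

# verify_bundle FILE MD5 SHA1
# Returns 0 when both digests match, 1 on a mismatch, 2 if FILE is absent.
verify_bundle() {
    file=$1
    # Advisories print lowercase hex; normalise whatever the caller pasted.
    want_md5=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    want_sha1=$(printf '%s' "$3" | tr 'A-F' 'a-f')
    if [ ! -f "$file" ]; then
        echo "MISSING  $file" >&2
        return 2
    fi
    # md5sum/sha1sum print "<digest>  <name>"; keep only the digest field.
    got_md5=$(md5sum "$file" | cut -d' ' -f1)
    got_sha1=$(sha1sum "$file" | cut -d' ' -f1)
    if [ "$got_md5" = "$want_md5" ] && [ "$got_sha1" = "$want_sha1" ]; then
        echo "OK       $file"
        return 0
    fi
    echo "MISMATCH $file: md5 $got_md5 (want $want_md5), sha1 $got_sha1 (want $want_sha1)" >&2
    return 1
}

# verify_manifest MANIFEST
# MANIFEST holds one "<file> <md5sum> <sha1sum>" line per bundle, copied
# from section 4, e.g. (values from this advisory):
#   ESX410-201307001.ZIP 60f15f96454b953f7747486a6a261e4f 8e494b450f539ed65729205333dc3598d6ba87f8
# Blank lines and '#' comments are skipped. Returns the number of bundles
# that failed to verify, so 0 means every listed file checked out.
verify_manifest() {
    bad=0
    while read -r f m s; do
        case $f in ''|'#'*) continue ;; esac
        if ! verify_bundle "$f" "$m" "$s"; then
            bad=$((bad + 1))
        fi
    done < "$1"
    return "$bad"
}

# Stand-alone use: sh verify_bundles.sh <manifest>
if [ "$#" -eq 1 ]; then
    verify_manifest "$1"
fi
```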

6. Change log


2013-07-31 VMSA-2013-0009
Initial security advisory in conjunction with the release of ESX 4.1 patches on 2013-07-31.

2013-10-17 VMSA-2013-0009.1
Updated security advisory in conjunction with the release of vCenter Server 5.0 Update 3 and ESXi 5.0 Update 3 on 2013-10-17

2013-10-24 VMSA-2013-0009.2
Updated security advisory in conjunction with the release of ESX 4.0 patches on 2013-10-24.

2014-01-16 VMSA-2013-0009.3
Updated security advisory in conjunction with the release of vSphere 5.1 Update 2 on 2014-01-16.

7. Contact


E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

  • security-announce at lists.vmware.com
  • bugtraq at securityfocus.com
  • full-disclosure at lists.grok.org.uk

E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055

VMware Security Advisories
http://www.vmware.com/security/advisories

VMware security response policy
http://www.vmware.com/support/policies/security_response.html

General support life cycle policy
http://www.vmware.com/support/policies/eos.html

VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html

Copyright 2013 VMware Inc. All rights reserved.