Update for Service Console package net-snmp
VMware ESX 3.5 without patch ESX350-201002401-SG
VMware ESX 3.0.3 without patch ESX303-201002202-SG
a. Service Console package net-snmp updated
This patch updates the service console package for net-snmp, net-snmp-utils, and net-snmp-libs to version net-snmp-5.0.9-2.30E.28. This net-snmp update fixes a divide-by-zero flaw in the snmpd daemon. A remote attacker could issue a specially crafted GETBULK request that could cause the snmpd daemon to fail.
This vulnerability was introduced by an incorrect fix for CVE-2008-4309.
The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2009-1887 to this issue.
Note: After installing the previous patch for net-snmp (ESX350-200901409-SG), running the snmpbulkwalk command with the parameter -CnX results in no output, and the snmpd daemon stops.
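To confirm that a service console carries the fixed packages, the following added example (not part of the original advisory or VMware's tooling) compares installed version-release strings against 5.0.9-2.30E.28 using RPM-style segment comparison. It assumes input lines in the form printed by rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' for the three packages, and it ignores epochs; the function names and sample lines are constructed for illustration.

```python
import re

FIXED = "5.0.9-2.30E.28"   # fixed version-release stated in the advisory
PACKAGES = ("net-snmp", "net-snmp-utils", "net-snmp-libs")

def rpmvercmp(a, b):
    """Segment-wise comparison in the style of RPM's rpmvercmp (no ~ or ^ handling)."""
    ta = re.findall(r"[0-9]+|[A-Za-z]+", a)
    tb = re.findall(r"[0-9]+|[A-Za-z]+", b)
    for x, y in zip(ta, tb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # numeric segment beats alphabetic
        kx, ky = (int(x), int(y)) if x.isdigit() else (x, y)
        if kx != ky:
            return 1 if kx > ky else -1
    return (len(ta) > len(tb)) - (len(ta) < len(tb))  # extra segments mean newer

def evr_cmp(a, b):
    """Compare 'version-release' strings: version first, then release."""
    va, _, ra = a.partition("-")
    vb, _, rb = b.partition("-")
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def audit(rpm_lines, fixed=FIXED):
    """Map each package to 'fixed', 'needs patch' or 'not installed'."""
    status = dict.fromkeys(PACKAGES, "not installed")
    for line in rpm_lines:
        parts = line.split()
        # rpm prints "package X is not installed" for absent packages; skip those
        if len(parts) == 2 and parts[0] in status:
            newer_or_equal = evr_cmp(parts[1], fixed) >= 0
            status[parts[0]] = "fixed" if newer_or_equal else "needs patch"
    return status

# Constructed sample output, not captured from a real host.
SAMPLE = [
    "net-snmp 5.0.9-2.30E.28",
    "net-snmp-utils 5.0.9-2.30E.9",
    "package net-snmp-libs is not installed",
]

if __name__ == "__main__":
    for name, state in audit(SAMPLE).items():
        print(name, state)
```

A plain string comparison would rank release 2.30E.9 above 2.30E.28; the numeric segment comparison is what flags it as older than the fix.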
The following table lists what action remediates the vulnerability (column 4) if a solution is available.
* hosted products are VMware Workstation, Player, ACE, Server, Fusion.
Please review the patch/release notes for your product and version and verify the md5sum of your downloaded file.
Initial security advisory after release of patches for ESX 3.5
Update after release of ESX 3.0.3 Update 1 on 2010-03-08.
E-mail list for product security notifications and announcements:
This Security Advisory is posted to the following lists: