VMSA-2008-0013.4
Updated ESX packages for OpenSSL, net-snmp, perl
VMware Security Advisory
CVE-2008-0960, CVE-2008-1927
1. Summary
Updated ESX packages for OpenSSL, net-snmp, perl
2. Relevant releases
ESX 3.5 without patches ESX350-200808405-SG, ESX350-200808406-SG
ESX 3.0.3 without patches ESX303-200808401-SG ESX303-200808402-SG
ESX 3.0.2 without patches ESX-1005116 ESX-1006031 ESX-1006037
ESX 3.0.1 without patches ESX-1005115 ESX-1006030 ESX-1006355
Note: Extended support (Security and Bug fixes) for ESX 3.0.2 ends on 10/29/2008 and Extended support for ESX 3.0.2 Update 1 ends on 8/8/2009. Users should plan to upgrade to ESX 3.0.3 and preferably to the newest release available.
Extended Support (Security and Bug fixes) for ESX 3.0.1 has ended on 2008-07-31. The 3.0.1 patches are released in August because there was no patch release in July.
3. Problem Description
I Security Issues
a. OpenSSL Binaries Updated
This fix updates the third party OpenSSL library.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2007-3108 and CVE-2007-5135 to the issues addressed by this update.
VMware Product =============
Product Version =======
Running on =======
Replace with/ Apply Patch =================
* hosted products are VMware Workstation, Player, ACE, Server, Fusion
II Service Console rpm updates
a. net-snmp Security update
This fix upgrades the service console rpm for net-snmp to version net-snmp-5.0.9-2.30E.24.
Note: this update is relevant for ESX 3.0.3. The initial advisory incorrectly stated that this update was present in ESX 3.0.3 when it was released on August 8, 2008.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2008-2292 and CVE-2008-0960 to the issues addressed in net-snmp-5.0.9-2.30E.24.
VMware Product =============
Product Version =======
Running on =======
Replace with/ Apply Patch =================
* hosted products are VMware Workstation, Player, ACE, Server, Fusion
b. perl Security update
This fix upgrades the service console rpm for perl to version perl-5.8.0-98.EL3.
Note: this update is relevant for ESX 3.0.3. The initial advisory incorrectly stated that this update was present in ESX 3.0.3 when it was released on August 8, 2008.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2008-1927 to the issue addressed in perl-5.8.0-98.EL3.
VMware Product =============
Product Version =======
Running on =======
Replace with/ Apply Patch =================
* hosted products are VMware Workstation, Player, ACE, Server, Fusion
4. Solution
Please review the patch/release notes for your product and version
and verify the md5sum of your downloaded file.
ESX
---
ESX 3.5 patch ESX350-200808405-SG (net-snmp)
download3.vmware.com/software/esx/ESX350-200808405-SG.zip
md5sum: df41ff24c3f805958e7f270c5475dc42
kb.vmware.com/kb/1005814
ESX 3.5 patch ESX350-200808406-SG (perl)
download3.vmware.com/software/esx/ESX350-200808406-SG.zip
md5sum: 6916a5ea5533948ce17e4f4e7f61cd02
kb.vmware.com/kb/1005815
ESX 3.0.3 build 104629
ESX Server 3.0.3 CD image
md5sum: c2cda9242c6981c7eba1004e8fc5626d
Upgrade package from ESX Server 2.x to ESX Server 3.0.3
md5sum: 0ad8fa4707915139d8b2343afebeb92b
Upgrade package from earlier releases of ESX Server 3 to ESX Server 3.0.3
md5sum: ff7f3dc12d34b474b231212bdf314113
release notes:
www.vmware.com/support/vi3/doc/releasenotes_esx303.html
ESX 3.0.3 (net-snmp)
download3.vmware.com/software/vi/ESX303-200808401-SG.zip
md5sum: 93b8281b4e491e0c564c94a1419136cd
kb.vmware.com/kb/1006032
ESX 3.0.3 (perl)
download3.vmware.com/software/vi/ESX303-200808402-SG.zip
md5sum: a6734a3438da0492b3cad6c0bb462da4
kb.vmware.com/kb/1006033
ESX 3.0.2 (OpenSSL)
download3.vmware.com/software/vi/ESX-1005116.tgz
md5sum: 96fbbf2baf0744d7f23bfa1730be258d
kb.vmware.com/kb/1005116
ESX 3.0.2 (net-snmp)
download3.vmware.com/software/vi/ESX-1006031.tgz
md5sum: affd9ec9feaa7b42e0828c9634a40d56
kb.vmware.com/kb/1006031
ESX 3.0.2 (perl)
download3.vmware.com/software/vi/ESX-1006037.tgz
md5sum: 8c18cf1a06e359d5014efa04c3ca3787
kb.vmware.com/kb/1006037
ESX 3.0.1 (OpenSSL)
download3.vmware.com/software/vi/ESX-1005115.tgz
md5sum: ebaa361c959836156b707e824095dc99
kb.vmware.com/kb/1005115
ESX 3.0.1 (net-snmp)
download3.vmware.com/software/vi/ESX-1006030.tgz
md5sum: 3a52550ca6c958fc09af8ca4484aa6c9
kb.vmware.com/kb/1006030
ESX 3.0.1 (perl)
download3.vmware.com/software/vi/ESX-1006355.tgz
md5sum: 866846fa1f96cef45608a0e16e1ef979
kb.vmware.com/kb/1006355
6. Change log
2008-08-12 VMSA-2008-0013
Initial release following release of ESX 3.0.3.
2008-08-26 VMSA-2008-0013.1
Corrected version information for the net-snmp and perl Service Console
rpms that are present in ESX 3.0.3 released on August 8. Previous
communication incorrectly stated that these rpms had been updated.
Updates for these rpms will be provided in an upcoming patch release.
2008-08-29 VMSA-2008-0013.2
Updated version information after the release of patches with updates
for net-snmp and Perl for ESX301, ESX302 and ESX303 on August 28.
Added version information after the release of patches with an update
for OpenSSL for ESX301, and ESX302 on August 28.
2008-09-18 VMSA-2008-0013.3
Added updated information for net-snmp and perl after the release of
patches for ESXi 3.5 and ESX 3.5 on 2008-09-18.
7. Contact
E-mail list for product security notifications and announcements:
lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
* security-announce at lists.vmware.com
* bugtraq at securityfocus.com
* full-disclosure at lists.grok.org.uk
E-mail: security at vmware.com
PGP key at:
kb.vmware.com/kb/1055
VMware Security Center
www.vmware.com/security
VMware security response policy
www.vmware.com/support/policies/security_response.html
General support life cycle policy
www.vmware.com/support/policies/eos.html
VMware Infrastructure support life cycle policy
www.vmware.com/support/policies/eos_vi.html
Copyright 2008 VMware Inc. All rights reserved.