Sign up for Security
Advisories

Enter your email address:


VMSA-2009-0016.6

VMware vCenter and ESX update release and vMA patch release address multiple security issues in third party components.

VMware Security Advisory
Advisory ID: VMSA-2009-0016.6
Synopsis: VMware vCenter and ESX update release and vMA patch release address multiple security issues in third party components.
Issue date: 2009-11-20
Updated on: 2010-03-29
CVE numbers: --- JRE ---
CVE-2009-1093 CVE-2009-1094 CVE-2009-1095
CVE-2009-1096 CVE-2009-1097 CVE-2009-1098
CVE-2009-1099 CVE-2009-1100 CVE-2009-1101
CVE-2009-1102 CVE-2009-1103 CVE-2009-1104
CVE-2009-1105 CVE-2009-1106 CVE-2009-1107
CVE-2009-2625 CVE-2009-2670 CVE-2009-2671
CVE-2009-2672 CVE-2009-2673 CVE-2009-2675
CVE-2009-2676 CVE-2009-2716 CVE-2009-2718
CVE-2009-2719 CVE-2009-2720 CVE-2009-2721
CVE-2009-2722 CVE-2009-2723 CVE-2009-2724
--- Tomcat ---
CVE-2008-5515 CVE-2009-0033 CVE-2009-0580
CVE-2009-0781 CVE-2009-0783 CVE-2008-1232
CVE-2008-1947 CVE-2008-2370 CVE-2007-5333
CVE-2007-5342 CVE-2007-5461 CVE-2007-6286
CVE-2008-0002
--- ntp ---
CVE-2009-1252 CVE-2009-0159
--- kernel ---
CVE-2008-3528 CVE-2008-5700 CVE-2009-0028
CVE-2009-0269 CVE-2009-0322 CVE-2009-0675
CVE-2009-0676 CVE-2009-0778 CVE-2008-4307
CVE-2009-0834 CVE-2009-1337 CVE-2009-0787
CVE-2009-1336 CVE-2009-1439 CVE-2009-1633
CVE-2009-1072 CVE-2009-1630 CVE-2009-1192
CVE-2007-5966 CVE-2009-1385 CVE-2009-1388
CVE-2009-1389 CVE-2009-1895 CVE-2009-2406
CVE-2009-2407 CVE-2009-2692 CVE-2009-2698
CVE-2009-0745 CVE-2009-0746 CVE-2009-0747
CVE-2009-0748 CVE-2009-2847 CVE-2009-2848
--- python ---
CVE-2007-2052 CVE-2007-4965 CVE-2008-1721
CVE-2008-1887 CVE-2008-2315 CVE-2008-3142
CVE-2008-3143 CVE-2008-3144 CVE-2008-4864
CVE-2008-5031
--- bind ---
CVE-2009-0696
--- libxml and libxml2 ---
CVE-2009-2414 CVE-2009-2416
--- curl --
CVE-2009-2417
--- gnutil ---
CVE-2007-2052
1. Summary

Updated Java JRE packages and Tomcat packages address several
security issues. Updates for the ESX Service Console and vMA include
kernel, ntp, Python, bind libxml, libxml2, curl and gnutil packages.
ntp is also updated for ESXi userworlds.
2. Relevant releases

vCenter Server 4.0 before Update 1

Virtual Center 2.5 before Update 6

ESXi 4.0 without patch ESXi400-200911201-UG

ESXi 3.5 without patch ESXe350-201002401-O-SG

ESX 4.0 without patches ESX400-200911201-UG, ESX400-200911223-UG,
ESX400-200911232-SG, ESX400-200911233-SG,
ESX400-200911234-SG, ESX400-200911235-SG,
ESX400-200911237-SG, ESX400-200911238-SG

ESX 3.5 without patches ESX350-201002407-SG, ESX350-201002402-SG,
ESX350-201002404-SG, ESX350-201003403-SG

ESX 3.0.3 without patches ESX303-201002206-SG ESX303-201002204-SG
ESX303-201002205-SG

vMA 4.0 before patch 02
3. Problem Description
a. JRE Security Update

JRE update to version 1.5.0_20, which addresses multiple security
issues that existed in earlier releases of JRE.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the following names to the security issues fixed in
JRE 1.5.0_18: CVE-2009-1093, CVE-2009-1094, CVE-2009-1095,
CVE-2009-1096, CVE-2009-1097, CVE-2009-1098, CVE-2009-1099,
CVE-2009-1100, CVE-2009-1101, CVE-2009-1102, CVE-2009-1103,
CVE-2009-1104, CVE-2009-1105, CVE-2009-1106, and CVE-2009-1107.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the following names to the security issues fixed in
JRE 1.5.0_20: CVE-2009-2625, CVE-2009-2670, CVE-2009-2671,
CVE-2009-2672, CVE-2009-2673, CVE-2009-2675, CVE-2009-2676,
CVE-2009-2716, CVE-2009-2718, CVE-2009-2719, CVE-2009-2720,
CVE-2009-2721, CVE-2009-2722, CVE-2009-2723, CVE-2009-2724.

The following table lists what action remediates the vulnerability
(column 4) if a solution is available.

VMware Product Running Replace with/
Product Version on Apply Patch
============= ======= ======= =================
vCenter 4.0 Windows Update 1
VirtualCenter 2.5 Windows see VMSA-2010-0002
VirtualCenter 2.0.2 Windows affected, no patch planned
       
Workstation any any not affected
       
Player any any not affected
       
Server 2.0 any affected, no patch planned
Server 1.0 any not affected
       
ACE any any  not affected
       
Fusion any any not affected
       
ESXi any ESXi not affected
       
ESX 4.0 ESX ESX400-200911223-UG
ESX 3.5 ESX see VMSA-2010-0002.1
ESX 3.0.3 ESX affected, no patch planned
ESX 2.5.5 ESX not affected
       
vMA 4.0 RHEL5 Patch 2 *


* vMA JRE is updated to version JRE 1.5.0_21

Notes: These vulnerabilities can be exploited remotely only if the
attacker has access to the Service Console network.

Security best practices provided by VMware recommend that the
Service Console be isolated from the VM network. Please see
http://www.vmware.com/resources/techresources/726 for more
information on VMware security best practices.

The currently installed version of JRE depends on your patch
deployment history.
b. Update Apache Tomcat version

Update for VirtualCenter and ESX patch update the Tomcat package to
version 6.0.20 (vSphere 4.0) or version 5.5.28 (VirtualCenter 2.5)
which addresses multiple security issues that existed
in the previous version of Apache Tomcat.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the following names to the security issues fixed in
Apache Tomcat 6.0.20 and Tomcat 5.5.28: CVE-2008-5515,
CVE-2009-0033, CVE-2009-0580, CVE-2009-0781, CVE-2009-0783.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the following names to the security issues fixed in
Apache Tomcat 6.0.18: CVE-2008-1232, CVE-2008-1947, CVE-2008-2370.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the following names to the security issues fixed in
Apache Tomcat 6.0.16: CVE-2007-5333, CVE-2007-5342, CVE-2007-5461,
CVE-2007-6286, CVE-2008-0002.

The following table lists what action remediates the vulnerability
(column 4) if a solution is available.

VMware Product Running Replace with/
Product Version on Apply Patch
============= ======= ======= =================
vCenter 4.0 Windows Update 1
VirtualCenter 2.5 Windows Update 6
VirtualCenter 2.0.2 Windows affected, no patch planned
       
Workstation any any not affected
       
Player any any not affected
       
ACE any Windows not affected
       
Server 2.x any affected, no patch planned
Server 1.x any not affected
       
Fusion any Mac OS/X not affected
       
ESXi any ESXi not affected
       
ESX 4.0 ESX ESX400-200911223-UG
ESX 3.5 ESX ESX350-201003403-SG
ESX 3.0.3 ESX affected, no patch planned
ESX 2.5.5 ESX not affected
       
vMA 4.0 RHEL5 not affected


Notes: These vulnerabilities can be exploited remotely only if the
attacker has access to the Service Console network.

Security best practices provided by VMware recommend that the
Service Console be isolated from the VM network. Please see
http://www.vmware.com/resources/techresources/726 for more
information on VMware security best practices.

The currently installed version of Tomcat depends on your
patch deployment history.
c. Third party library update for ntp.

The Network Time Protocol (NTP) is used to synchronize a computer's
time with a referenced time source.

ESXi 3.5 and ESXi 4.0 have a ntp client that is affected by the
following security issue. Note that the same security issue is
present in the ESX Service Console as described in section d. of
this advisory.

A buffer overflow flaw was discovered in the ntpd daemon's NTPv4
authentication code. If ntpd was configured to use public key
cryptography for NTP packet authentication, a remote attacker could
use this flaw to send a specially-crafted request packet that could
crash ntpd or, potentially, execute arbitrary code with the
privileges of the "ntp" user.

The Common Vulnerabilities and Exposures Project (cve.mitre.org)
has assigned the name CVE-2009-1252 to this issue.

The NTP security issue identified by CVE-2009-0159 is not relevant
for ESXi 3.5 and ESXi 4.0.

The following table lists what action remediates the vulnerability
in this component (column 4) if a solution is available.

VMware Product Running Replace with/
Product Version on Apply Patch
============= ======= ======= =================
VirtualCenter any Windows not affected
       
hosted * any any not affected
       
ESXi 4.0 ESXi ESXi400-200911201-UG
ESXi 3.5 ESXi ESXe350-201002401-O-SG
       
ESX 4.0 ESX not affected
ESX 3.5 ESX not affected
ESX 3.0.3 ESX not affected
ESX 2.5.5 ESX not affected
       
vMA 4.0 RHEL5 not affected


* hosted products are VMware Workstation, Player, ACE, Server, Fusion.
d. Service Console update for ntp

Service Console package ntp updated to version ntp-4.2.2pl-9el5_3.2

The Network Time Protocol (NTP) is used to synchronize a computer's
time with a referenced time source.

The Service Console present in ESX is affected by the following
security issues.

A buffer overflow flaw was discovered in the ntpd daemon's NTPv4
authentication code. If ntpd was configured to use public key
cryptography for NTP packet authentication, a remote attacker could
use this flaw to send a specially-crafted request packet that could
crash ntpd or, potentially, execute arbitrary code with the
privileges of the "ntp" user.

NTP authentication is not enabled by default on the Service Console.

The Common Vulnerabilities and Exposures Project (cve.mitre.org)
has assigned the name CVE-2009-1252 to this issue.

A buffer overflow flaw was found in the ntpq diagnostic command. A
malicious, remote server could send a specially-crafted reply to an
ntpq request that could crash ntpq or, potentially, execute
arbitrary code with the privileges of the user running the ntpq
command.

The Common Vulnerabilities and Exposures Project (cve.mitre.org)
has assigned the name CVE-2009-0159 to this issue.

The following table lists what action remediates the vulnerability
in the Service Console (column 4) if a solution is available.

VMware Product Running Replace with/
Product Version on Apply Patch
============= ======= ======= =================
vCenter any Windows not affected
       
hosted * any any not affected
       
ESXi any ESXi not affected
       
ESX 4.0 ESX ESX400-200911238-SG
ESX 3.5 ESX affected, patch pending **
ESX 3.0.3 ESX affected, patch pending **
ESX 2.5.5 ESX no patch planned **
       
vMA 4.0 RHEL5 Patch 2


* hosted products are VMware Workstation, Player, ACE, Server, Fusion.

** The service consoles of ESX 2.5.5, ESX 3.0.3 and ESX 3.5 are not
affected by CVE-2009-1252. The security issue identified by
CVE-2009-0159 has a low impact on the service console of ESX 2.5.5,
ESX 3.0.3 and ESX 3.5.
e. Updated Service Console package kernel

Updated Service Console package kernel addresses the security
issues listed below.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2008-3528, CVE-2008-5700, CVE-2009-0028,
CVE-2009-0269, CVE-2009-0322, CVE-2009-0675, CVE-2009-0676,
CVE-2009-0778 to the security issues fixed in kernel
2.6.18-128.1.6.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2008-4307, CVE-2009-0834, CVE-2009-1337,
CVE-2009-0787, CVE-2009-1336 to the security issues fixed in
kernel 2.6.18-128.1.10.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2009-1439, CVE-2009-1633, CVE-2009-1072,
CVE-2009-1630, CVE-2009-1192 to the security issues fixed in
kernel 2.6.18-128.1.14.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2007-5966, CVE-2009-1385, CVE-2009-1388,
CVE-2009-1389, CVE-2009-1895, CVE-2009-2406, CVE-2009-2407 to the
security issues fixed in kernel 2.6.18-128.4.1.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2009-2692, CVE-2009-2698 to the
security issues fixed in kernel 2.6.18-128.7.1.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2009-0745, CVE-2009-0746, CVE-2009-0747,
CVE-2009-0748, CVE-2009-2847, CVE-2009-2848 to the security issues
fixed in kernel 2.6.18-164.

The following table lists what action remediates the vulnerability
(column 4) if a solution is available.

VMware Product Running Replace with/
Product Version on Apply Patch
============= ======= ======= =================
vCenter any Windows not applicable
       
hosted * any any not applicable
       
ESXi any ESXi not applicable
       
ESX 4.0 ESX ESX400-200911201-UG
ESX 3.5 ESX not applicable
ESX 3.0.3 ESX not applicable
ESX 2.5.5 ESX not applicable
       
vMA 4.0 RHEL5 Patch 2 **


* hosted products are VMware Workstation, Player, ACE, Server, Fusion.

** vMA is updated to kernel version 2.6.18-164.
f. Updated Service Console package python


Service Console package Python update to version 2.4.3-24.el5.

When the assert() system call was disabled, an input sanitization
flaw was revealed in the Python string object implementation that
led to a buffer overflow. The missing check for negative size values
meant the Python memory allocator could allocate less memory than
expected. This could result in arbitrary code execution with the
Python interpreter's privileges.

Multiple buffer and integer overflow flaws were found in the Python
Unicode string processing and in the Python Unicode and string
object implementations. An attacker could use these flaws to cause
a denial of service.

Multiple integer overflow flaws were found in the Python imageop
module. If a Python application used the imageop module to
process untrusted images, it could cause the application to
disclose sensitive information, crash or, potentially, execute
arbitrary code with the Python interpreter's privileges.

Multiple integer underflow and overflow flaws were found in the
Python snprintf() wrapper implementation. An attacker could use
these flaws to cause a denial of service (memory corruption).

Multiple integer overflow flaws were found in various Python
modules. An attacker could use these flaws to cause a denial of
service.

An integer signedness error, leading to a buffer overflow, was
found in the Python zlib extension module. If a Python application
requested the negative byte count be flushed for a decompression
stream, it could cause the application to crash or, potentially,
execute arbitrary code with the Python interpreter's privileges.

A flaw was discovered in the strxfrm() function of the Python
locale module. Strings generated by this function were not properly
NULL-terminated, which could possibly cause disclosure of data
stored in the memory of a Python application using this function.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2007-2052 CVE-2007-4965 CVE-2008-1721
CVE-2008-1887 CVE-2008-2315 CVE-2008-3142 CVE-2008-3143
CVE-2008-3144 CVE-2008-4864 CVE-2008-5031 to these issues.

The following table lists what action remediates the vulnerability
(column 4) if a solution is available.

VMware Product Running Replace with/
Product Version on Apply Patch
============= ======= ======= =================
vCenter any Windows not applicable
       
hosted * any any not applicable
       
ESXi any ESXi not applicable
       
ESX 4.0 ESX ESX400-200911235-SG
ESX 3.5 ESX ESX350-201002402-SG
ESX 3.0.3 ESX ESX303-201002206-SG
ESX 2.5.5 ESX affected, no patch planned
       
vMA 4.0 RHEL5 Patch 2


* hosted products are VMware Workstation, Player, ACE, Server, Fusion.
g. Updated Service Console package bind

Service Console package bind updated to version 9.3.6-4.P1.el5

The Berkeley Internet Name Domain (BIND) is an implementation of the
Domain Name System (DNS) protocols. BIND includes a DNS server
(named); a resolver library (routines for applications to use when
interfacing with DNS); and tools for verifying that the DNS server
is operating correctly.

A flaw was found in the way BIND handles dynamic update message
packets containing the "ANY" record type. A remote attacker could
use this flaw to send a specially-crafted dynamic update packet
that could cause named to exit with an assertion failure.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2009-0696 to this issue.

The following table lists what action remediates the vulnerability
(column 4) if a solution is available.

VMware Product Running Replace with/
Product Version on Apply Patch
============= ======= ======= =================
vCenter any Windows not applicable
       
hosted * any any not applicable
       
ESXi any ESXi not applicable
       
ESX 4.0 ESX ESX400-200911237-SG
ESX 3.5 ESX ESX350-201002404-SG
ESX 3.0.3 ESX ESX303-201002205-SG
ESX 2.5.5 ESX affected, no patch planned
       
vMA 4.0 RHEL5 Patch 2


* hosted products are VMware Workstation, Player, ACE, Server, Fusion.
h. Updated Service Console package libxml2

Service Console package libxml2 updated to version 2.6.26-2.1.2.8.

libxml is a library for parsing and manipulating XML files. A
Document Type Definition (DTD) defines the legal syntax (and also
which elements can be used) for certain types of files, such as XML
files.

A stack overflow flaw was found in the way libxml processes the
root XML document element definition in a DTD. A remote attacker
could provide a specially-crafted XML file, which once opened by a
local, unsuspecting user, would lead to denial of service.

Multiple use-after-free flaws were found in the way libxml parses
the Notation and Enumeration attribute types. A remote attacker
could provide a specially-crafted XML file, which once opened by a
local, unsuspecting user, would lead to denial of service.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2009-2414 and CVE-2009-2416 to these
issues.

The following table lists what action remediates the vulnerability
(column 4) if a solution is available. 

VMware Product Running Replace with/
Product Version on Apply Patch
============= ======= ======= =================
vCenter any Windows not applicable
       
hosted * any any not applicable
       
ESXi any ESXi not applicable
       
ESX 4.0 ESX ESX400-200911234-SG
ESX 3.5 ESX ESX350-201002407-SG
ESX 3.0.3 ESX ESX303-201002204-SG
ESX 2.5.5 ESX affected, no patch planned
       
vMA 4.0 RHEL5 Patch 2

* hosted products are VMware Workstation, Player, ACE, Server, Fusion.
i. Updated Service Console package curl

Service Console package curl updated to version 7.15.5-2.1.el5_3.5

A cURL is affected by the previously published "null prefix attack",
caused by incorrect handling of NULL characters in X.509
certificates. If an attacker is able to get a carefully-crafted
certificate signed by a trusted Certificate Authority, the attacker
could use the certificate during a man-in-the-middle attack and
potentially confuse cURL into accepting it by mistake.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2009-2417 to this issue

The following table lists what action remediates the vulnerability
(column 4) if a solution is available.

VMware Product Running Replace with/
Product Version on Apply Patch
============= ======= ======= =================
vCenter any Windows not applicable
       
hosted * any any not applicable
       
ESXi any ESXi not applicable
       
ESX 4.0 ESX ESX400-200911232-SG
ESX 3.5 ESX not affected
ESX 3.0.3 ESX not affected
ESX 2.5.5 ESX not affected
       
vMA 4.0 RHEL5 Patch 2

* hosted products are VMware Workstation, Player, ACE, Server, Fusion.
j. Updated Service Console package gnutls

Service Console package gnutil updated to version 1.4.1-3.el5_3.5

A flaw was discovered in the way GnuTLS handles NULL characters in
certain fields of X.509 certificates. If an attacker is able to get
a carefully-crafted certificate signed by a Certificate Authority
trusted by an application using GnuTLS, the attacker could use the
certificate during a man-in-the-middle attack and potentially
confuse the application into accepting it by mistake.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2009-2730 to this issue

The following table lists what action remediates the vulnerability
(column 4) if a solution is available.

VMware Product Running Replace with/
Product Version on Apply Patch
============= ======= ======= =================
vCenter any Windows not applicable
       
hosted * any any not applicable
       
ESXi any ESXi not applicable
       
ESX 4.0 ESX ESX400-200911233-SG
ESX 3.5 ESX not affected
ESX 3.0.3 ESX not affected
ESX 2.5.5 ESX not affected
       
vMA 4.0 RHEL5 Patch 2

* hosted products are VMware Workstation, Player, ACE, Server, Fusion.
4. Solution

Please review the patch/release notes for your product and version
and verify the md5sum of your downloaded file.

VMware vCenter Server 4 Update 1
--------------------------------
Version 4.0 Update 1
Build Number 208156
Release Date 2009/11/19
Type Product Binaries
http://downloads.vmware.com/download/download.do?downloadGroup=VC40U1

VMware vCenter Server 4 and modules
File size: 1.8 GB
File type: .iso
MD5SUM: 057d55b32eb27fe5f3e01bc8d3df3bc5
SHA1SUM: c90134418c2e4d3d6637d8bee44261300ad95ec1

VMware vCenter Server 4 and modules
File size: 1.5 GB
File type: .zip
MD5SUM: f843d9c19795eb3bc5a77f5c545468a8
SHA1SUM: 9a7abd8e70bd983151e2ee40e1b3931525c4480c

VMware vSphere Client and Host Update Utility
File size: 113.8 MB
File type: .exe
MD5SUM: 6cc6b2c958e7e9529c284e48dfae22a9
SHA1SUM: f4c19c63a75d93cffc57b170066358160788c959

VMware vCenter Converter BootCD
File size: 98.8 MB
File type: .zip
MD5SUM: 3df94eb0e93de76b0389132ada2a3799
SHA1SUM: 5d7c04e4f9f8ae25adc8de5963fefd8a4c92464c

VMware vCenter Converter CLI (Linux)
File size: 36.9 MB
File type: .tar.gz
MD5SUM: 3766097563936ba5e03e87e898f6bd48
SHA1SUM: 36d485bdb5eb279296ce8c8523df04bfb12a2cb4


VMware Virtual Center 2.5 Update 6
-----------------------------------
Version 2.5 Update 6
Build Number 227637
Release Date 2010/01/29
Type Product Binaries
http://downloads.vmware.com/download/download.do?downloadGroup=VC250U6

VirtualCenter DVD image - English only version
File size: 854 MB
File type: .iso
md5sum: d83b09ac0533a418d5b7f5493dbd3ed3
sha1sum: 1b969b397a937402b5e9463efc767eff7a980ad0

VirtualCenter as a Zip file - English only version
File size: 625 MB
File type: .zip
md5sum: 760f335ebcd363e0e159b20da923621f
sha1sum: e400bc1008d1e4c44d204a8135293b8ae305f14e

VMware vCenter Converter BootCD
VMware Converter Enterprise BootCD for VirtualCenter
File size: 97 MB
File type: .zip
md5sum: e49e0ff0f2563196cc5d4b5c471cd666

VMware vCenter Converter CLI (Linux)
VMware Converter Enterprise CLI for Linux platform
File size: 37 MB
File type: .tar.gz
md5sum: 30d1f5e58a6cad8dacd988908305bc1c


ESXi 4.0 Update 1
-----------------
ESXi400-200911201-UG
https://hostupdate.vmware.com/software/VUM/OFFLINE/release-155-20091116-013169/ESXi-4.0.0-update01.zip
md5sum:c6fdd6722d9e5cacb280bdcc2cca0627
sha1sum:de9d4875f86b6493f9da991a8cff37784215db2e
http://kb.vmware.com/kb/1014886

NOTE: The three ESXi patches for Firmware, VMware Tools, and the
VI Client "C" are contained in a single download file.

ESXi 3.5
--------
ESXe350-201002401-O-SG
http://download3.vmware.com/software/vi/ESXe350-201002401-O-SG.zip
md5sum: 0c8d4d1c0e3c2aed9f785cf081225d83
http://kb.vmware.com/kb/1015047 (Vi Client)
http://kb.vmware.com/kb/1016665 (VM Tools)
http://kb.vmware.com/kb/1017685 (Firmware)

ESX 4.0
-------
ESX400-200911223-UG (Update 1a)
https://hostupdate.vmware.com/software/VUM/OFFLINE/release-166-20091202-254879/ESX-4.0.0-update01a.zip
md5sum: 99c1fcafbf0ca105ce73840d686e9914
sha1sum: aa8a23416271bc28b6b8f6bdbe00045e36314ebb
http://kb.vmware.com/kb/1014842

To install an individual bulletin use esxupdate with the -b option.
esxupdate --bundle=ESX-4.0.0-update01.zip -b ESX400-200911223-UG
-b ESX400-200911238-SG -b ESX400-200911201-UG -b ESX400-200911235-SG
-b ESX400-200911237-SG -b ESX400-200911234-SG -b ESX400-200911232-SG
-b ESX400-200911233-SG update

ESX 3.5
-------
ESX350-201002407-SG (libxml2)
http://download3.vmware.com/software/vi/ESX350-201002407-SG.zip
md5sum: 73d53ef1da1da0104a7c0380b44a7b05
http://kb.vmware.com/kb/1017679

ESX350-201002402-SG (python)
http://download3.vmware.com/software/vi/ESX350-201002402-SG.zip
md5sum: fafa5cefbfdb06dfb576831ff3d9c1ae
http://kb.vmware.com/kb/1017663

ESX350-201002404-SG (bind)
http://download3.vmware.com/software/vi/ESX350-201002404-SG.zip
md5sum: 211f9a447a649d2c3f909208b89037af
http://kb.vmware.com/kb/1017665

ESX350-201003403-SG (Tomcat)
http://download3.vmware.com/software/vi/ESX350-201003403-SG.zip
md5sum: cdddef476c06eeb28c10c5dac3730dca
http://kb.vmware.com/kb/1018702


ESX 3.0.3
---------
ESX303-201002204-SG (libxml2)
http://download3.vmware.com/software/vi/ESX303-201002204-UG.zip
md5sum: 84f5a74f629241b616b2c8f2d7e2bfe6
http://kb.vmware.com/kb/1018031

ESX303-201002206-SG (python)
http://download3.vmware.com/software/vi/ESX303-201002206-UG.zip
md5sum: 33a2bb95a988015273e2d6970e242583
http://kb.vmware.com/kb/1018033

ESX303-201002205-SG (bind)
http://download3.vmware.com/software/vi/ESX303-201002205-UG.zip
md5sum: 27c255d70d5e71048deb73008ffdf98e
http://kb.vmware.com/kb/1018032
5. References

http://kb.vmware.com/kb/1016070

CVE numbers
--- JRE ---
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1093
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1094
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1095
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1096
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1097
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1098
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1099
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1100
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1101
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1102
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1103
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1104
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1105
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1106
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1107
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2625
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2670
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2671
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2672
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2673
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2675
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2676
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2716
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2718
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2719
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2720
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2721
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2722
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2723
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2724
--- Tomcat ---
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5515
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0033
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0580
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0781
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0783
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1232
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1947
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2370
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5333
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5342
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5461
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6286
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0002
--- ntp ---
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1252
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0159
--- kernel ---
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3528
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5700
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0028
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0269
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0322
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0675
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0676
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0778
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4307
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0834
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1337
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0787
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1336
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1439
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1633
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1072
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1630
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1192
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5966
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1385
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1388
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1389
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1895
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2406
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2407
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2692
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2698
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0745
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0746
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0747
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0748
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2847
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2848
--- python ---
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2052
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4965
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1721
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1887
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2315
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3142
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3143
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3144
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4864
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5031
--- bind ---
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0696
--- libxml and libxml2 ---
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2414
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2416
--- curl --
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2417
--- gnutil ---
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2052
6. Change log

2009-11-20 VMSA-2009-0016
Initial security advisory after release of vCenter 4.0 Update 1 and
ESX 4.0 Update 1 on 2009-11-19 and release of vMA Patch 2 on 2009-11-23.
2009-12-15 VMSA-2009-0016.1
The information of the ESX 4.0 Update 1 download in this advisory has
been updated. Upgrading to ESX 4.0 Update 1 can fail or time out and
leave the host in an unusable state if using HP Systems Insight
Management Agent. ESX 4.0 Update 1a (a re-release of ESX 4.0 Update 1)
addresses this issue. Please read KB article (ID 1016070) before
proceeding with the upgrade.
2010-01-29 VMSA-2009-0016.2
Updated security advisory after release of Virtual Center 2.5 Update 6
on 2010-01-29
2010-02-16 VMSA-2010-0016.3
Updated security advisory after release of ESXi and ESX 3.5 patches
on 2010-02-16.
2010-03-08 VMSA-2010-0016.4
Updated after release of ESX 3.0.3 Update 1 on 2010-03-08
2010-03-29 VMSA-2010-0016.5
Updated security advisory after release of ESX 3.5 patch for WebAccess.
7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

* security-announce at lists.vmware.com
* bugtraq at securityfocus.com
* full-disclosure at lists.grok.org.uk

E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055

VMware Security Center
http://www.vmware.com/security

VMware security response policy
http://www.vmware.com/support/policies/security_response.html

General support life cycle policy
http://www.vmware.com/support/policies/eos.html

VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html

Copyright 2009-2010 VMware Inc. All rights reserved.