Update for Service Console package net-snmp
VMware ESX 3.5 without patch ESX350-201002401-SG
VMware ESX 3.0.3 without patch ESX303-201002202-SG
a. Service Console package net-snmp updated
This patch updates the service console package for net-snmp, net-snmp-utils, and net-snmp-libs to version net-snmp-5.0.9-2.30E.28. This net-snmp update fixes a divide-by- zero flaw in the snmpd daemon. A remote attacker could issue a specially crafted GETBULK request that could cause the snmpd daemon to fail.
This vulnerability was introduced by an incorrect fix for CVE-2008-4309.
The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2009-1887 to this issue.
Note: After installing the previous patch for net-snmp (ESX350-200901409-SG), running the snmpbulkwalk command with the parameter -CnX results in no output, and the snmpd daemon stops.
The following table lists what action remediates the vulnerability (column 4) if a solution is available.
* hosted products are VMware Workstation, Player, ACE, Server, Fusion.
Please review the patch/release notes for your product and version and verify the md5sum of your downloaded file.
ESX 3.5
-------
ESX350-201002401-SG
http://download3.vmware.com/software/vi/ESX350-201002401-SG.zip
md5sum: a91428cb6bc2da794f581aefd5eef010
http://kb.vmware.com/kb/1017660
ESX 3.0.3
---------
ESX303-201002202-SG
http://download3.vmware.com/software/vi/ESX303-201002202-UG.zip
md5sum: b111601ecb6978fbac40df2700d08fe2
http://kb.vmware.com/kb/1018027
CVE numbers
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1887
2010-02-16 VMSA-2010-0003
Initial security advisory after release of patches for ESX 3.5
on 2010-02-16.
2010-03-08 VMSA-2010-0003.1
Update after release of ESX 3.0.3 Update 1 on 2010-03-08.
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists: