VMSA-2010-0003.1

VMSA-2010-0003.1 ESX Service Console update for net-snmp

VMware Security Advisory

VMware Security Advisory Advisory ID:

VMSA-2010-0003.1

VMware Security Advisory Synopsis:

VMSA-2010-0003.1 ESX Service Console update for net-snmp

VMware Security Advisory Issue date:

2010-02-16

VMware Security Advisory Updated on:

2010-03-08

VMware Security Advisory CVE numbers:

CVE-2009-1887

1. Summary

Update for Service Console package net-snmp

2. Relevant releases

VMware ESX 3.5 without patch ESX350-201002401-SG
VMware ESX 3.0.3 without patch ESX303-201002202-SG

3. Problem Description

a. Service Console package net-snmp updated
This patch updates the service console package for net-snmp, net-snmp-utils, and net-snmp-libs to version net-snmp-5.0.9-2.30E.28. This net-snmp update fixes a divide-by- zero flaw in the snmpd daemon. A remote attacker could issue a specially crafted GETBULK request that could cause the snmpd daemon to fail.

This vulnerability was introduced by an incorrect fix for CVE-2008-4309.

The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2009-1887 to this issue.

Note: After installing the previous patch for net-snmp (ESX350-200901409-SG), running the snmpbulkwalk command with the parameter -CnX results in no output, and the snmpd daemon stops.

The following table lists what action remediates the vulnerability (column 4) if a solution is available.

VMware Product =============

Product Version ========

Running On =======

Replace with Apply Path =================

VMware Product ============= VirtualCenter

Product Version ======== any

Running On ======= Windows

Replace with Apply Path ================= not affected

VMware Product ============= hosted *

Product Version ======== any

Running On ======= any

Replace with Apply Path ================= not affected

VMware Product ============= ESXi

Product Version ======== any

Running On ======= ESXi

Replace with Apply Path ================= not affected

VMware Product ============= ESX

Product Version ======== 4.0

Running On ======= ESX

Replace with Apply Path ================= not affected

VMware Product ============= ESX

Product Version ======== 3.5

Running On ======= ESX

Replace with Apply Path ================= ESX350-201002401-SG

VMware Product ============= ESX

Product Version ======== 3.0.3

Running On ======= ESX

Replace with Apply Path ================= ESX303-201002202-SG

VMware Product ============= ESX

Product Version ======== 2.0.5

Running On ======= ESX

Replace with Apply Path ================= not affected

* hosted products are VMware Workstation, Player, ACE, Server, Fusion.

4. Solution

Please review the patch/release notes for your product and version and verify the md5sum of your downloaded file.

ESX 3.5
-------
ESX350-201002401-SG
http://download3.vmware.com/software/vi/ESX350-201002401-SG.zip
md5sum: a91428cb6bc2da794f581aefd5eef010
http://kb.vmware.com/kb/1017660

ESX 3.0.3
---------
ESX303-201002202-SG
http://download3.vmware.com/software/vi/ESX303-201002202-UG.zip
md5sum: b111601ecb6978fbac40df2700d08fe2
http://kb.vmware.com/kb/1018027

5. References

CVE numbers
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1887

6. Change Log

2010-02-16 VMSA-2010-0003
Initial security advisory after release of patches for ESX 3.5
on 2010-02-16.
2010-03-08 VMSA-2010-0003.1
Update after release of ESX 3.0.3 Update 1 on 2010-03-08.

7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

security-announce at lists.vmware.com
bugtraq at securityfocus.com
full-disclosure at lists.grok.org.uk

E-mail: security at vmware.com
PGP key at:
http://kb.vmware.com/kb/1055

VMware Security Center
http://www.vmware.com/security

VMware security response policy
http://www.vmware.com/support/policies/security_response.html

General support life cycle policy
http://www.vmware.com/support/policies/eos.html

VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html

Copyright 2010 VMware Inc. All rights reserved.

Today’s Multi-Cloud Reality: Cloud Chaos

87% of enterprises use two or more cloud environments to run their applications. Multi-cloud accelerates digital transformation, but also introduces complexity and risk, resulting in a chaotic reality for many organizations.

Conquer Cloud Chaos with VMware Cross-Cloud services

Anywhere Workspace

App Platform

Cloud & Edge Infrastructure

Cloud Management

Desktop Hypervisor

Security & Networking

Run VMware on any Cloud. Any Environment. Anywhere.

On Public & Hybrid Clouds

On Private & Local Clouds

Solutions

Anywhere Workspace Access Any App on Any Device Securely

App Platform Build and Operate Cloud Native Apps

Cloud Infrastructure Run Enterprise Apps Anywhere

Cloud Management Automate and Optimize Apps and Clouds

Edge Infrastructure Enable the Multi-Cloud Edge

Networking Enable Connectivity for Apps and Clouds

Security Secure Apps and Clouds

By Industry

VMware AI Solutions

For Customers

For Partners

Working Together with Partners for Customer Success

Tools & Training

Services

Support

Marketplace

Videos

Blogs & Communities

Customers

Events

VMSA-2010-0003.1

VMSA-2010-0003.1 ESX Service Console update for net-snmp

VMware Security Advisory

1. Summary

2. Relevant releases

3. Problem Description

VMware Product =============

Product Version ========

Running On =======

Replace with Apply Path =================

4. Solution

5. References

6. Change Log

7. Contact

Security

Anywhere Workspace
Access Any App on Any Device Securely

App Platform
Build and Operate Cloud Native Apps

Cloud Infrastructure
Run Enterprise Apps Anywhere

Cloud Management
Automate and Optimize Apps and Clouds

Edge Infrastructure
Enable the Multi-Cloud Edge

Networking
Enable Connectivity for Apps and Clouds

Security
Secure Apps and Clouds