VMSA-2011-0001.3

VMware ESX third party updates for Service Console packages glibc, sudo, and openldap

VMware Security Advisory
 
VMware Security Advisory Advisory ID:
VMSA-2011-0001.3
VMware Security Advisory Synopsis:
VMware ESX third party updates for Service Console packages glibc, sudo, and openldap
VMware Security Advisory Issue date:
2011-01-04
VMware Security Advisory Updated on:
2011-10-27
VMware Security Advisory CVE numbers:
CVE-2010-3847 CVE-2010-3856 CVE-2010-2956
CVE-2010-0211 CVE-2010-0212
1. Summary

ESX 4.0 Service Console OS (COS) updates for glibc, sudo, and openldap packages.

 
2. Relevant releases

VMware ESX 4.1 without patches ESX410-201101226-SG, ESX410-201104404-SG

VMware ESX 4.0 without patches ESX400-201101405-SG, ESX400-201101404-SG

 

3. Problem Description

a. Service Console update for glibc
The service console packages glibc, glibc-common, and nscd are each updated to version 2.5-34.4908.vmw.
The Common Vulnerabilities and Exposures project ( cve.mitre.org) has assigned the names CVE-2010-3847 and CVE-2010-3856 to the issues addressed in this update.
Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware Product =============
Product Version =======
Running on =======
Replace with/ Apply Patch =================
VMware Product ============= VirtualCente
Product Version ======= any
Running on ======= Windows
Replace with/ Apply Patch ================= not affected
VMware Product ============= hosted*
Product Version ======= any
Running on ======= any
Replace with/ Apply Patch ================= not affected
VMware Product ============= ESXi
Product Version ======= any
Running on ======= ESXi
Replace with/ Apply Patch ================= not applicable
VMware Product ============= ESX
Product Version ======= 5.0
Running on ======= ESX
Replace with/ Apply Patch ================= not affected
VMware Product ============= ESX
Product Version ======= 4.1
Running on ======= ESX
Replace with/ Apply Patch ================= ESX410-201101226-SG
VMware Product ============= ESX
Product Version ======= 4.0
Running on ======= ESX
Replace with/ Apply Patch ================= ESX400-201101405-SG
VMware Product ============= ESX
Product Version ======= 3.5
Running on ======= ESX
Replace with/ Apply Patch ================= not applicable
VMware Product ============= ESX
Product Version ======= 3.0.3
Running on ======= ESX
Replace with/ Apply Patch ================= not applicable


* hosted products are VMware Workstation, Player, ACE, Fusion.

b. Service Console update for sudo
The service console package sudo is updated to version 1.7.2p1-8.el5_5.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2010-2956 to the issue addressed in this update.
Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware Product =============
Product Version =======
Running on =======
Replace with/ Apply Patch =================
VMware Product ============= VirtualCenter
Product Version ======= any
Running on ======= Windows
Replace with/ Apply Patch ================= not affected
VMware Product ============= hosted *
Product Version ======= any
Running on ======= any
Replace with/ Apply Patch ================= not affected
VMware Product ============= ESXi
Product Version ======= any
Running on ======= ESXi
Replace with/ Apply Patch ================= not affected
VMware Product ============= ESX
Product Version ======= 5.0
Running on ======= ESX
Replace with/ Apply Patch ================= not affected
VMware Product ============= ESX
Product Version ======= 4.1
Running on ======= ESX
Replace with/ Apply Patch ================= ESX410-201104404-SG
VMware Product ============= ESX
Product Version ======= 4.0
Running on ======= ESX
Replace with/ Apply Patch ================= ESX400-201101404-SG
VMware Product ============= ESX
Product Version ======= 3.5
Running on ======= ESX
Replace with/ Apply Patch ================= not applicable
VMware Product ============= ESX
Product Version ======= 3.0.3
Running on ======= ESX
Replace with/ Apply Patch ================= not applicable


* hosted products are VMware Workstation, Player, ACE, Fusion.

c. Service Console update for openldap
The service console package openldap is updated to version 2.3.43-12.el5_5.1.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2010-0211 and CVE-2010-0212 to the issues addressed in this update.
Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware Product =============
Product Version =======
Running on =======
Replace with/ Apply Patch =================
VMware Product ============= VirtualCenter
Product Version ======= any
Running on ======= Windows
Replace with/ Apply Patch ================= not affected
VMware Product ============= hosted *
Product Version ======= any
Running on ======= any
Replace with/ Apply Patch ================= not affected
VMware Product ============= ESXi
Product Version ======= any
Running on ======= ESXi
Replace with/ Apply Patch ================= not affected
VMware Product ============= ESX
Product Version ======= 5.0
Running on ======= ESX
Replace with/ Apply Patch ================= patch pending
VMware Product ============= ESX
Product Version ======= 4.1
Running on ======= ESX
Replace with/ Apply Patch ================= not affected **
VMware Product ============= ESX
Product Version ======= 4.0
Running on ======= ESX
Replace with/ Apply Patch ================= ESX400-201101402-SG **
VMware Product ============= ESX
Product Version ======= 3.5
Running on ======= ESX
Replace with/ Apply Patch ================= not applicable
VMware Product ============= ESX
Product Version ======= 3.0.3
Running on ======= ESX
Replace with/ Apply Patch ================= not applicable


* hosted products are VMware Workstation, Player, ACE, Fusion. ** After the initial advisory, it was determined that ESX does not contain the affected component of openldap.

4. Solution

Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.

VMware ESX 4.1
---------------------------
VMware ESX 4.1 Update 1
Download link:
https://hostupdate.vmware.com/software/VUM/OFFLINE/release-259-20110127-527075/update-from-esx4.1-4.1_update01.ziph
md5sum: md5sum: 2d81a87e994aa2b329036f11d90b4c14
sha1sum: c2bfc0cf7ac03d24afd5049ddbd09a865aad1798
http://kb.vmware.com/kb/1029353

update-from-esx4.1-4.1_update01 contains the following security bulletins:
ESX410-201101226-SG (glibc)
http://kb.vmware.com/kb/1031330 ESX410-201101201-SG (core & CIM)
http://kb.vmware.com/kb/1027904

VMware ESX 4.1 Update 1 also contains the following non-security bulletins
ESX410-201101219-UG, ESX410-201101203-UG, ESX410-201101214-UG,
ESX410-201101217-UG, ESX410-201101215-UG, ESX410-201101225-UG,
ESX410-201101223-UG, ESX410-201101216-UG, ESX410-201101202-UG,
ESX410-201101222-UG, ESX410-201101220-UG, ESX410-201101213-UG,
ESX410-201101218-UG, ESX410-201101204-UG, ESX410-201101221-UG,
ESX410-201101211-UG, ESX410-201101206-UG, ESX410-201101207-UG,
ESX410-201101224-UG, ESX410-201101208-UG.

To install an individual bulletin use esxupdate with the -b option.

VMware ESX 4.0
---------------------------
ESX400-201101001
Download link:
https://hostupdate.vmware.com/software/VUM/OFFLINE/release-257-20101231-664659/ESX400-201101001.zip
md5sum: f1d522b380692e0845eb0dda480ab890
sha1sum: 906989af3ddacc41321d685c4afe0d740856f9d5
http://kb.vmware.com/kb/1029426

ESX400-201101001 contains the following security bulletins:
ESX400-201101401-SG (COS kernel)
http://kb.vmware.com/kb/1029424 ESX400-201101405-SG (glibc)
http://kb.vmware.com/kb/1029881 ESX400-201101404-SG (sudo)
http://kb.vmware.com/kb/1029421 ESX400-201101402-SG (openldap)
http://kb.vmware.com/kb/1029423

ESX400-201101401-SG is documented in VMSA-2010-0017.1.

To install an individual bulletin use esxupdate with the -b option.

6. Change log

2011-01-04 VMSA-2011-0001 Initial security advisory in conjunction with the release of patches for ESX 4.0 on 2011-01-04.

2011-02-10 VMSA-2011-0001.1 Updated security advisory in conjunction with the release of patches for ESX 4.1 as part of the ESX 4.1 Update 1 release on 2011-02-10.

2011-04-28 VMSA-2011-0001.2 Updated advisory after release of ESX 4.1 patches on 2011-04-28.

2011-10-27 VMSA-2010-0001.3 Updated section 3.c on openldap. After the initial advisory, it was determined that ESX does not contain the affected component of openldap.

 
7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

  • security-announce at lists.vmware.com
  • bugtraq at securityfocus.com
  • full-disclosure at lists.grok.org.uk

E-mail: security at vmware.com
PGP key at:
http://kb.vmware.com/kb/1055

VMware Security Advisories
http://www.vmware.com/security/advisories

VMware security response policy
http://www.vmware.com/support/policies/security_response.html

General support life cycle policy
http://www.vmware.com/support/policies/eos.html

VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html


Copyright 2011 VMware Inc. All rights reserved.