VMSA-2011-0003.2

VMware Security Advisory
 
VMware Security Advisory Advisory ID:
  VMSA-2011-0003.2
VMware Security Advisory Synopsis:
  Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX
VMware Security Advisory Issue date:
 
VMware Security Advisory Updated on:
 
VMware Security Advisory CVE numbers:
 
VMSA-2011-0003.2

Third part component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX

------------------------------------------------------------------------

VMware Security Advisory

Advisory ID: VMSA-2011-0003.2

Synopsis: Third party component updates for VMware vCenter

Server, vCenter Update Manager, ESXi and ESX

Issue date: 2011-02-10

Updated on: 2011-05-05

CVE numbers: --- Apache Tomcat ---

CVE-2009-2693 CVE-2009-2901 CVE-2009-2902

CVE-2009-3548 CVE-2010-2227 CVE-2010-1157

--- Apache Tomcat Manager ---

CVE-2010-2928

--- cURL ---

CVE-2010-0734

--- COS Kernel ---

CVE-2010-1084 CVE-2010-2066 CVE-2010-2070

CVE-2010-2226 CVE-2010-2248 CVE-2010-2521

CVE-2010-2524 CVE-2010-0008 CVE-2010-0415

CVE-2010-0437 CVE-2009-4308 CVE-2010-0003

CVE-2010-0007 CVE-2010-0307 CVE-2010-1086

CVE-2010-0410 CVE-2010-0730 CVE-2010-1085

CVE-2010-0291 CVE-2010-0622 CVE-2010-1087

CVE-2010-1173 CVE-2010-1437 CVE-2010-1088

CVE-2010-1187 CVE-2010-1436 CVE-2010-1641

CVE-2010-3081 CVE-2010-2240

--- Microsoft SQL Express ---

CVE-2008-5416 CVE-2008-0085 CVE-2008-0086

CVE-2008-0107 CVE-2008-0106

--- OpenSSL ---

CVE-2010-0740 CVE-2010-0433

CVE-2010-3864 CVE-2010-2939

--- Oracle (Sun) JRE ---

CVE-2009-3555 CVE-2010-0082 CVE-2010-0084

CVE-2010-0085 CVE-2010-0087 CVE-2010-0088

CVE-2010-0089 CVE-2010-0090 CVE-2010-0091

CVE-2010-0092 CVE-2010-0093 CVE-2010-0094

CVE-2010-0095 CVE-2010-0837 CVE-2010-0838

CVE-2010-0839 CVE-2010-0840 CVE-2010-0841

CVE-2010-0842 CVE-2010-0843 CVE-2010-0844

CVE-2010-0845 CVE-2010-0846 CVE-2010-0847

CVE-2010-0848 CVE-2010-0849 CVE-2010-0850

CVE-2010-0886 CVE-2010-3556 CVE-2010-3566

CVE-2010-3567 CVE-2010-3550 CVE-2010-3561

CVE-2010-3573 CVE-2010-3565 CVE-2010-3568

CVE-2010-3569 CVE-2010-1321 CVE-2010-3548

CVE-2010-3551 CVE-2010-3562 CVE-2010-3571

CVE-2010-3554 CVE-2010-3559 CVE-2010-3572

CVE-2010-3553 CVE-2010-3549 CVE-2010-3557

CVE-2010-3541 CVE-2010-3574

--- pam_krb5 ---

CVE-2008-3825 CVE-2009-1384

------------------------------------------------------------------------

1. Summary

Update 1 for vCenter Server 4.x, vCenter Update Manager 4.x, vSphere

Hypervisor (ESXi) 4.1, ESXi 4.1, addresses several security issues.

2. Relevant releases

vCenter Server 4.1 without Update 1,

vCenter Server 4.0 without Update 3,

vCenter Update Manager 4.1 without Update 1,

vCenter Update Manager 4.0 without Update 3,

ESXi 4.1 without patch ESXi410-201101201-SG,

ESXi 4.0 without patch ESXi400-201103401-SG.

ESX 4.1 without patch ESX410-201101201-SG.

ESX 4.0 without patches ESX400-201103401-SG, ESX400-201103403-SG.

3. Problem Description

a. vCenter Server and vCenter Update Manager update Microsoft

SQL Server 2005 Express Edition to Service Pack 3

Microsoft SQL Server 2005 Express Edition (SQL Express)

distributed with vCenter Server 4.1 Update 1 and vCenter Update

Manager 4.1 Update 1 is upgraded from SQL Express Service Pack 2

to SQL Express Service Pack 3, to address multiple security

issues that exist in the earlier releases of Microsoft SQL Express.

Customers using other database solutions need not update for

these issues.

The Common Vulnerabilities and Exposures project (cve.mitre.org)

has assigned the names CVE-2008-5416, CVE-2008-0085, CVE-2008-0086,

CVE-2008-0107 and CVE-2008-0106 to the issues addressed in MS SQL

Express Service Pack 3.

Column 4 of the following table lists the action required to

remediate the vulnerability in each release, if a solution is

available.

VMware Product Running Replace with/

Product Version on Apply Patch

============= ======== ======= =================

vCenter 4.1 Windows Update 1

vCenter 4.0 Windows Update 3

VirtualCenter 2.5 Windows affected, no patch planned

Update Manager 4.1 Windows Update 1

Update Manager 4.0 Windows Update 3

Update Manager 1.0 Windows affected, no patch planned

hosted * any any not affected

ESXi any ESXi not affected

ESX any ESX not affected

* Hosted products are VMware Workstation, Player, ACE, Fusion.

b. vCenter Apache Tomcat Management Application Credential Disclosure

The Apache Tomcat Manager application configuration file contains

logon credentials that can be read by unprivileged local users.

The issue is resolved by removing the Manager application in

vCenter 4.1 Update 1.

If vCenter 4.1 is updated to vCenter 4.1 Update 1 the logon

credentials are not present in the configuration file after the

update.

VMware would like to thank Claudio Criscione of Secure Networking

for reporting this issue to us.

The Common Vulnerabilities and Exposures Project (cve.mitre.org)

has assigned the name CVE-2010-2928 to this issue.

Column 4 of the following table lists the action required to

remediate the vulnerability in each release, if a solution is

available.

VMware Product Running Replace with/

Product Version on Apply Patch

============= ======== ======= =================

vCenter 4.1 Windows Update 1

vCenter 4.0 Windows not affected

VirtualCenter 2.5 Windows not affected

hosted * any any not affected

ESXi any ESXi not affected

ESX any ESX not affected

* hosted products are VMware Workstation, Player, ACE, Fusion.

c. vCenter Server and ESX, Oracle (Sun) JRE is updated to version

1.6.0_21

Oracle (Sun) JRE update to version 1.6.0_21, which addresses

multiple security issues that existed in earlier releases of

Oracle (Sun) JRE.

The Common Vulnerabilities and Exposures project (cve.mitre.org)

has assigned the following names to the security issues fixed in

Oracle (Sun) JRE 1.6.0_19: CVE-2009-3555, CVE-2010-0082,

CVE-2010-0084, CVE-2010-0085, CVE-2010-0087, CVE-2010-0088,

CVE-2010-0089, CVE-2010-0090, CVE-2010-0091, CVE-2010-0092,

CVE-2010-0093, CVE-2010-0094, CVE-2010-0095, CVE-2010-0837,

CVE-2010-0838, CVE-2010-0839, CVE-2010-0840, CVE-2010-0841,

CVE-2010-0842, CVE-2010-0843, CVE-2010-0844, CVE-2010-0845,

CVE-2010-0846, CVE-2010-0847, CVE-2010-0848, CVE-2010-0849,

CVE-2010-0850.

The Common Vulnerabilities and Exposures project (cve.mitre.org)

has assigned the following name to the security issue fixed in

Oracle (Sun) JRE 1.6.0_20: CVE-2010-0886.

Column 4 of the following table lists the action required to

remediate the vulnerability in each release, if a solution is

available.

VMware Product Running Replace with/

Product Version on Apply Patch

============= ======== ======= =================

vCenter 4.1 Windows Update 1

vCenter 4.0 Windows not applicable **

VirtualCenter 2.5 Windows not applicable **

Update Manager 4.1 Windows not applicable **

Update Manager 4.0 Windows not applicable **

Update Manager 1.0 Windows not applicable **

hosted * any any not affected

ESXi any ESXi not affected

ESX 4.1 ESX ESX410-201101201-SG

ESX 4.0 ESX not applicable **

ESX 3.5 ESX not applicable **

ESX 3.0.3 ESX not applicable **

* hosted products are VMware Workstation, Player, ACE, Fusion.

** this product uses the Oracle (Sun) JRE 1.5.0 family

d. vCenter Update Manager Oracle (Sun) JRE is updated to version

1.5.0_26

Oracle (Sun) JRE update to version 1.5.0_26, which addresses

multiple security issues that existed in earlier releases of

Oracle (Sun) JRE.

The Common Vulnerabilities and Exposures project (cve.mitre.org)

has assigned the following names to the security issues fixed in

Oracle (Sun) JRE 1.5.0_26: CVE-2010-3556, CVE-2010-3566,

CVE-2010-3567, CVE-2010-3550, CVE-2010-3561, CVE-2010-3573,

CVE-2010-3565,CVE-2010-3568, CVE-2010-3569, CVE-2009-3555,

CVE-2010-1321, CVE-2010-3548, CVE-2010-3551, CVE-2010-3562,

CVE-2010-3571, CVE-2010-3554, CVE-2010-3559, CVE-2010-3572,

CVE-2010-3553, CVE-2010-3549, CVE-2010-3557, CVE-2010-3541,

CVE-2010-3574.

Column 4 of the following table lists the action required to

remediate the vulnerability in each release, if a solution is

available.

VMware Product Running Replace with/

Product Version on Apply Patch

============= ======== ======= =================

vCenter 4.1 Windows not applicable **

vCenter 4.0 Windows Update 3

VirtualCenter 2.5 Windows affected, no patch planned

Update Manager 4.1 Windows Update 1

Update Manager 4.0 Windows Update 3

Update Manager 1.0 Windows affected, no patch planned

hosted * any any not affected

ESXi any ESXi not affected

ESX 4.1 ESX not applicable **

ESX 4.0 ESX ESX400-201103403-SG

ESX 3.5 ESX affected, no patch planned

ESX 3.0.3 ESX affected, no patch planned

* hosted products are VMware Workstation, Player, ACE, Fusion.

** this product uses the Oracle (Sun) JRE 1.6.0 family

e. vCenter Server and ESX Apache Tomcat updated to version 6.0.28

Apache Tomcat updated to version 6.0.28, which addresses multiple

security issues that existed in earlier releases of Apache Tomcat

The Common Vulnerabilities and Exposures project (cve.mitre.org)

has assigned the following names to the security issues fixed in

Apache Tomcat 6.0.24: CVE-2009-2693, CVE-2009-2901, CVE-2009-2902,i

and CVE-2009-3548.

The Common Vulnerabilities and Exposures project (cve.mitre.org)

has assigned the following names to the security issues fixed in

Apache Tomcat 6.0.28: CVE-2010-2227, CVE-2010-1157.

Column 4 of the following table lists the action required to

remediate the vulnerability in each release, if a solution is

available.

VMware Product Running Replace with/

Product Version on Apply Patch

============= ======== ======= =================

vCenter 4.1 Windows Update 1

vCenter 4.0 Windows Update 3

VirtualCenter 2.5 Windows not applicable **

hosted * any any not affected

ESXi any ESXi not affected

ESX 4.1 ESX ESX410-201101201-SG

ESX 4.0 ESX ESX400-201103403-SG

ESX 3.5 ESX not applicable **

ESX 3.0.3 ESX not applicable **

* hosted products are VMware Workstation, Player, ACE, Fusion.

** this product uses the Apache Tomcat 5.5 family

f. vCenter Server third party component OpenSSL updated to version

0.9.8n

The version of the OpenSSL library in vCenter Server is updated to

0.9.8n.

The Common Vulnerabilities and Exposures project (cve.mitre.org)

has assigned the names CVE-2010-0740 and CVE-2010-0433 to the

issues addressed in this version of OpenSSL.

Column 4 of the following table lists the action required to

remediate the vulnerability in each release, if a solution is

available.

VMware Product Running Replace with/

Product Version on Apply Patch

============= ======== ======= =================

vCenter 4.1 Windows Update 1

vCenter 4.0 Windows Update 3

VirtualCenter 2.5 Windows affected, no patch planned

hosted * any any not applicable

ESXi any ESXi not applicable

ESX any ESX not applicable

* hosted products are VMware Workstation, Player, ACE, Fusion.

g. ESX third party component OpenSSL updated to version 0.9.8p

The version of the ESX OpenSSL library is updated to 0.9.8p.

The Common Vulnerabilities and Exposures project (cve.mitre.org)

has assigned the names CVE-2010-3864 and CVE-2010-2939 to the

issues addressed in this update.

Column 4 of the following table lists the action required to

remediate the vulnerability in each release, if a solution is

available.

VMware Product Running Replace with/

Product Version on Apply Patch

============= ======== ======= =================

vCenter any Windows not applicable

hosted * any any not applicable

ESXi 4.1 ESXi ESXi410-201101201-SG

ESXi 4.0 ESXi ESXi400-201103401-SG

ESXi 3.5 ESXi affected, patch pending

ESX 4.1 ESX ESX410-201101201-SG

ESX 4.0 ESX ESX400-201103401-SG

ESX 3.5 ESX affected, patch pending

ESX 3.0.3 ESX affected, patch pending

* hosted products are VMware Workstation, Player, ACE, Fusion.

h. ESXi third party component cURL updated

The version of cURL library in ESXi is updated.

The Common Vulnerabilities and Exposures project (cve.mitre.org)

has assigned the name CVE-2010-0734 to the issues addressed in

this update.

Column 4 of the following table lists the action required to

remediate the vulnerability in each release, if a solution is

available.

VMware Product Running Replace with/

Product Version on Apply Patch

============= ======== ======= =================

vCenter any Windows not affected

hosted * any any not affected

ESXi 4.1 ESXi ESXi410-201101201-SG

ESXi 4.0 ESXi affected, patch pending

ESXi 3.5 ESXi affected, patch pending

ESX any ESX not applicable

* hosted products are VMware Workstation, Player, ACE, Fusion.

i. ESX third party component pam_krb5 updated

The version of pam_krb5 library is updated.

The Common Vulnerabilities and Exposures project (cve.mitre.org)

has assigned the names CVE-2008-3825 and CVE-2009-1384 to the

issues addressed in the update.

Column 4 of the following table lists the action required to

remediate the vulnerability in each release, if a solution is

available.

VMware Product Running Replace with/

Product Version on Apply Patch

============= ======== ======= =================

vCenter any Windows not affected

hosted * any any not affected

ESXi any ESXi not affected

ESX 4.1 ESX ESX410-201101201-SG

ESX 4.0 ESX not affected

ESX 3.5 ESX not affected

ESX 3.0.3 ESX not affected

* hosted products are VMware Workstation, Player, ACE, Fusion.

j. ESX third party update for Service Console kernel

The Service Console kernel is updated to include kernel version

2.6.18-194.11.1.

The Common Vulnerabilities and Exposures project (cve.mitre.org)

has assigned the names CVE-2010-1084, CVE-2010-2066, CVE-2010-2070,

CVE-2010-2226, CVE-2010-2248, CVE-2010-2521, CVE-2010-2524,

CVE-2010-0008, CVE-2010-0415, CVE-2010-0437, CVE-2009-4308,

CVE-2010-0003, CVE-2010-0007, CVE-2010-0307, CVE-2010-1086,

CVE-2010-0410, CVE-2010-0730, CVE-2010-1085, CVE-2010-0291,

CVE-2010-0622, CVE-2010-1087, CVE-2010-1173, CVE-2010-1437,

CVE-2010-1088, CVE-2010-1187, CVE-2010-1436, CVE-2010-1641, and

CVE-2010-3081 to the issues addressed in the update.

Notes:

- The update also addresses the 64-bit compatibility mode

stack pointer underflow issue identified by CVE-2010-3081. This

issue was patched in an ESX 4.1 patch prior to the release of

ESX 4.1 Update 1 and in a previous ESX 4.0 patch release.

- The update also addresses CVE-2010-2240 for ESX 4.0.

Column 4 of the following table lists the action required to

remediate the vulnerability in each release, if a solution is

available.

VMware Product Running Replace with/

Product Version on Apply Patch

============= ======== ======= =================

vCenter any Windows not affected

hosted * any any not affected

ESXi any ESXi not affected

ESX 4.1 ESX ESX410-201101201-SG

ESX 4.0 ESX ESX400-201103401-SG

ESX 3.5 ESX not applicable

ESX 3.0.3 ESX not applicable

* hosted products are VMware Workstation, Player, ACE, Fusion.

4. Solution

Please review the patch/release notes for your product and version

and verify the checksum of your downloaded file.

VMware vCenter Server 4.1 Update 1 and modules

 

----------------------------------------------


http://downloads.vmware.com/d/info/datacenter_downloads/vmware_vsphere_4/4_0

 

Release Notes:


http://downloads.vmware.com/support/pubs/vs_pages/vsp_pubs_esx41_vc41.html

 

File type: .iso

md5sum: 729cf247aa5d33ceec431c86377eee1a

sha1sum: c1e10a5fcbc1ae9d13348d43541d574c563d66f0

File type: .zip

md5sum: fd1441bef48a153f2807f6823790e2f0

sha1sum: 31737a816ed1c08ab3a505fb6db2483f49ad7c19

VMware vSphere Client

File type: .exe

md5sum: cb6aa91ada1289575355d79e8c2a9f8e

sha1sum: f9e3d8eb83196ae7c31aab554e344a46b722b1e4

vCenter Server 4.0 Update 3

----------------------------------------------


http://downloads.vmware.com/d/info/datacenter_downloads/vmware_vsphere_4/4_0


Release Notes:


http://www.vmware.com/support/vsphere4/doc/vsp_vc40_u3_rel_notes.html

 

File type: .iso

md5sum: b04780df75f70621d0c8794e8773a983

sha1sum: a9f1398306158572ea1c3d202ed8c6ad922e0764

File type: .zip

md5sum: bc8179a639dcc6563d7dbf968095edc7

sha1sum: 61b6dbb1bcf3aa74503e183317a00733b0253faa

VMware vSphere Client

File type: .exe

md5sum: 1b90081e422358c407ad9696c70c70f7

sha1sum: 7ba9043421f8b529b0da08fa83458069ccac0fe9

ESXi 4.1 Installable Update 1

 

-----------------------------


http://downloads.vmware.com/d/info/datacenter_downloads/vmware_vsphere_4/4_0

 

Release Notes:


http://downloads.vmware.com/support/vsphere4/doc/vsp_esxi41_u1_rel_notes.html


http://kb.vmware.com/kb/1027919

File type: .iso

MD5SUM: d68d6c2e040a87cd04cd18c04c22c998

SHA1SUM: bbaacc0d34503822c14f6ccfefb6a5b62d18ae64

ESXi 4.1 Update 1 (upgrade ZIP from ESXi 4.1)

File type: .zip

MD5SUM: 2f1e009c046b20042fae3b7ca42a840f

SHA1SUM: 1c9c644012dec657a705ddd3d033cbfb87a1fab1

ESXi 4.1 Update 1 (upgrade ZIP from ESXi 4.0)

File type: .zip

MD5SUM: 67b924618d196dafaf268a7691bd1a0f

SHA1SUM: 9d74b639e703259d9e49c0341158e0d4e45de516

ESXi 4.1 Update 1 (upgrade ZIP from ESXi 3.5)

File type: .zip

MD5SUM: a6024b9f6c6b7b2c629696afc6d07cf4

SHA1SUM: b3841de1a30617ac68d5a861882aa72de3a93488

VMware Tools CD image for Linux Guest OSes

File type: .iso

MD5SUM: dad66fa8ece1dd121c302f45444daa70

SHA1SUM: 56535a2cfa7799607356c6fd0a7d9f041da614af

VMware vSphere Client

File type: .exe

MD5SUM: cb6aa91ada1289575355d79e8c2a9f8e

SHA1SUM: f9e3d8eb83196ae7c31aab554e344a46b722b1e4

ESXi Installable Update 1 contains the following security bulletins:

ESXi410-201101201-SG.

ESX 4.1 Update 1

----------------


http://downloads.vmware.com/d/info/datacenter_downloads/vmware_vsphere_4/4_0

 

Release Notes:


http://downloads.vmware.com/support/vsphere4/doc/vsp_esx41_u1_rel_notes.html


http://kb.vmware.com/kb/1029353

ESX 4.1 Update 1 (DVD ISO)

File type: .iso

md5sum: b9a275b419a20c7bedf31c0bf64f504e

sha1sum: 2d85edcaca8218013585e1eab00bc80db6d96e11

ESX 4.1 Update 1 (upgrade ZIP from ESX 4.1)

File type: .zip

md5sum: 2d81a87e994aa2b329036f11d90b4c14

sha1sum: c2bfc0cf7ac03d24afd5049ddbd09a865aad1798

Pre-upgrade package for ESX 4.0 to ESX 4.1 Update 1

File type: .zip

md5sum: 75f8cebfd55d8a81deb57c27def963c2

sha1sum: 889c15aa8008fe0e29439d0ab3468c2beb1c4fe2

ESX 4.1 Update 1 (upgrade ZIP from ESX 4.0)

File type: .zip

md5sum: 1dc9035cd10e7e60d27e7a7aef57b4c2

sha1sum: e6d3fb65d83a3e263d0f634a3572025854ff8922

VMware Tools CD image for Linux Guest OSes

File type: .iso

md5sum: dad66fa8ece1dd121c302f45444daa70

sha1sum: 56535a2cfa7799607356c6fd0a7d9f041da614af

VMware vSphere Client

File type: .exe

md5sum: cb6aa91ada1289575355d79e8c2a9f8e

sha1sum: f9e3d8eb83196ae7c31aab554e344a46b722b1e4

ESX410-Update01 contains the following security bulletins:

ESX410-201101201-SG (COS kernel, pam_krb5, cURL, OpenSSL,

 

Apache Tomcat, Oracle (Sun) JRE) |
http://kb.vmware.com/kb/1027904

 

ESX410-201101226-SG (glibc) |
http://kb.vmware.com/kb/1031330

ESX410-Update01 also contains the following non-security bulletins

ESX410-201101211-UG, ESX410-201101213-UG, ESX410-201101215-UG,

ESX410-201101202-UG, ESX410-201101203-UG, ESX410-201101204-UG,

ESX410-201101206-UG, ESX410-201101207-UG, ESX410-201101208-UG,

ESX410-201101214-UG, ESX410-201101216-UG, ESX410-201101217-UG,

ESX410-201101218-UG, ESX410-201101219-UG, ESX410-201101220-UG,

ESX410-201101221-UG, ESX410-201101222-UG, ESX410-201101225-UG.

To install an individual bulletin use esxupdate with the -b option.

ESXi 4.0

--------

ESXi400-201103001


https://hostupdate.vmware.com/software/VUM/OFFLINE/release-274-20110303-677367/ESXi400-201103001.zip

 

md5sum: a68ef31414573460cdadef4d81fb95d0

sha1sum: 7155e60962b21b5c295a2e9412ac4a445382db31


http://kb.vmware.com/kb/1032823

ESXi400-201103001 containes the following security bulletins:

ESXi400-201103401-SG (openssl) |
http://kb.vmware.com/kb/1032820

ESXi400-201103402-SG |
http://kb.vmware.com/kb/1032821

 

ESX 4.0

-------

ESX400-201103001


https://hostupdate.vmware.com/software/VUM/OFFLINE/release-273-20110303-574144/ESX400-201103001.zip

md5sum: 5b9a0cfe6c0ff1467c09c8d115910ff8

sha1sum: 8bfb5df8066a01704eaa24e4d8a34f371816904b


http://kb.vmware.com/kb/1032822

ESX400-201103001 containes the following security bulletins:

 

ESX400-201103401-SG (SLPD, openssl, COS kernel) | http://kb.vmware.com/kb/1032814

ESX400-201103403-SG (JRE, Tomcat) | http://kb.vmware.com/kb/1032815

ESX400-201103404-SG (pam) | http://kb.vmware.com/kb/1032816

ESX400-201103405-SG (bzip2) | http://kb.vmware.com/kb/1032817

ESX400-201103406-SG (popt/rpm) | http://kb.vmware.com/kb/1032818

ESX400-201103407-SG (bind) | http://kb.vmware.com/kb/1032819

5. References

CVE numbers


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5416


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0085


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0086


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0107


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0106


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2928


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0082


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0084


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0085


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0087


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0088


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0089


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0090


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0091


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0092


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0093


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0094


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0095


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0837


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0838


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0839


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0840


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0841


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0842


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0843


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0844


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0845


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0846


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0847


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0848


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0849


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0850


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0886


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2693


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2901


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2902


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3548


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2227


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1157


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0740


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0433


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3864


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2939


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0734


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3825


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1384


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1084


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2066


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2070


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2226


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2248


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2521


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2524


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0008


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0415


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0437


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4308


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0003


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0007


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0307


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1086


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0410


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0730


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1085


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0291


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0622


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1087


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1173


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1437


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1088


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1187


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1436


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1641


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3081


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3556


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3566


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3567


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3550


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3561


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3573


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3565


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3568


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3569


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1321


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3548


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3551


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3562


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3571


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3554


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3559


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3572


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3553


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3549


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3557


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3541


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3574


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2240

------------------------------------------------------------------------

6. Change log

2011-02-10 VMSA-2011-0003

Initial security advisory in conjunction with the release of vCenter

Server 4.1 Update 1, vCenter Update Manager 4.1 Update 1, ESXi 4.1

Update 1, and ESX 4.1 Update 1 on 2011-02-10.

2011-03-07 VMSA-2011-0003.1

Updated advisory after release of ESX 4.0 patches on 2011-03-07.

2011-05-05 VMSA-2011-0003.2

Updated advisory after the release of vCenter Server 4.0 Update 3 and vCenter Update Manager 4.0 Update 3 on 2011-05-05.

-----------------------------------------------------------------------

7. Contact

E-mail list for product security notifications and announcements:

http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

* security-announce at lists.vmware.com

* bugtraq at securityfocus.com

* full-disclosure at lists.grok.org.uk

E-mail: security at vmware.com

PGP key at:
http://kb.vmware.com/kb/1055

VMware Security Advisories

http://www.vmware.com/security/advisories

VMware security response policy

http://www.vmware.com/support/policies/security_response.html

General support life cycle policy

http://www.vmware.com/support/policies/eos.html

VMware Infrastructure support life cycle policy

http://www.vmware.com/support/policies/eos_vi.html

Copyright 2011 VMware Inc. All rights reserved. 

 

 

Sign up for Security Advisories

Enter your email address: