VMware Security Advisory
Advisory ID: VMSA-2012-0012.2
Synopsis: VMware ESXi update to third party library
Issue date: 2012-07-12
Updated on: 2012-09-13
CVE numbers: CVE-2010-4008, CVE-2011-0216, CVE-2011-1944,
CVE-2011-2834, CVE-2011-3905, CVE-2011-3919,
CVE-2012-0841
1. Summary
VMware ESXi update addresses several security issues.
2. Relevant releases
ESXi 5.0 without patch ESXi500-201207101-SG

ESXi 4.1 without patch ESXi410-201208101-SG

ESXi 4.0 without patch ESXi400-201209401-SG
3. Problem Description
a. ESXi update to third party component libxml2
The libxml2 third party library has been updated which addresses multiple security issues.

The Common Vulnerabilities and Exposures project has assigned the names CVE-2010-4008, CVE-2011-0216, CVE-2011-1944, CVE-2011-2834, CVE-2011-3905, CVE-2011-3919 and CVE-2012-0841 to these issues.

VMware         Product   Running   Replace with/
Product        Version   on        Apply Patch
=============  ========  ========  ====================
vCenter        any       Windows   not affected
hosted*        any       any       not affected
ESXi           5.0       any       ESXi500-201207101-SG
ESXi           4.1       any       ESXi410-201208101-SG
ESXi           4.0       any       ESXi400-201209401-SG
ESXi           3.5       any       patch pending
ESX            any       any       not applicable

* hosted products are VMware Workstation, Player, ACE, Fusion.

Note: "patch pending" means that the product is affected, but no patch is currently available. The advisory will be updated when a patch is available.
4. Solution
Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.

ESXi 5.0
md5sum: 01196c5c1635756ff177c262cb69a848
sha1sum: 85936f5439100cd5fb55c7add574b5b3b937fe86

ESXi500-201207001 contains ESXi500-201207101-SG

ESXi 4.1
md5sum: b35267e3c96a8ebd2e3acac09538cdf5
sha1sum: 2b2d456e89964528f25c01ae5d84edbd2bbcdefb

update-from-esxi4.1-4.1_update03 contains ESXi410-201208101-SG

ESXi 4.0
File: ESXi400-201209001
md5sum: 8ea463e3814f147ab0889a733e66b9f0
sha1sum: f9526a0936975fa4b7cbdf588cd4c119d95973c9
ESXi400-201209001 contains ESXi400-201209401-SG
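
The checksum verification requested above can be scripted so that a bundle is staged only when both published digests match. This is an added example, not part of the VMware advisory; the function names and the bundle path in the usage comment are assumptions, and it relies on the coreutils md5sum and sha1sum tools.

```shell
#!/bin/sh
# Added example (not VMware code): check a downloaded patch bundle against
# BOTH digests listed in the advisory before staging it on a host.

# is_hex STRING LENGTH -> 0 if STRING is exactly LENGTH hex characters
is_hex() {
    [ "${#1}" -eq "$2" ] || return 1
    case "$1" in
        *[!0-9A-Fa-f]*) return 1 ;;
    esac
    return 0
}

# verify_bundle FILE EXPECTED_MD5 EXPECTED_SHA1
# returns 0 if both digests match, 1 on any mismatch, 2 on unusable input
verify_bundle() {
    file=$1; want_md5=$2; want_sha1=$3

    [ -f "$file" ] && [ -r "$file" ] || { echo "cannot read: $file" >&2; return 2; }
    # Reject truncated or mistyped digests instead of comparing garbage.
    is_hex "$want_md5" 32  || { echo "malformed md5 digest" >&2; return 2; }
    is_hex "$want_sha1" 40 || { echo "malformed sha1 digest" >&2; return 2; }

    # Digests are often pasted in upper case; compare in lower case.
    want_md5=$(printf '%s' "$want_md5" | tr 'A-F' 'a-f')
    want_sha1=$(printf '%s' "$want_sha1" | tr 'A-F' 'a-f')

    # Read via stdin so the file name never appears in the tool output.
    got_md5=$(md5sum < "$file" | cut -d' ' -f1)
    got_sha1=$(sha1sum < "$file" | cut -d' ' -f1)

    rc=0
    [ "$got_md5" = "$want_md5" ]   || { echo "md5 mismatch: got $got_md5" >&2; rc=1; }
    [ "$got_sha1" = "$want_sha1" ] || { echo "sha1 mismatch: got $got_sha1" >&2; rc=1; }
    return $rc
}

# Usage with the ESXi 5.0 digests from this advisory (the path is a placeholder):
#   verify_bundle /path/to/downloaded-bundle \
#       01196c5c1635756ff177c262cb69a848 \
#       85936f5439100cd5fb55c7add574b5b3b937fe86 && echo "bundle verified"
```

A non-zero return means the download should be discarded and fetched again rather than installed.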
6. Change log
2012-07-12 VMSA-2012-0012 Initial security advisory in conjunction with the release of a patch for ESXi 5.0 on 2012-07-12.

2012-08-30 VMSA-2012-0012.1 Updated Relevant Releases, Problem Description, and Solution sections to include information regarding updates for ESXi in conjunction with the release of vSphere 4.1 U3 on 2012-08-30.

2012-09-13 VMSA-2012-0012.2 Updated security advisory in conjunction with the release of vSphere 4.0 U4a on 2012-09-12 and ESX 4.0 patches on 2012-09-13. Removed CVE-2010-4494 and CVE-2011-2821 since these CVEs are not relevant to ESXi.
7. Contact
E-mail list for product security notifications and announcements:

This Security Advisory is posted to the following lists:
  • security-announce at
  • bugtraq at
  • full-disclosure at
E-mail: security at
PGP key at:

Copyright 2012 VMware Inc. All rights reserved.