VMSA-2013-0004.3

VMware ESXi and ESX security update for third party library

VMware Security Advisory
 
Advisory ID: VMSA-2013-0004.3
Synopsis: VMware ESXi and ESX security update for third party library
Issue date: 2013-03-28
Updated on: 2013-05-30
CVE numbers: CVE-2012-5134

1. Summary


VMware ESXi and ESX security update for third party library.

2. Relevant Releases


ESXi 5.1 without patch ESXi510-201304101
ESXi 5.0 without patch ESXi500-201303101
ESXi 4.0 without patch ESXi400-201305001
ESXi 4.1 without patch ESXi410-201304401
ESX 4.1 without patch ESX410-201304401
ESX 4.0 without patch ESX400-201305404

3. Problem Description

a. Update to ESX/ESXi libxml2 userworld and service console.


The ESX/ESXi userworld libxml2 library has been updated to resolve a security issue. Also, the ESX service console libxml2 packages are updated to the following versions:

  • libxml2-2.6.26-2.1.15.el5_8.6
  • libxml2-python-2.6.26-2.1.15.el5_8.6

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2012-5134 to this issue.

Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware Product   Product Version   Running on   Replace with / Apply Patch
--------------   ---------------   ----------   --------------------------
ESXi             5.1               ESXi         ESXi510-201304101-SG
ESXi             5.0               ESXi         ESXi500-201303101-SG
ESXi             4.1               ESXi         ESXi410-201304401-SG
ESXi             4.0               ESXi         ESXi400-201305401-SG
ESX              4.1               ESX          ESX410-201304401-SG
ESX              4.0               ESX          ESX400-201305404-SG

 

4. Solution


Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.
 
ESXi and ESX
---------------------------
https://my.vmware.com/web/vmware/downloads

ESXi 5.1
--------
File: update-from-esxi5.1-5.1_update01.zip
md5sum: 28b8026bcfbe3cd1817509759d4b61d6
sha1sum: 9d3124d3c5efa6d0c3b9ba06511243fc6e205542
update-from-esxi5.1-5.1_update01.zip contains ESXi510-201304101-SG
http://kb.vmware.com/kb/2041632
 
ESXi 5.0
---------------------------
File: ESXi500-201303001.zip
md5sum: c62470c48e81da84891c79d5533c8e91
sha1sum: 69fe8933888d2a6c4e53cfe822441c963bdcd2c7
http://kb.vmware.com/kb/2044373

ESXi 4.1
-----------------
File: ESXi410-201304001.zip
md5sum: 9ce63bcacb3412fc1c8a6a8c47ac6af6
sha1sum: 241603ef6b856e573a62fe27da039c8fffe54b1d
http://kb.vmware.com/kb/2045255
ESXi410-201304001.zip contains ESXi410-201304401

ESXi 4.0
----------------
File: ESXi400-201305001.zip
md5sum: d09b9853dd47573fcef7200622d5eee7
sha1sum: 80de7ba73ab28be59abe8463baa9b12ec1b390dd
http://kb.vmware.com/kb/2044246
ESXi400-201305001 contains ESXi400-201305401-SG

ESX 4.1
-----------------
File: ESX410-201304001.zip
md5sum: df9ef1d25f383a12d2fbc47cdc5f55d2
sha1sum: e49068da7cf7e0ada57c4604cbc9ba253c03e3a0
http://kb.vmware.com/kb/2045253
ESX410-201304001.zip contains ESX410-201304401

ESX 4.0
--------
File: ESX400-201305001.zip
md5sum: ad8e8f1709c799fc26841514248605f3
sha1sum: 7e4e7ac361a8cc5fe8fa4b0bbd57ecfb81ab804c
http://kb.vmware.com/kb/2046005
ESX400-201305001 contains ESX400-201305404-SG
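
The checksum verification requested above can be scripted. The following is an added example, not part of VMware's advisory: it parses the `File:` / `md5sum:` / `sha1sum:` stanzas in the form used in this section and checks a downloaded bundle against both digests. The function names (`parse_manifest`, `digests`, `verify`) are this example's own, and `ADVISORY_TEXT` holds the ESXi 5.0 stanza copied from above.

```python
import hashlib
import hmac
import re
from pathlib import Path

# ESXi 5.0 stanza copied from the advisory text above; paste further stanzas as needed.
ADVISORY_TEXT = """\
File: ESXi500-201303001.zip
md5sum: c62470c48e81da84891c79d5533c8e91
sha1sum: 69fe8933888d2a6c4e53cfe822441c963bdcd2c7
"""

# A stanza is three consecutive lines; trailing KB links or "contains" lines are ignored.
STANZA = re.compile(
    r"^File:\s*(?P<name>\S+)\s*\n"
    r"md5sum:\s*(?P<md5>[0-9a-fA-F]{32})\s*\n"
    r"sha1sum:\s*(?P<sha1>[0-9a-fA-F]{40})\s*$",
    re.MULTILINE,
)

def parse_manifest(text):
    """Return {filename: {"md5": hex, "sha1": hex}} for each File: stanza."""
    return {m["name"]: {"md5": m["md5"].lower(), "sha1": m["sha1"].lower()}
            for m in STANZA.finditer(text)}

def digests(path, chunk=1 << 20):
    """Stream the file once and compute both digests (bundles can be large)."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        while block := fh.read(chunk):
            md5.update(block)
            sha1.update(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}

def verify(path, manifest):
    """Return "ok", "mismatch" or "unlisted" for a downloaded bundle."""
    expected = manifest.get(Path(path).name)
    if expected is None:
        return "unlisted"  # the advisory does not name this file: do not install it
    actual = digests(path)
    same = all(hmac.compare_digest(actual[k], expected[k]) for k in ("md5", "sha1"))
    return "ok" if same else "mismatch"

if __name__ == "__main__":
    import sys
    manifest = parse_manifest(ADVISORY_TEXT)
    for p in sys.argv[1:]:
        print(f"{verify(p, manifest):9} {p}")
```

The advisory publishes only MD5 and SHA-1 values, so a passing check is only as trustworthy as the channel over which the advisory text itself was obtained.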

6. Change log


2013-03-28 VMSA-2013-0004
Initial security advisory in conjunction with the release of ESXi 5.0 patch on 2013-03-28.

2013-04-25 VMSA-2013-0004.1
Updated security advisory due to ESXi 5.1 update released on 2013-04-25.

2013-04-30 VMSA-2013-0004.2
Updated security advisory due to ESXi and ESX 4.1 update released on 2013-04-30.

2013-05-30 VMSA-2013-0004.3
Updated security advisory in conjunction with the release of ESX 4.0 patch on 2013-05-30.

7. Contacts


E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

  • security-announce at lists.vmware.com
  • bugtraq at securityfocus.com
  • full-disclosure at lists.grok.org.uk

E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055

VMware Security Advisories
http://www.vmware.com/security/advisories

VMware security response policy
http://www.vmware.com/support/policies/security_response.html

General support life cycle policy
http://www.vmware.com/support/policies/eos.html

VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html

Copyright 2013 VMware Inc. All rights reserved.