[Security-announce] UPDATED: VMSA-2013-0001.1 – VMware vSphere security updates for the authentication service and third party libraries

In our effort to provide our viewers with up-to-the-minute information on VMware-related news and topics, we're posting the following Security Alert directly from the VMware Security Alert distribution.

-----------------------------------------------------------------------

VMware Security Advisory

Advisory ID: VMSA-2013-0001.1
Synopsis:    VMware vSphere security updates for the authentication
service and third party libraries
Issue date:  2013-01-31
Updated on:  2013-02-07
CVE numbers: — vSphere authentication —
CVE-2013-1405
— libxml2 —
CVE-2011-3102, CVE-2012-2807
— bind (service console) —
CVE-2012-4244
— xslt (service console) —
CVE-2011-1202, CVE-2011-3970, CVE-2012-2825,
CVE-2012-2870, CVE-2012-2871
-----------------------------------------------------------------------

1. Summary

VMware vSphere security updates for the authentication service and
third party libraries

2. Relevant releases

– vCenter Server 4.1 without Update 3a
– vCenter Server 4.0 without Update 4b

– vSphere Client 4.1 without Update 3a
– vSphere Client 4.0 without Update 4b

– ESXi 4.1 without patch ESXi410-201301401-SG
– ESX 4.1 without patches ESX410-201301401-SG, ESX410-201301402-SG,
ESX410-201301403-SG, and ESX410-201301405-SG

– ESXi 4.0 without patches ESXi400-201302401-SG and
ESXi400-201302403-SG
– ESX 4.0 without patch ESX400-201302401-SG

3. Problem Description

a. VMware vSphere client-side authentication memory corruption
vulnerability

VMware vCenter Server, vSphere Client, and ESX contain a
vulnerability in the handling of the management authentication
protocol. To exploit this vulnerability, an attacker must
convince either vCenter Server, vSphere Client or ESX to
interact with a malicious server as a client. Exploitation of
the issue may lead to code execution on the client system.

To reduce the likelihood of exploitation, vSphere components
should be deployed on an isolated management network.

The Common Vulnerabilities and Exposures Project (cve.mitre.org)
has assigned the name CVE-2013-1405 to this issue.

Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.

VMware            Product     Running     Replace with/
Product           Version     on          Apply Patch
==============    =======     =======     =================
vCenter Server    5.1         Windows     not affected
vCenter Server    5.0         Windows     not affected
vCenter Server    4.1         Windows     4.1 Update 3a
vCenter Server    4.0         Windows     4.0 Update 4b
VirtualCenter     2.5         Windows     patch pending

vSphere Client    5.1         Windows     not affected
vSphere Client    5.0         Windows     not affected
vSphere Client    4.1         Windows     4.1 Update 3a **
vSphere Client    4.0         Windows     4.0 Update 4b **
VI-Client         2.5         Windows     patch pending

hosted *          any         any         not affected

ESXi              5.1         ESXi        not affected
ESXi              5.0         ESXi        not affected
ESXi              4.1         ESXi        ESXi410-201301401-SG
ESXi              4.0         ESXi        ESXi400-201302401-SG
                                          ESXi400-201302403-SG (vSphere client)
ESXi              3.5         ESXi        patch pending

ESX               4.1         ESX         ESX410-201301401-SG
ESX               4.0         ESX         ESX400-201302401-SG (includes vSphere client)
ESX               3.5         ESX         patch pending

* hosted products are VMware Workstation, Player, ACE, Fusion.

** To remediate CVE-2013-1405, customers must apply updates to
all components of the authentication service.  First,
customers should update vCenter Server or ESXi/ESX as
appropriate to ensure that the updated vSphere Client is
downloaded.  Then, the vSphere client can be updated using
any one of the following methods:

– Run the installer that ships with vCenter Server
– Follow the client installation link on the vCenter Server
welcome page
– Follow the client installation link on the ESXi/ESX
Server welcome page

b. Update to ESX/ESXi libxml2 userworld and service console

The ESX/ESXi userworld libxml2 library has been updated to
resolve multiple security issues. Also, the ESX service console
libxml2 packages are updated to the following versions:

libxml2-2.6.26-2.1.15.el5_8.5
libxml2-python-2.6.26-2.1.15.el5_8.5

These updates fix multiple security issues. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the names CVE-2011-3102 and CVE-2012-2807 to these
issues.

Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.

VMware          Product   Running  Replace with/
Product         Version   on       Apply Patch
==============  ========  =======  =================
ESXi            5.1       ESXi     patch pending
ESXi            5.0       ESXi     patch pending
ESXi            4.1       ESXi     ESXi410-201301401-SG
ESXi            4.0       ESXi     no patch planned
ESXi            3.5       ESXi     no patch planned

ESX             4.1       ESX      ESX410-201301405-SG
ESX             4.0       ESX      no patch planned
ESX             3.5       ESX      no patch planned

c. Update to ESX service console bind packages

The ESX service console bind packages are updated to the
following versions:

bind-libs-9.3.6-20.P1.el5_8.2
bind-utils-9.3.6-20.P1.el5_8.2

These updates fix a security issue. The Common Vulnerabilities
and Exposures project (cve.mitre.org) has assigned the name
CVE-2012-4244 to this issue.

Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.

VMware          Product   Running  Replace with/
Product         Version   on       Apply Patch
==============  ========  =======  =================
ESXi            any       ESXi     not applicable

ESX             4.1       ESX      ESX410-201301402-SG
ESX             4.0       ESX      patch pending
ESX             3.5       ESX      not applicable

d. Update to ESX service console libxslt package

The ESX service console libxslt package is updated to version
libxslt-1.1.17-4.el5_8.3 to resolve multiple security issues.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2011-1202, CVE-2011-3970,
CVE-2012-2825, CVE-2012-2870, and CVE-2012-2871 to these issues.

Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.

VMware          Product   Running  Replace with/
Product         Version   on       Apply Patch
==============  ========  =======  =================
ESXi            any       ESXi     not applicable

ESX             4.1       ESX      ESX410-201301403-SG
ESX             4.0       ESX      not affected
ESX             3.5       ESX      not applicable

4. Solution

Please review the patch/release notes for your product and
version and verify the checksum of your downloaded file.

vCenter Server 4.1 Update 3a
—————————
The download for vCenter Server includes vSphere Update Manager,
vSphere Client, and vCenter Orchestrator.

Download link:
https://downloads.vmware.com/d/info/datacenter_cloud_infrastructure/vmware_vsphere/4_1

Release Notes:
https://www.vmware.com/support/vsphere4/doc/vsp_vc41_u3a_rel_notes.html

vCenter Server 4.0 Update 4b
—————————
The download for vCenter Server includes vSphere Update Manager,
vSphere Client, and vCenter Orchestrator.

Download link:
https://downloads.vmware.com/d/info/datacenter_cloud_infrastructure/vmware_vsphere/4_0

Release Notes:
https://www.vmware.com/support/vsphere4/doc/vsp_vc40_u4b_rel_notes.html

ESXi and ESX
————
https://my.vmware.com/web/vmware/downloads

ESXi 4.1
——–
File: ESXi410-201301001.zip
Build: 975799
md5sum: 3543d3f16a1f1b1369dcdb5c25fa7106
sha1sum: cced12e87838a3b037c9ec99d8490809c61fe883
http://kb.vmware.com/kb/2041332
ESXi410-201301001 contains ESXi410-201301401-SG

ESX 4.1
——-
File: ESX410-201301001.zip
Build: 977344
md5sum: 0219dbcbcc6fafe8bf33695682c8658d
sha1sum: 2eab9d56ac81f7d2d00c15b155bd93c36b0e03c3
http://kb.vmware.com/kb/2041331
ESX410-201301001 contains ESX410-201301401-SG, ESX410-201301402-SG,
ESX410-201301403-SG, and ESX410-201301405-SG

ESXi 4.0
——–
File: ESXi400-201302001.zip
md5sum: 03dc9246239dd449bf21a122e7b1bcf3
sha1sum: 276346a186c068c1fdbf19e1b753b8a2dbc8c89c
http://kb.vmware.com/kb/2041344
ESXi400-201302001 contains ESXi400-201302401-SG and
ESXi400-201302403-SG

ESX 4.0
——-
File: ESX400-201302001.zip
Build: 987598
md5sum: 2a883e737c3cde990fe4792c64c32fcd
sha1sum: 92c3b13ab3fdee73c335d5e8b41159f546def199
http://kb.vmware.com/kb/2041343
ESX400-201302001 contains ESX400-201302401-SG

5. References

— vSphere authentication —
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1405
— libxml2 —
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3102
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2807
— bind (service console) —
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4244
— xslt (service console) —
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1202
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3970
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2825
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2870
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2871

-----------------------------------------------------------------------

6. Change log

2013-01-31 VMSA-2013-0001
Initial security advisory in conjunction with the release of
vCenter 4.1 Update 3a and ESX 4.1 patches on 2013-01-31.

2013-02-07 VMSA-2013-0001.1
Updated security advisory to include vCenter 4.0 Update 4b and
patches for ESX 4.0.
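
Section 4 asks readers to verify the checksum of each downloaded bundle. The following Python code is an added example, not part of VMware's advisory or of the original post: it parses the advisory's File/md5sum/sha1sum stanzas and checks a local file against them. The function names are illustrative assumptions, and the embedded stanza is the ESXi 4.1 entry copied from section 4.

```python
import hashlib
import re

# Stanza copied from section 4 of the advisory (ESXi 4.1 bundle).
ADVISORY_TEXT = """\
File: ESXi410-201301001.zip
Build: 975799
md5sum: 3543d3f16a1f1b1369dcdb5c25fa7106
sha1sum: cced12e87838a3b037c9ec99d8490809c61fe883
"""

FIELD = re.compile(r"^\s*(File|md5sum|sha1sum):\s*(\S+)\s*$", re.I)
HEXLEN = {"md5sum": 32, "sha1sum": 40}  # expected hex digest lengths

def parse_manifest(text):
    """Return {filename: {"md5sum": hex, "sha1sum": hex}} from advisory text."""
    manifest, current = {}, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue  # Build:, KB links and prose lines are ignored
        key, value = m.group(1).lower(), m.group(2)
        if key == "file":
            current = manifest.setdefault(value, {})
        elif current is not None:
            value = value.lower()
            if len(value) != HEXLEN[key] or not re.fullmatch(r"[0-9a-f]+", value):
                raise ValueError(f"malformed {key} in advisory: {value!r}")
            current[key] = value
    return manifest

def file_digests(path, chunk=1 << 20):
    """Stream the file once, computing both digests the advisory lists."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha1.update(block)
    return {"md5sum": md5.hexdigest(), "sha1sum": sha1.hexdigest()}

def verify(path, name, manifest):
    """True only if the entry lists both digests and both match the file."""
    expected = manifest.get(name)
    if not expected or set(expected) != set(HEXLEN):
        return False  # unknown bundle or incomplete entry: fail closed
    return file_digests(path) == expected
```

A bundle name that is absent from the advisory, or an entry carrying only one of the two digests, is reported as a failure rather than skipped.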


Created on February 8, 2013 by Rick Scherer

Posted under Alert.
