Summary
The remote ESXi is missing one or more security related Updates from VMSA-2012-0013.
Summary
VMware has updated several third party libraries in vSphere and vcOps to address multiple security vulnerabilities.
Relevant releases
VMware vCenter 4.1 without Update 3
VMware vCenter Update Manager 4.1 without Update 3 VMware ESX without patches ESX410-201208101-SG, ESX410-201208102-SG, ESX410-201208103-SG, ESX410-201208104-SG, ESX410-201208105-SG, ESX410-201208106-SG, ESX410-201208107-SG
VMware ESXi without patch ESXi410-201208101-SG
Problem Description
a. vCenter and ESX update to JRE 1.6.0 Update 31
The Oracle (Sun) JRE is updated to version 1.6.0_31, which addresses multiple security issues. Oracle has documented the CVE identifiers that are addressed by this update in the Oracle Java SE Critical Patch Update Advisory of February 2012.
b. vCenter Update Manager update to JRE 1.5.0 Update 36
The Oracle (Sun) JRE is updated to 1.5.0_36 to address multiple security issues.
Oracle has documented the CVE identifiers that are addressed in JRE 1.5.0_36 in the Oracle Java SE Critical Patch Update Advisory for June 2012.
c. Update to ESX/ESXi userworld OpenSSL library
The ESX/ESXi userworld OpenSSL library is updated from version 0.9.8p to version 0.9.8t to resolve multiple security issues.
d. Update to ESX service console OpenSSL RPM
The service console OpenSSL RPM is updated to version 0.9.8e-22.el5_8.3 to resolve a security issue.
e. Update to ESX service console kernel
The ESX service console kernel is updated to resolve multiple security issues.
f. Update to ESX service console Perl RPM
The ESX service console Perl RPM is updated to perl-5.8.8.32.1.8999.vmw to resolve multiple security issues.
g. Update to ESX service console libxml2 RPM
The ESX service console libmxl2 RPMs are updated to libxml2-2.6.26-2.1.15.el5_8.2 and libxml2-python-2.6.26-2.1.15.el5_8.2 to resolve a security issue.
h. Update to ESX service console glibc RPM
The ESX service console glibc RPM is updated to version glibc-2.5-81.el5_8.1 to resolve multiple security issues.
i. Update to ESX service console GnuTLS RPM
The ESX service console GnuTLS RPM is updated to version 1.4.1-7.el5_8.2 to resolve multiple security issues.
j. Update to ESX service console popt, rpm, rpm-libs, and rpm-python RPMS
The ESX service console popt, rpm, rpm-libs, and rpm-python RPMS are updated to the following versions to resolve multiple security issues:
k. Vulnerability in third party Apache Struts component
The version of Apache Struts in vCenter Operations has been updated to 2.3.4 which addresses an arbitrary file overwrite vulnerability. This vulnerability allows an attacker to create a denial of service by overwriting arbitrary files without authentication. The attacker would need to be on the same network as the system where vCOps is installed.
Solution
Apply the missing patch(es).
References
Updated on 2015-03-25
Severity
Classification
-
CVSS Base Score: 10.0
AV:N/AC:L/Au:N/C:C/I:C/A:C
Related Vulnerabilities
- VMSA-2013-0014 VMware Workstation, Fusion, ESXi and ESX patches address a guest privilege escalation
- VMSA-2012-0006 VMware ESXi and ESX address several security issues
- VMSA-2014-0003 VMware vSphere Client updates address security vulnerabilities
- VMSA-2013-0001 VMware vSphere security updates for the authentication service and third party libraries
- VMSA-2012-0016: VMware security updates for vSphere API and ESX Service Console