Summary
The remote ESXi is missing one or more security related Updates from VMSA-2013-0003.
Insight
VMware has updated VMware vCenter Server, ESXi and ESX to address a vulnerability in the Network File Copy (NFC) Protocol. This update also addresses multiple security vulnerabilities in third party libraries used by VirtualCenter, ESX and ESXi.
Relevant releases
VMware vCenter Server 5.1 prior to 5.1.0b
VMware vCenter Server 5.0 prior to 5.0 Update 2
VMware vCenter Server 4.0 prior to Update 4b
VMware VirtualCenter 2.5 prior to Update 6c
VMware ESXi 5.1 without ESXi510-201212101-SG
VMware ESXi 5.0 without ESXi500-201212102-SG
VMware ESXi 4.1 without ESXi410-201301401-SG
VMware ESXi 4.0 without ESXi400-201302401-SG
VMware ESXi 3.5 without ESXe350-201302401-I-SG and ESXe350-201302403-C-SG
VMware ESX 4.1 without ESX410-201301401-SG
VMware ESX 4.0 without ESX400-201302401-SG
VMware ESX 3.5 without ESX350-201302401-SG
Problem Description
a. VMware vCenter, ESXi and ESX NFC protocol memory corruption vulnerability
VMware vCenter Server, ESXi and ESX contain a vulnerability in the handling of the Network File Copy (NFC) protocol. To exploit this vulnerability, an attacker must intercept and modify the NFC traffic between vCenter Server and the client or ESXi/ESX and the client. Exploitation of the issue may lead to code execution.
To reduce the likelihood of exploitation, vSphere components should be deployed on an isolated management network.
b. VirtualCenter, ESX and ESXi Oracle (Sun) JRE update 1.5.0_38
Oracle (Sun) JRE is updated to version 1.5.0_38, which addresses multiple security issues that existed in earlier releases of Oracle (Sun) JRE.
Oracle has documented the CVE identifiers that are addressed in JRE 1.5.0_38 in the Oracle Java SE Critical Patch Update Advisory of October 2012.
c. Update to ESX service console OpenSSL RPM
The service console OpenSSL RPM is updated to version openssl-0.9.7a.33.28.i686 to resolve multiple security issues.
Solution
Apply the missing patch(es).
References
Updated on 2015-03-25
Severity
Classification
-
CVE CVE-2012-2110, CVE-2013-1659 -
CVSS Base Score: 7.6
AV:N/AC:H/Au:N/C:C/I:C/A:C
Related Vulnerabilities
- VMSA-2013-0002 VMware ESX, Workstation, Fusion, and View VMCI privilege escalation vulnerability
- VMSA-2012-0012 VMware ESXi update addresses several security issues.
- VMSA-2012-0011 VMware Workstation, Player, Fusion, ESXi and ESX patches address security issues.
- VMSA-2012-0016: VMware security updates for vSphere API and ESX Service Console
- VMSA-2014-0008: VMware vSphere product updates to third party libraries