VMSA-2013-0003 VMware vCenter Server, ESXi and ESX address an NFC Protocol memory corruption and third party library security issues. (remote check)

  1. Network Vulnerabilities
  2. General
  3. VMSA-2013-0003 VMware vCenter Server, ESXi and ESX address an NFC Protocol memory corruption and third party library security issues. (remote check)
Summary
The remote ESXi is missing one or more security related Updates from VMSA-2013-0003.
Solution
Apply the missing patch(es).
Insight
VMware has updated VMware vCenter Server, ESXi and ESX to address a vulnerability in the Network File Copy (NFC) Protocol. This update also addresses multiple security vulnerabilities in third party libraries used by VirtualCenter, ESX and ESXi. Problem Description a. VMware vCenter, ESXi and ESX NFC protocol memory corruption vulnerability VMware vCenter Server, ESXi and ESX contain a vulnerability in the handling of the Network File Copy (NFC) protocol. To exploit this vulnerability, an attacker must intercept and modify the NFC traffic between vCenter Server and the client or ESXi/ESX and the client. Exploitation of the issue may lead to code execution. To reduce the likelihood of exploitation, vSphere components should be deployed on an isolated management network. b. VirtualCenter, ESX and ESXi Oracle (Sun) JRE update 1.5.0_38 Oracle (Sun) JRE is updated to version 1.5.0_38, which addresses multiple security issues that existed in earlier releases of Oracle (Sun) JRE. Oracle has documented the CVE identifiers that are addressed in JRE 1.5.0_38 in the Oracle Java SE Critical Patch Update Advisory of October 2012. c. Update to ESX service console OpenSSL RPM The service console OpenSSL RPM is updated to version openssl-0.9.7a.33.28.i686 to resolve multiple security issues.
Affected
VMware vCenter Server 5.1 prior to 5.1.0b VMware vCenter Server 5.0 prior to 5.0 Update 2 VMware vCenter Server 4.0 prior to Update 4b VMware VirtualCenter 2.5 prior to Update 6c VMware ESXi 5.1 without ESXi510-201212101-SG VMware ESXi 5.0 without ESXi500-201212102-SG VMware ESXi 4.1 without ESXi410-201301401-SG VMware ESXi 4.0 without ESXi400-201302401-SG VMware ESXi 3.5 without ESXe350-201302401-I-SG and ESXe350-201302403-C-SG VMware ESX 4.1 without ESX410-201301401-SG VMware ESX 4.0 without ESX400-201302401-SG VMware ESX 3.5 without ESX350-201302401-SG
Detection
Check the build number.
References
Updated on 2015-03-25
Severity
High Severity
Classification
Related Vulnerabilities