VMSA-2010-0015 : VMware ESX third-party updates for Service Console

This script is Copyright (C) 2010-2014 Tenable Network Security, Inc.


Synopsis :

The remote VMware ESX host is missing one or more security-related
patches.

Description :

a. Service Console update for NSS_db

The service console package NSS_db is updated to version
nss_db-2.2-35.4.el5_5.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2010-0826 to this issue.

b. Service Console update for OpenLDAP

The service console package OpenLDAP updated to version
2.3.43-12.el5.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2009-3767 to this issue.

c. Service Console update for cURL

The service console packages for cURL updated to version
7.15.5-9.el5.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2010-0734 to this issue.

d. Service Console update for sudo

The service console package sudo updated to version 1.7.2p1-7.el5_5.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2010-1646 to this issue.

e. Service Console update for OpenSSL, GnuTLS, NSS and NSPR

Service Console updates for OpenSSL to version 097a-0.9.7a-9.el5_4.2
and version 0.9.8e-12.el5_4.6, GnuTLS to version 1.4.1-3.el5_4.8,
and NSS to version 3.12.6-1.3235.vmw and NSPR to version
4.8.4-1.3235.vmw. These four updates are bundled together due to
their mutual dependencies.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2009-3555, CVE-2009-2409, CVE-2009-3245
and CVE-2010-0433 to the issues addressed in this update.

See also :

http://lists.vmware.com/pipermail/security-announce/2010/000110.html

Solution :

Apply the missing patches.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 8.3
(CVSS2#E:F/RL:OF/RC:C)
Public Exploit Available : true