VMSA-2012-0013 : VMware vSphere and vCOps updates to third-party libraries

This script is Copyright (C) 2012-2014 Tenable Network Security, Inc.


Synopsis :

The remote VMware ESXi / ESX host is missing one or more
security-related patches.

Description :

a. vCenter and ESX update to JRE 1.6.0 Update 31

The Oracle (Sun) JRE is updated to version 1.6.0_31, which
addresses multiple security issues. Oracle has documented the
CVE identifiers that are addressed by this update in the Oracle
Java SE Critical Patch Update Advisory of February 2012.

b. vCenter Update Manager update to JRE 1.5.0 Update 36

The Oracle (Sun) JRE is updated to 1.5.0_36 to address multiple
security issues. Oracle has documented the CVE identifiers that
are addressed in JRE 1.5.0_36 in the Oracle Java SE Critical
Patch Update Advisory for June 2012.

c. Update to ESX/ESXi userworld OpenSSL library

The ESX/ESXi userworld OpenSSL library is updated from version
0.9.8p to version 0.9.8t to resolve multiple security issues.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2010-4180, CVE-2010-4252,
CVE-2011-0014, CVE-2011-4108, CVE-2011-4109, CVE-2011-4576,
CVE-2011-4577, CVE-2011-4619, and CVE-2012-0050 to these issues.

d. Update to ESX service console OpenSSL RPM

The service console OpenSSL RPM is updated to version
0.9.8e-22.el5_8.3 to resolve a security issue.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2012-2110 to this issue.

e. Update to ESX service console kernel

The ESX service console kernel is updated to resolve multiple
security issues.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2011-1833, CVE-2011-2484,
CVE-2011-2496, CVE-2011-3188, CVE-2011-3209, CVE-2011-3363,
CVE-2011-4110, CVE-2011-1020, CVE-2011-4132, CVE-2011-4324,
CVE-2011-4325, CVE-2012-0207, CVE-2011-2699, and CVE-2012-1583
to these issues.

f. Update to ESX service console Perl RPM

The ESX service console Perl RPM is updated to
perl-5.8.8.32.1.8999.vmw to resolve multiple security issues.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2010-2761, CVE-2010-4410, and
CVE-2011-3597 to these issues.

g. Update to ESX service console libxml2 RPMs

The ESX service console libxml2 RPMs are updated to
libxml2-2.6.26-2.1.15.el5_8.2 and
libxml2-python-2.6.26-2.1.15.el5_8.2 to resolve a security
issue.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2012-0841 to this issue.

h. Update to ESX service console glibc RPM

The ESX service console glibc RPM is updated to version
glibc-2.5-81.el5_8.1 to resolve multiple security issues.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2009-5029, CVE-2009-5064,
CVE-2010-0830, CVE-2011-1089, CVE-2011-4609, and CVE-2012-0864
to these issues.

i. Update to ESX service console GnuTLS RPM

The ESX service console GnuTLS RPM is updated to version
1.4.1-7.el5_8.2 to resolve multiple security issues.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2011-4128, CVE-2012-1569, and
CVE-2012-1573 to these issues.

j. Update to ESX service console popt, rpm, rpm-libs,
and rpm-python RPMs

The ESX service console popt, rpm, rpm-libs, and rpm-python RPMs
are updated to the following versions to resolve multiple
security issues :
- popt-1.10.2.3-28.el5_8
- rpm-4.4.2.3-28.el5_8
- rpm-libs-4.4.2.3-28.el5_8
- rpm-python-4.4.2.3-28.el5_8

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2012-0060, CVE-2012-0061, and
CVE-2012-0815 to these issues.

k. Vulnerability in third-party Apache Struts component

The version of Apache Struts in vCenter Operations has been
updated to 2.3.4, which addresses an arbitrary file overwrite
vulnerability. This vulnerability allows an attacker to create
a denial of service by overwriting arbitrary files without
authentication. The attacker would need to be on the same network
as the system where vCOps is installed.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2012-0393 to this issue.

Note: Apache Struts 2.3.4 addresses the following issues as well :
CVE-2011-5057, CVE-2012-0391, CVE-2012-0392, CVE-2012-0394. It
was found that these do not affect vCOps.

VMware would like to thank Alexander Minozhenko from ERPScan for
reporting this issue to us.

See also :

http://lists.vmware.com/pipermail/security-announce/2012/000197.html

Solution :

Apply the missing patches.

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 7.3
(CVSS2#E:POC/RL:OF/RC:C)
Public Exploit Available : true