39649

43315

http://support.avaya.com/css/P8/documents/100088287

[oss-security] 20100507 CVE-2010-0730 xen: emulator instruction decoding inconsistency

RHSA-2010:0398

20110211 VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX

39979

http://www.vmware.com/security/advisories/VMSA-2011-0003.html

https://bugzilla.redhat.com/show_bug.cgi?id=572971

oval:org.mitre.oval:def:11430

The remote VMware ESX / ESXi host is missing a security-related patch.
It is, therefore, affected by multiple vulnerabilities, including remote code execution vulnerabilities, in several third-party components and libraries :

  - Apache Tomcat 
  - Apache Tomcat Manager
  - cURL 
  - Java Runtime Environment (JRE)
  - Kernel 
  - Microsoft SQL Express
  - OpenSSL
  - pam_krb5

From Red Hat Security Advisory 2010:0398 :

Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

This update fixes the following security issues :

* a flaw was found in the Unidirectional Lightweight Encapsulation (ULE) implementation. A remote attacker could send a specially crafted ISO MPEG-2 Transport Stream (TS) frame to a target system, resulting in an infinite loop (denial of service). (CVE-2010-1086, Important)

* on AMD64 systems, it was discovered that the kernel did not ensure the ELF interpreter was available before making a call to the SET_PERSONALITY macro. A local attacker could use this flaw to cause a denial of service by running a 32-bit application that attempts to execute a 64-bit application. (CVE-2010-0307, Moderate)

* a flaw was found in the kernel connector implementation. A local, unprivileged user could trigger this flaw by sending an arbitrary number of notification requests using specially crafted netlink messages, resulting in a denial of service. (CVE-2010-0410, Moderate)

* a flaw was found in the Memory-mapped I/O (MMIO) instruction decoder in the Xen hypervisor implementation. An unprivileged guest user could use this flaw to trick the hypervisor into emulating a certain instruction, which could crash the guest (denial of service).
(CVE-2010-0730, Moderate)

* a divide-by-zero flaw was found in the azx_position_ok() function in the driver for Intel High Definition Audio, snd-hda-intel. A local, unprivileged user could trigger this flaw to cause a kernel crash (denial of service). (CVE-2010-1085, Moderate)

This update also fixes the following bugs :

* in some cases, booting a system with the 'iommu=on' kernel parameter resulted in a Xen hypervisor panic. (BZ#580199)

* the fnic driver flushed the Rx queue instead of the Tx queue after fabric login. This caused crashes in some cases. (BZ#580829)

* 'kernel unaligned access' warnings were logged to the dmesg log on some systems. (BZ#580832)

* the 'Northbridge Error, node 1, core: -1 K8 ECC error' error occurred on some systems using the amd64_edac driver. (BZ#580836)

* in rare circumstances, when using kdump and booting a kernel with 'crashkernel=128M@16M', the kdump kernel did not boot after a crash.
(BZ#580838)

* TLB page table entry flushing was done incorrectly on IBM System z, possibly causing crashes, subtle data inconsistency, or other issues.
(BZ#580839)

* iSCSI failover times were slower than in Red Hat Enterprise Linux 5.3. (BZ#580840)

* fixed floating point state corruption after signal. (BZ#580841)

* in certain circumstances, under heavy load, certain network interface cards using the bnx2 driver and configured to use MSI-X, could stop processing interrupts and then network connectivity would cease. (BZ#587799)

* cnic parts resets could cause a deadlock when the bnx2 device was enslaved in a bonding device and that device had an associated VLAN.
(BZ#581148)

* some BIOS implementations initialized interrupt remapping hardware in a way the Xen hypervisor implementation did not expect. This could have caused a system hang during boot. (BZ#581150)

* AMD Magny-Cours systems panicked when booting a 32-bit kernel.
(BZ#580846)

Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.

This kernel is already in SL 5.5

This updated contains all the security and bug fixes from the 2.6.18-194.el5 kernel. In additions this update fixes the following security issues :

  - a flaw was found in the Unidirectional Lightweight     Encapsulation (ULE) implementation. A remote attacker     could send a specially crafted ISO MPEG-2 Transport     Stream (TS) frame to a target system, resulting in an     infinite loop (denial of service). (CVE-2010-1086,     Important)

  - on AMD64 systems, it was discovered that the kernel did     not ensure the ELF interpreter was available before     making a call to the SET_PERSONALITY macro. A local     attacker could use this flaw to cause a denial of     service by running a 32-bit application that attempts to     execute a 64-bit application. (CVE-2010-0307, Moderate)

  - a flaw was found in the kernel connector implementation.
    A local, unprivileged user could trigger this flaw by     sending an arbitrary number of notification requests     using specially crafted netlink messages, resulting in a     denial of service. (CVE-2010-0410, Moderate)

  - a flaw was found in the Memory-mapped I/O (MMIO)     instruction decoder in the Xen hypervisor     implementation. An unprivileged guest user could use     this flaw to trick the hypervisor into emulating a     certain instruction, which could crash the guest (denial     of service). (CVE-2010-0730, Moderate)

  - a divide-by-zero flaw was found in the azx_position_ok()     function in the driver for Intel High Definition Audio,     snd-hda-intel. A local, unprivileged user could trigger     this flaw to cause a kernel crash (denial of service).
    (CVE-2010-1085, Moderate)

This update also fixes the following bugs :

  - in some cases, booting a system with the 'iommu=on'     kernel parameter resulted in a Xen hypervisor panic.
    (BZ#580199)

  - the fnic driver flushed the Rx queue instead of the Tx     queue after fabric login. This caused crashes in some     cases. (BZ#580829)

  - 'kernel unaligned access' warnings were logged to the     dmesg log on some systems. (BZ#580832)

  - the 'Northbridge Error, node 1, core: -1 K8 ECC error'     error occurred on some systems using the amd64_edac     driver. (BZ#580836)

  - in rare circumstances, when using kdump and booting a     kernel with 'crashkernel=128M@16M', the kdump kernel did     not boot after a crash. (BZ#580838)

  - TLB page table entry flushing was done incorrectly on     IBM System z, possibly causing crashes, subtle data     inconsistency, or other issues. (BZ#580839)

  - iSCSI failover times were slower than in Red Hat     Enterprise Linux 5.3. (BZ#580840)

  - fixed floating point state corruption after signal.
    (BZ#580841)

  - in certain circumstances, under heavy load, certain     network interface cards using the bnx2 driver and     configured to use MSI-X, could stop processing     interrupts and then network connectivity would cease.
    (BZ#587799)

  - cnic parts resets could cause a deadlock when the bnx2     device was enslaved in a bonding device and that device     had an associated VLAN. (BZ#581148)

  - some BIOS implementations initialized interrupt     remapping hardware in a way the Xen hypervisor     implementation did not expect. This could have caused a     system hang during boot. (BZ#581150)

  - AMD Magny-Cours systems panicked when booting a 32-bit     kernel. (BZ#580846)

The system must be rebooted for this update to take effect.

a. vCenter Server and vCenter Update Manager update Microsoft    SQL Server 2005 Express Edition to Service Pack 3

   Microsoft SQL Server 2005 Express Edition (SQL Express)    distributed with vCenter Server 4.1 Update 1 and vCenter Update    Manager 4.1 Update 1 is upgraded from  SQL Express Service Pack 2    to SQL Express Service Pack 3, to address multiple security    issues that exist in the earlier releases of Microsoft SQL Express.

   Customers using other database solutions need not update for    these issues.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the names CVE-2008-5416, CVE-2008-0085, CVE-2008-0086,    CVE-2008-0107 and CVE-2008-0106 to the issues addressed in MS SQL    Express Service Pack 3.

b. vCenter Apache Tomcat Management Application Credential Disclosure

   The Apache Tomcat Manager application configuration file contains    logon credentials that can be read by unprivileged local users.

   The issue is resolved by removing the Manager application in    vCenter 4.1 Update 1.

   If vCenter 4.1 is updated to vCenter 4.1 Update 1 the logon    credentials are not present in the configuration file after the    update.

   VMware would like to thank Claudio Criscione of Secure Networking    for reporting this issue to us.

   The Common Vulnerabilities and Exposures Project (cve.mitre.org)    has assigned the name CVE-2010-2928 to this issue.

c. vCenter Server and ESX, Oracle (Sun) JRE is updated to version    1.6.0_21

   Oracle (Sun) JRE update to version 1.6.0_21, which addresses    multiple security issues that existed in earlier releases of    Oracle (Sun) JRE.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the following names to the security issues fixed in    Oracle (Sun) JRE 1.6.0_19: CVE-2009-3555, CVE-2010-0082,    CVE-2010-0084, CVE-2010-0085, CVE-2010-0087, CVE-2010-0088,    CVE-2010-0089, CVE-2010-0090, CVE-2010-0091, CVE-2010-0092,    CVE-2010-0093, CVE-2010-0094, CVE-2010-0095, CVE-2010-0837,    CVE-2010-0838, CVE-2010-0839, CVE-2010-0840, CVE-2010-0841,    CVE-2010-0842, CVE-2010-0843, CVE-2010-0844, CVE-2010-0845,    CVE-2010-0846, CVE-2010-0847, CVE-2010-0848, CVE-2010-0849,    CVE-2010-0850.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the following name to the security issue fixed in    Oracle (Sun) JRE 1.6.0_20: CVE-2010-0886.

d. vCenter Update Manager Oracle (Sun) JRE is updated to version   1.5.0_26

   Oracle (Sun) JRE update to version 1.5.0_26, which addresses    multiple security issues that existed in earlier releases of    Oracle (Sun) JRE.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the following names to the security issues fixed in    Oracle (Sun) JRE 1.5.0_26: CVE-2010-3556, CVE-2010-3566,    CVE-2010-3567, CVE-2010-3550, CVE-2010-3561, CVE-2010-3573,    CVE-2010-3565,CVE-2010-3568, CVE-2010-3569,  CVE-2009-3555,    CVE-2010-1321, CVE-2010-3548, CVE-2010-3551, CVE-2010-3562,    CVE-2010-3571, CVE-2010-3554, CVE-2010-3559, CVE-2010-3572,    CVE-2010-3553, CVE-2010-3549, CVE-2010-3557, CVE-2010-3541,    CVE-2010-3574.

e. vCenter Server and ESX Apache Tomcat updated to version 6.0.28

   Apache Tomcat updated to version 6.0.28, which addresses multiple    security issues that existed in earlier releases of Apache Tomcat

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the following names to the security issues fixed in    Apache Tomcat 6.0.24: CVE-2009-2693, CVE-2009-2901, CVE-2009-2902,i    and CVE-2009-3548.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the following names to the security issues fixed in    Apache Tomcat 6.0.28: CVE-2010-2227, CVE-2010-1157.

f. vCenter Server third-party component OpenSSL updated to version    0.9.8n

   The version of the OpenSSL library in vCenter Server is updated to    0.9.8n.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the names CVE-2010-0740 and CVE-2010-0433 to the    issues addressed in this version of OpenSSL.

g. ESX third-party component OpenSSL updated to version 0.9.8p

   The version of the ESX OpenSSL library is updated to 0.9.8p.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the names CVE-2010-3864 and CVE-2010-2939 to the    issues addressed in this update.

h. ESXi third-party component cURL updated

   The version of cURL library in ESXi is updated.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the name CVE-2010-0734 to the issues addressed in    this update.

i. ESX third-party component pam_krb5 updated

   The version of pam_krb5 library is updated.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the names CVE-2008-3825 and CVE-2009-1384 to the    issues addressed in the update.

j. ESX third-party update for Service Console kernel

   The Service Console kernel is updated to include kernel version    2.6.18-194.11.1.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the names CVE-2010-1084, CVE-2010-2066, CVE-2010-2070,    CVE-2010-2226, CVE-2010-2248, CVE-2010-2521, CVE-2010-2524,    CVE-2010-0008, CVE-2010-0415, CVE-2010-0437, CVE-2009-4308,    CVE-2010-0003, CVE-2010-0007, CVE-2010-0307, CVE-2010-1086,    CVE-2010-0410, CVE-2010-0730, CVE-2010-1085, CVE-2010-0291,    CVE-2010-0622, CVE-2010-1087, CVE-2010-1173, CVE-2010-1437,    CVE-2010-1088, CVE-2010-1187, CVE-2010-1436, CVE-2010-1641, and    CVE-2010-3081 to the issues addressed in the update.

   Notes :
   - The update also addresses the 64-bit compatibility mode    stack pointer underflow issue identified by CVE-2010-3081. This    issue was patched in an ESX 4.1 patch prior to the release of    ESX 4.1 Update 1 and in a previous ESX 4.0 patch release.
   - The update also addresses CVE-2010-2240 for ESX 4.0.

Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

This update fixes the following security issues :

* a flaw was found in the Unidirectional Lightweight Encapsulation (ULE) implementation. A remote attacker could send a specially crafted ISO MPEG-2 Transport Stream (TS) frame to a target system, resulting in an infinite loop (denial of service). (CVE-2010-1086, Important)

* on AMD64 systems, it was discovered that the kernel did not ensure the ELF interpreter was available before making a call to the SET_PERSONALITY macro. A local attacker could use this flaw to cause a denial of service by running a 32-bit application that attempts to execute a 64-bit application. (CVE-2010-0307, Moderate)

* a flaw was found in the kernel connector implementation. A local, unprivileged user could trigger this flaw by sending an arbitrary number of notification requests using specially crafted netlink messages, resulting in a denial of service. (CVE-2010-0410, Moderate)

* a flaw was found in the Memory-mapped I/O (MMIO) instruction decoder in the Xen hypervisor implementation. An unprivileged guest user could use this flaw to trick the hypervisor into emulating a certain instruction, which could crash the guest (denial of service).
(CVE-2010-0730, Moderate)

* a divide-by-zero flaw was found in the azx_position_ok() function in the driver for Intel High Definition Audio, snd-hda-intel. A local, unprivileged user could trigger this flaw to cause a kernel crash (denial of service). (CVE-2010-1085, Moderate)

This update also fixes the following bugs :

* in some cases, booting a system with the 'iommu=on' kernel parameter resulted in a Xen hypervisor panic. (BZ#580199)

* the fnic driver flushed the Rx queue instead of the Tx queue after fabric login. This caused crashes in some cases. (BZ#580829)

* 'kernel unaligned access' warnings were logged to the dmesg log on some systems. (BZ#580832)

* the 'Northbridge Error, node 1, core: -1 K8 ECC error' error occurred on some systems using the amd64_edac driver. (BZ#580836)

* in rare circumstances, when using kdump and booting a kernel with 'crashkernel=128M@16M', the kdump kernel did not boot after a crash.
(BZ#580838)

* TLB page table entry flushing was done incorrectly on IBM System z, possibly causing crashes, subtle data inconsistency, or other issues.
(BZ#580839)

* iSCSI failover times were slower than in Red Hat Enterprise Linux 5.3. (BZ#580840)

* fixed floating point state corruption after signal. (BZ#580841)

* in certain circumstances, under heavy load, certain network interface cards using the bnx2 driver and configured to use MSI-X, could stop processing interrupts and then network connectivity would cease. (BZ#587799)

* cnic parts resets could cause a deadlock when the bnx2 device was enslaved in a bonding device and that device had an associated VLAN.
(BZ#581148)

* some BIOS implementations initialized interrupt remapping hardware in a way the Xen hypervisor implementation did not expect. This could have caused a system hang during boot. (BZ#581150)

* AMD Magny-Cours systems panicked when booting a 32-bit kernel.
(BZ#580846)

Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.

The remote CentOS system is missing a security update which has been documented in Red Hat advisory RHSA-2010-0398.

ID	Name	Product	Family	Severity
89674	VMware ESX / ESXi Third-Party Libraries Multiple Vulnerabilities (VMSA-2011-0003) (remote check)	Nessus	Misc.	critical
68037	Oracle Linux 5 : kernel (ELSA-2010-0398)	Nessus	Oracle Linux Local Security Checks	high
60788	Scientific Linux Security Update : kernel on SL 5.0-5.4 i386/x86_64	Nessus	Scientific Linux Local Security Checks	high
51971	VMSA-2011-0003 : Third-party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX	Nessus	VMware ESX Local Security Checks	critical
46759	CentOS 5 : kernel (CESA-2010:0398)	Nessus	CentOS Local Security Checks	high
46307	RHEL 5 : kernel (RHSA-2010:0398)	Nessus	Red Hat Local Security Checks	high
801490	CentOS RHSA-2010-0398 Security Check	Log Correlation Engine	Generic	high

CVE-2010-0730

LOW

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Tenable Plugins

critical

high

high

critical

high

high

high