VMSA-2010-0015 : VMware ESX third-party updates for Service Console

Critical Nessus Plugin ID 49703

Synopsis

The remote VMware ESX host is missing one or more security-related patches.

Description

a. Service Console update for NSS_db

The service console package NSS_db is updated to version nss_db-2.2-35.4.el5_5.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2010-0826 to this issue.

b. Service Console update for OpenLDAP

The service console package OpenLDAP updated to version 2.3.43-12.el5.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2009-3767 to this issue.

c. Service Console update for cURL

The service console packages for cURL updated to version 7.15.5-9.el5.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2010-0734 to this issue.

d. Service Console update for sudo

The service console package sudo updated to version 1.7.2p1-7.el5_5.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2010-1646 to this issue.

e. Service Console update for OpenSSL, GnuTLS, NSS and NSPR

Service Console updates for OpenSSL to version 097a-0.9.7a-9.el5_4.2 and version 0.9.8e-12.el5_4.6, GnuTLS to version 1.4.1-3.el5_4.8, and NSS to version 3.12.6-1.3235.vmw and NSPR to version 4.8.4-1.3235.vmw. These four updates are bundled together due to their mutual dependencies.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2009-3555, CVE-2009-2409, CVE-2009-3245 and CVE-2010-0433 to the issues addressed in this update.

Solution

Apply the missing patches.

See Also

http://lists.vmware.com/pipermail/security-announce/2010/000110.html

Plugin Details

Severity: Critical

ID: 49703

File Name: vmware_VMSA-2010-0015.nasl

Version: 1.18

Type: local

Published: 2010/10/04

Updated: 2018/08/06

Dependencies: 12634

Risk Information

Risk Factor: Critical

CVSS v2.0

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:POC/RL:OF/RC:C

Vulnerability Information

CPE: cpe:/o:vmware:esx:4.0, cpe:/o:vmware:esx:4.1

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2010/09/30

Exploitable With

Metasploit (Sun Java JRE AWT setDiffICM Buffer Overflow)

Reference Information

CVE: CVE-2009-2409, CVE-2009-3245, CVE-2009-3555, CVE-2009-3767, CVE-2010-0433, CVE-2010-0734, CVE-2010-0826, CVE-2010-1646

BID: 36844, 36881, 36935, 38162, 38533, 38562, 39132, 40538

VMSA: 2010-0015

CWE: 20, 310