VMSA-2013-0003 : VMware vCenter Server, ESXi and ESX address an NFC Protocol memory corruption and third-party library security issues.
High Nessus Plugin ID 64812
SynopsisThe remote VMware ESXi / ESX host is missing one or more security-related patches.
Descriptiona. VMware vCenter, ESXi and ESX NFC protocol memory corruption vulnerability
VMware vCenter Server, ESXi and ESX contain a vulnerability in the handling of the Network File Copy (NFC) protocol. To exploit this vulnerability, an attacker must intercept and modify the NFC traffic between vCenter Server and the client or ESXi/ESX and the client. Exploitation of the issue may lead to code execution.
To reduce the likelihood of exploitation, vSphere components should be deployed on an isolated management network
VMware would like to thank Alex Chapman of Context Information Security for reporting this issue to us.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-1659 to this issue.
b. VirtualCenter, ESX and ESXi Oracle (Sun) JRE update 1.5.0_38
Oracle (Sun) JRE is updated to version 1.5.0_38, which addresses multiple security issues that existed in earlier releases of Oracle (Sun) JRE.
Oracle has documented the CVE identifiers that are addressed in JRE 1.5.0_38 in the Oracle Java SE Critical Patch Update Advisory of October 2012.
c. Update to ESX service console OpenSSL RPM
The service console OpenSSL RPM is updated to version openssl-0.9.7a.33.28.i686 to resolve multiple security issues.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2012-2110 to this issue.
SolutionApply the missing patches.