VMSA-2013-0009 : VMware vSphere, ESX and ESXi updates to third-party libraries

Medium Nessus Plugin ID 69193

Synopsis

The remote VMware ESXi / ESX host is missing one or more security-related patches.

Description

a. vCenter Server and ESX userworld update for OpenSSL library

The userworld OpenSSL library is updated to version openssl-0.9.8y to resolve multiple security issues.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2013-0169 and CVE-2013-0166 to these issues.

b. Service Console (COS) update for OpenSSL library

The Service Console OpenSSL library is updated to version openssl-0.9.8e-26.el5_9.1 to resolve multiple security issues.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2013-0169 and CVE-2013-0166 to these issues.

c. ESX Userworld and Service Console (COS) update for libxml2 library

The ESX Userworld and Service Console libxml2 library is updated to versions libxml2-2.6.26-2.1.21.el5_9.1 and libxml2-python-2.6.26-2.1.21.el5_9.1 to resolve a security issue.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-0338 to this issue.

d. Service Console (COS) update for GnuTLS library

The ESX service console GnuTLS RPM is updated to version gnutls-1.4.1-10.el5_9.1 to resolve a security issue.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-2116 to this issue.

e. ESX third-party update for Service Console kernel

The ESX Service Console Operating System (COS) kernel is updated to kernel-2.6.18-348.3.1.el5, which addresses several security issues in the COS kernel.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2013-0268 and CVE-2013-0871 to these issues.

Solution

Apply the missing patches.

See Also

http://lists.vmware.com/pipermail/security-announce/2014/000230.html

Plugin Details

Severity: Medium

ID: 69193

File Name: vmware_VMSA-2013-0009.nasl

Version: 1.15

Type: local

Published: 2013/08/02

Updated: 2018/08/06

Dependencies: 12634

Risk Information

Risk Factor: Medium

VPR Score: 7.4

CVSS v2.0

Base Score: 6.9

Temporal Score: 5.7

Vector: CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:F/RL:OF/RC:C

Vulnerability Information

CPE: cpe:/o:vmware:esx:4.0, cpe:/o:vmware:esx:4.1, cpe:/o:vmware:esxi:4.1, cpe:/o:vmware:esxi:5.0, cpe:/o:vmware:esxi:5.1

Required KB Items: Host/local_checks_enabled, Host/VMware/release, Host/VMware/version

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2013/07/31

Exploitable With

CANVAS (CANVAS)

Reference Information

CVE: CVE-2013-0166, CVE-2013-0169, CVE-2013-0268, CVE-2013-0338, CVE-2013-0871, CVE-2013-2116

BID: 57778, 57838, 57986, 58180, 60215, 60268

VMSA: 2013-0009