VMSA-2013-0009 : VMware vSphere, ESX and ESXi updates to third-party libraries

medium Nessus Plugin ID 69193
New! Plugin Severity Now Using CVSS v3

The calculated severity for Plugins has been updated to use CVSS v3 by default. Plugins that do not have a CVSS v3 score will fall back to CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Synopsis

The remote VMware ESXi / ESX host is missing one or more security-related patches.

Description

a. vCenter Server and ESX userworld update for OpenSSL library

The userworld OpenSSL library is updated to version openssl-0.9.8y to resolve multiple security issues.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2013-0169 and CVE-2013-0166 to these issues.

b. Service Console (COS) update for OpenSSL library

The Service Console updates for OpenSSL library is updated to version openssl-0.9.8e-26.el5_9.1 to resolve multiple security issues.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2013-0169 and CVE-2013-0166 to these issues.

c. ESX Userworld and Service Console (COS) update for libxml2 library

The ESX Userworld and Service Console libxml2 library is updated to version libxml2-2.6.26-2.1.21.el5_9.1 and libxml2-python-2.6.26-2.1.21.el5_9.1. to resolve a security issue.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-0338 to this issue.

d. Service Console (COS) update for GnuTLS library

The ESX service console GnuTLS RPM is updated to version gnutls-1.4.1-10.el5_9.1 to resolve a security issue.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-2116 to this issue.

e. ESX third-party update for Service Console kernel

The ESX Service Console Operating System (COS) kernel is updated to kernel-2.6.18-348.3.1.el5 which addresses several security issues in the COS kernel.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2013-0268 and CVE-2013-0871 to these issues.

Solution

Apply the missing patches.

See Also

http://lists.vmware.com/pipermail/security-announce/2014/000230.html

Plugin Details

Severity: Medium

ID: 69193

File Name: vmware_VMSA-2013-0009.nasl

Version: 1.16

Type: local

Published: 8/2/2013

Updated: 1/6/2021

Dependencies: ssh_get_info.nasl

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: Medium

Base Score: 6.9

Temporal Score: 5.7

Vector: AV:L/AC:M/Au:N/C:C/I:C/A:C

Temporal Vector: E:F/RL:OF/RC:C

Vulnerability Information

CPE: cpe:/o:vmware:esx:4.0, cpe:/o:vmware:esx:4.1, cpe:/o:vmware:esxi:4.1, cpe:/o:vmware:esxi:5.0, cpe:/o:vmware:esxi:5.1

Required KB Items: Host/local_checks_enabled, Host/VMware/release, Host/VMware/version

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 7/31/2013

Exploitable With

CANVAS (CANVAS)

Reference Information

CVE: CVE-2013-0166, CVE-2013-0169, CVE-2013-0268, CVE-2013-0338, CVE-2013-0871, CVE-2013-2116

BID: 57778, 57838, 57986, 58180, 60215, 60268

VMSA: 2013-0009