Reference: CERT-EU Security Advisory 2013-0028
Title: VMware vCenter Server, ESX and ESXi: Multiple vulnerabilities [1]
Version history: 27.02.2013 Initial publication

Summary
=======

VMware has updated VMware vCenter Server, ESXi and ESX to address a vulnerability in the Network File Copy (NFC) protocol. This update also addresses multiple security vulnerabilities in third-party libraries used by VirtualCenter, ESX and ESXi.

CVE-names:
CVE-2013-1659
CVE-2012-5089 CVE-2012-5088 CVE-2012-5087 CVE-2012-5086 CVE-2012-5085
CVE-2012-5084 CVE-2012-5083 CVE-2012-5082 CVE-2012-5081 CVE-2012-5080
CVE-2012-5079 CVE-2012-5078 CVE-2012-5077 CVE-2012-5076 CVE-2012-5075
CVE-2012-5074 CVE-2012-5073 CVE-2012-5072 CVE-2012-5071 CVE-2012-5070
CVE-2012-5069 CVE-2012-5068 CVE-2012-5067
CVE-2012-4416 CVE-2012-3216 CVE-2012-3159 CVE-2012-3143
CVE-2012-2110
CVE-2012-1533 CVE-2012-1532 CVE-2012-1531

Vulnerable systems
==================

VMware vCenter Server 5.1 prior to 5.1.0b
VMware vCenter Server 5.0 prior to 5.0 Update 2
VMware vCenter Server 4.0 prior to Update 4b
VMware VirtualCenter 2.5 prior to Update 6c

VMware ESXi 5.1 without ESXi510-201212101-SG
VMware ESXi 5.0 without ESXi500-201212102-SG
VMware ESXi 4.1 without ESXi410-201301401-SG
VMware ESXi 4.0 without ESXi400-201302401-SG
VMware ESXi 3.5 without ESXe350-201302401-I-SG and ESXe350-201302403-C-SG

VMware ESX 4.1 without ESX410-201301401-SG
VMware ESX 4.0 without ESX400-201302401-SG
VMware ESX 3.5 without ESX350-201302401-SG

Original Details
================

Several problems identified [1]:

VMware vCenter Server, ESXi and ESX contain a vulnerability in the handling of the Network File Copy (NFC) protocol. To exploit this vulnerability, an attacker must intercept and modify the NFC traffic between vCenter Server and the client, or between ESXi/ESX and the client. Exploitation of the issue may lead to code execution. (CVE-2013-1659)

In VirtualCenter, ESX and ESXi, Oracle (Sun) JRE is updated to version 1.5.0_38, which addresses multiple security issues that existed in earlier releases of Oracle (Sun) JRE.

The ESX service console OpenSSL RPM is updated to version openssl-0.9.7a.33.28.i686 to resolve multiple security issues. (CVE-2012-2110)

What can you do?
================

Update your products to the patched versions listed in [1].

What to tell your users?
========================

N/A

More information
================

[1] http://www.vmware.com/security/advisories/VMSA-2013-0003.html

Best regards,