Reference: CERT-EU Security Advisory 2012-0057

Title: VMware ESX updates to ESX Service Console [1]

Version history:
27.04.2012 Initial publication

Summary
=======
VMware has released a patch for the ESX Service Console Operating System (COS) kernel that addresses several security issues in the COS kernel. The COS libxml2 RPMs are updated to versions libxml2-2.6.26-2.1.12.el5_7.2 and libxml2-python-2.6.26-2.1.12.el5_7.2, which address several security issues.

The list of CVEs patched includes: CVE-2011-3191, CVE-2011-4348, CVE-2012-0028, CVE-2010-4008, CVE-2011-0216, CVE-2011-1944, CVE-2011-2834, CVE-2011-3905, and CVE-2011-3919.

CVSS v2 Base Scores for these vulnerabilities range from 4.3 to 7.1 (MEDIUM to HIGH) [2].

Vulnerable systems
==================
ESX 4.1 ESX patch available
ESX 4.0 ESX patch pending
ESX 3.5 ESX not applicable 

What can you do?
================
A fix is available for ESX 4.1 and partially for ESX 4.0 [1]. Install the patch ESX410-201204001.

Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.
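
To confirm after patching that a host carries the fixed libxml2 builds named in the Summary, the installed package versions can be compared against them. The following Python code is an added example, not part of the original advisory or of VMware's tooling; it assumes `rpm -q` output in name-version-release form without epoch or architecture, and the sample input is constructed.

```python
import re

# Fixed builds named in the advisory summary.
FIXED = ("libxml2-2.6.26-2.1.12.el5_7.2",
         "libxml2-python-2.6.26-2.1.12.el5_7.2")

# Constructed sample of `rpm -q` output (name-version-release, no epoch/arch).
SAMPLE = """\
libxml2-2.6.26-2.1.2.8
libxml2-python-2.6.26-2.1.12.el5_7.2
"""

def rpmvercmp(a, b):
    """Compare two version or release strings segment by segment, in the
    style of RPM's rpmvercmp (tilde/caret rules omitted). Returns -1, 0, 1."""
    sa = re.findall(r"\d+|[A-Za-z]+", a)
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # numeric segment is newer
        if x.isdigit():
            x, y = int(x), int(y)             # 12 > 2, unlike string order
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def audit(rpm_q_output):
    """Map each package in FIXED to patched / needs update / not installed."""
    fixed = {}
    for nvr in FIXED:
        name, ver, rel = nvr.rsplit("-", 2)   # name may itself contain '-'
        fixed[name] = (ver, rel)
    report = dict.fromkeys(fixed, "not installed")
    for line in rpm_q_output.splitlines():
        parts = line.strip().rsplit("-", 2)
        if len(parts) != 3 or parts[0] not in fixed:
            continue                          # other packages, rpm messages
        name, ver, rel = parts
        fver, frel = fixed[name]
        order = rpmvercmp(ver, fver) or rpmvercmp(rel, frel)
        report[name] = "patched" if order >= 0 else "needs update"
    return report

if __name__ == "__main__":
    for pkg, state in sorted(audit(SAMPLE).items()):
        print(pkg, state)
```

A plain string comparison would rank the release 2.1.2.8 above 2.1.12.el5_7.2 and report the host as patched, which is why the segments are compared numerically.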

What to tell your users?
========================
N/A

More information
================
[1] http://www.vmware.com/security/advisories/VMSA-2012-0008.html 
[2] Information about CVSS: http://www.first.org/cvss/cvss-guide.html

Best regards,
CERT-EU
CERT-EU Pre-configuration Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383
FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383

(DISCLAIMER: CERT-EU, the CERT for the EU institutions, is currently in
its setup phase, until May 2012. Services are provided in a pilot
fashion, and are not yet fully functional. Announcements, alerts and
warnings are sent out in best effort manner, and to contact information
currently known to us. We apologise if you are not the correct
recipient, or if you had already been warned about this issue from
another source. Format, content and way of alerting are subject to
change in the future. Contact information or even the team name may
change as well.)
