Reference: CERT-EU Security Advisory 2013-0028

Title: VMware vCenter Server, ESX and ESXi: Multiple vulnerabilities [1]

Version history:
27.02.2013 Initial publication

Summary
=======
VMware has updated VMware vCenter Server, ESXi and ESX to address a vulnerability in the Network File Copy (NFC) Protocol. This update also addresses multiple security vulnerabilities in third-party libraries used by VirtualCenter, ESX and ESXi.

CVE-names: 

CVE-2013-1659 CVE-2012-5089 CVE-2012-5088
CVE-2012-5087 CVE-2012-5086 CVE-2012-5085
CVE-2012-5084 CVE-2012-5083 CVE-2012-5082
CVE-2012-5081 CVE-2012-5080 CVE-2012-5079
CVE-2012-5078 CVE-2012-5077 CVE-2012-5076
CVE-2012-5075 CVE-2012-5074 CVE-2012-5073
CVE-2012-5072 CVE-2012-5071 CVE-2012-5070
CVE-2012-5069 CVE-2012-5068 CVE-2012-5067
CVE-2012-4416 CVE-2012-3216 CVE-2012-3159
CVE-2012-3143 CVE-2012-2110 CVE-2012-1533
CVE-2012-1532 CVE-2012-1531 

Vulnerable systems
==================

VMware vCenter Server 5.1 prior to 5.1.0b 
VMware vCenter Server 5.0 prior to 5.0 Update 2 
VMware vCenter Server 4.0 prior to Update 4b 
VMware VirtualCenter 2.5 prior to Update 6c

VMware ESXi 5.1 without ESXi510-201212101-SG 
VMware ESXi 5.0 without ESXi500-201212102-SG 
VMware ESXi 4.1 without ESXi410-201301401-SG 
VMware ESXi 4.0 without ESXi400-201302401-SG 
VMware ESXi 3.5 without ESXe350-201302401-I-SG and ESXe350-201302403-C-SG

VMware ESX 4.1 without ESX410-201301401-SG 
VMware ESX 4.0 without ESX400-201302401-SG 
VMware ESX 3.5 without ESX350-201302401-SG

Original Details
================
Several problems have been identified [1]:

VMware vCenter Server, ESXi and ESX contain a vulnerability in the handling of the Network File Copy (NFC) protocol. To exploit this vulnerability, an attacker must intercept and modify the NFC traffic between vCenter Server and the client or ESXi/ESX and the client. Exploitation of the issue may lead to code execution. (CVE-2013-1659)

In VirtualCenter, ESX and ESXi, the Oracle (Sun) JRE is updated to version 1.5.0_38, which addresses multiple security issues that existed in earlier releases of Oracle (Sun) JRE.

The ESX service console OpenSSL RPM is updated to version openssl-0.9.7a.33.28.i686 to resolve multiple security issues. (CVE-2012-2110)

What can you do?
================
Update your products to patched versions [1]: 


What to tell your users?
========================
N/A

More information
================
[1] http://www.vmware.com/security/advisories/VMSA-2013-0003.html


Best regards,