Reference: CERT-EU Security Advisory 2013-0060

Title: VMware ESX and ESXi updates to third party libraries

Version history:
02.08.2013 Initial publication

Summary
=======

VMware has updated several third party libraries in ESX and ESXi to address multiple security vulnerabilities.

CVE numbers:

--- OpenSSL ---
CVE-2013-0169, CVE-2013-0166

--- libxml2 (COS and userworld) ---
CVE-2013-0338

--- GnuTLS (COS) ---
CVE-2013-2116

--- Kernel (COS) ---
CVE-2013-0268, CVE-2013-0871

Vulnerable systems
==================

VMware ESXi 4.1 without patch ESXi410-201307001
VMware ESX 4.1 without patch ESX410-201307001

Original Details
================

a. ESX userworld update for OpenSSL library

The userworld OpenSSL library is updated to version openssl-0.9.8y to resolve multiple security issues. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2013-0169 and CVE-2013-0166 to these issues.

b. Service Console (COS) update for OpenSSL library

The Service Console OpenSSL library is updated to version openssl-0.9.8e-26.el5_9.1 to resolve multiple security issues. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2013-0169 and CVE-2013-0166 to these issues.

c. ESX Userworld and Service Console (COS) update for libxml2 library

The ESX Userworld and Service Console libxml2 library is updated to version libxml2-2.6.26-2.1.21.el5_9.1 and libxml2-python-2.6.26-2.1.21.el5_9.1 to resolve a security issue. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-0338 to this issue.

d. Service Console (COS) update for GnuTLS library

The ESX service console GnuTLS RPM is updated to version gnutls-1.4.1-10.el5_9.1 to resolve a security issue. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-2116 to this issue.

e. ESX third party update for Service Console kernel

The ESX Service Console Operating System (COS) kernel is updated to kernel-2.6.18-348.3.1.el5, which addresses several security issues in the COS kernel. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2013-0268 and CVE-2013-0871 to these issues.

What can you do?
================

Patches are available at [1].

What to tell your users?
========================

N/A

More information
================

[1] http://www.vmware.com/security/advisories/VMSA-2013-0009.html
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0166
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0169
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0338
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2116
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0871
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0268

Best regards,

CERT-EU Pre-configuration Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383
FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383
Privacy Statement: http://cert.europa.eu/cert/plainedition/en/cert_privacy.html
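
The following is an added example, not part of the CERT-EU advisory or VMware's tooling: it compares a Service Console (COS) RPM inventory against the fixed package versions listed under "Original Details" and reports packages that are still older. The function names, the sample inventory and the simplified RPM version comparison (no epoch, `~` or `^` handling) are assumptions made for illustration.

```python
import re

# Fixed Service Console (COS) package versions, taken from the advisory text.
FIXED = {
    "openssl": "0.9.8e-26.el5_9.1",
    "libxml2": "2.6.26-2.1.21.el5_9.1",
    "libxml2-python": "2.6.26-2.1.21.el5_9.1",
    "gnutls": "1.4.1-10.el5_9.1",
    "kernel": "2.6.18-348.3.1.el5",
}

def _segments(s):
    # RPM compares maximal runs of digits or letters; separators are ignored.
    return re.findall(r"\d+|[A-Za-z]+", s)

def rpm_cmp(a, b):
    """Return -1, 0 or 1. Simplified rpmvercmp: no epoch, '~' or '^' handling."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # numeric segment beats alphabetic
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evr_cmp(a, b):
    # Compare the version part first, then the release part, as RPM does.
    (va, ra), (vb, rb) = a.rsplit("-", 1), b.rsplit("-", 1)
    return rpm_cmp(va, vb) or rpm_cmp(ra, rb)

def outdated(rpm_lines):
    hits = []
    for line in rpm_lines.strip().splitlines():
        name, evr = line.split()
        if name in FIXED and evr_cmp(evr, FIXED[name]) < 0:
            hits.append((name, evr, FIXED[name]))
    return hits

# Constructed sample of `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'` output.
SAMPLE = """
openssl 0.9.8e-22.el5_8.4
libxml2 2.6.26-2.1.21.el5_9.1
gnutls 1.4.1-10.el5_9.1
kernel 2.6.18-308.el5
bash 3.2-32.el5
"""
print(outdated(SAMPLE))
```

This covers only the COS RPMs on ESX 4.1; the userworld libraries and ESXi are covered by the patch bulletins named under "Vulnerable systems".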