U radu programskog paketa VMware ESX otkriveno je više sigurnosnih propusta. Riječ je o paketu namijenjenom virtualizaciji različitih operacijskih sustava na jednom poslužitelju. Propusti su posljedica ranjivosti u paketima Glibc, OpenLDAP i naredbi SUDO. Udaljeni, zlonamjerni korisnik ih može zlouporabiti za izvođenje DoS napada, pokretanje proizvoljnog programskog koda, povećanje ovlasti i otkrivanje osjetljivih podataka. Za detalje propusta preporuča se čitanje izvorne preporuke. Dostupna je nadogradnja za inačicu 4.0 pa se korisnicima savjetuje njezina primjena. Za inačicu 4.1. nadogradnja će biti izdana naknadno.

VMSA-2011-0001
VMware ESX third party updates for Service Console packages glibc, sudo, and openldap

------------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID:       VMSA-2011-0001
Synopsis:          VMware ESX third party updates for Service Console
                   packages glibc, sudo, and openldap
Issue date:        2011-01-04
Updated on:        2011-01-04 (initial release of advisory)
CVE numbers:       CVE-2010-3847 CVE-2010-385 CVE-2010-2956
                   CVE-2010-0211 CVE-2010-0212
------------------------------------------------------------------------

1. Summary

   ESX 4.0 Service Console OS (COS) updates for glibc, sudo, and 
   openldap packages.

2. Relevant releases

   VMware ESX 4.0 without patches ESX400-201101405-SG,
   ESX400-201101404-SG, ESX400-201101402-SG

3. Problem Description

 a. Service Console update for glibc 

    The service console packages glibc, glibc-common, and nscd are each
    updated to version 2.5-34.4908.vmw.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the names CVE-2010-3847 and CVE-2010-3856 to the issues
    addressed in this update.

    Column 4 of the following table lists the action required to
    remediate the vulnerability in each release, if a solution is
    available.  

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    VirtualCenter  any       Windows  not affected

    hosted *       any       any      not affected

    ESXi           any       ESXi     not applicable

    ESX            4.1       ESX      affected, patch pending
    ESX            4.0       ESX      ESX400-201101405-SG
    ESX            3.5       ESX      not applicable
    ESX            3.0.3     ESX      not applicable

  * Hosted products are VMware Workstation, Player, ACE, Server, Fusion.

 b. Service Console update for sudo

    The service console package sudo is updated to version
    1.7.2p1-8.el5_5.
   
    The Common Vulnerabilities and Exposures project (cve.mitre.org) 
    has assigned the name CVE-2010-2956 to the issue addressed in this
    update.

    Column 4 of the following table lists the action required to
    remediate the vulnerability in each release, if a solution is
    available.  

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    VirtualCenter  any       Windows  not affected

    hosted *       any       any      not affected

    ESXi           any       ESXi     not affected

    ESX            4.1       ESX      affected, patch pending
    ESX            4.0       ESX      ESX400-201101404-SG
    ESX            3.5       ESX      not applicable
    ESX            3.0.3     ESX      not applicable

  * hosted products are VMware Workstation, Player, ACE, Server, Fusion.

 c. Service Console update for openldap

    The service console package openldap is updated to version 
    2.3.43-12.el5_5.1.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the names CVE-2010-0211 and CVE-2010-0212 to the issues
    addressed in this update.

    Column 4 of the following table lists the action required to
    remediate the vulnerability in each release, if a solution is
    available.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    VirtualCenter  any       Windows  not affected

    hosted *       any       any      not affected

    ESXi           any       ESXi     not affected

    ESX            4.1       ESX      affected, patch pending
    ESX            4.0       ESX      ESX400-201101402-SG
    ESX            3.5       ESX      not applicable
    ESX            3.0.3     ESX      not applicable

  * hosted products are VMware Workstation, Player, ACE, Server, Fusion.

4. Solution

   Please review the patch/release notes for your product and version
   and verify the checksum of your downloaded file.

   ESX 4.0
   -------
   ESX400-201101001
   Download link: 
   https://hostupdate.vmware.com/software/VUM/OFFLINE/release-257-20101231-664659/ESX400-201101001.zip
   md5sum: f1d522b380692e0845eb0dda480ab890
   sha1sum: 906989af3ddacc41321d685c4afe0d740856f9d5
   http://kb.vmware.com/kb/1029426

   ESX400-201101001 contains the following security bulletins:
      ESX400-201101401-SG (COS kernel) | http://kb.vmware.com/kb/1029424
      ESX400-201101405-SG (glibc)      | http://kb.vmware.com/kb/1029881
      ESX400-201101404-SG (sudo)       | http://kb.vmware.com/kb/1029421
      ESX400-201101402-SG (openldap)   | http://kb.vmware.com/kb/1029423

   ESX400-201101401-SG is documented in VMSA-2010-0017.1.
 
   To install an individual bulletin use esxupdate with the -b option.

5. References

   CVE numbers 
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3847
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3856
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2956
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0211
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0212

------------------------------------------------------------------------

6. Change log

2011-01-04  VMSA-2011-0001
Initial security advisory in conjunction with the release of patches
for ESX 4.0 on 2011-01-04

-----------------------------------------------------------------------
7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

  * security-announce at lists.vmware.com
  * bugtraq at securityfocus.com
  * full-disclosure at lists.grok.org.uk

E-mail:  security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055

VMware Security Center
http://www.vmware.com/security

VMware Security Advisories
http://www.vmware.com/security/advisories

VMware security response policy
http://www.vmware.com/support/policies/security_response.html

General support life cycle policy
http://www.vmware.com/support/policies/eos.html

VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html

Copyright 2011 VMware Inc.  All rights reserved. 

Idi na vrh