NEW VMSA-2013-0015 VMware ESX updates to thirdparty libraries

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

              VMware Security Advisory

Advisory ID:  VMSA-2013-0015
Synopsis:     VMware ESX updates to third party libraries
Issue date:   2013-12-05
Updated on:   2013-12-05 (initial release)
CVE numbers:  --- kernel (service console) ---
              CVE-2012-2372, CVE-2012-3552, CVE-2013-2147, CVE-2013-2164,
              CVE-2013-2206, CVE-2013-2224, CVE-2013-2234, CVE-2013-2237,
              CVE-2013-2232
              --- nss and nspr (service console) ---
              CVE-2013-0791, CVE-2013-1620
- -------------------------------------------------------------------------
1. Summary

   VMware has updated several third party libraries in ESX that address 
   multiple security vulnerabilities.

2. Relevant releases

   VMware ESX 4.1 without patch ESX410-201312001

3. Problem Description

      a. Update to ESX service console kernel

      The ESX service console kernel is updated to resolve multiple
      security issues.

      The Common Vulnerabilities and Exposures project (cve.mitre.org)
      has assigned the names CVE-2012-2372, CVE-2012-3552, CVE-2013-2147,
      CVE-2013-2164, CVE-2013-2206, CVE-2013-2224, CVE-2013-2234, 
      CVE-2013-2237, CVE-2013-2232 to these issues.

        VMware          Product   Running  Replace with/
        Product         Version   on       Apply Patch
        ==============  ========  =======  =================
        ESXi            any       ESXi     not applicable

        ESX             4.1       ESX      ESX410-201312401-SG
        ESX             4.0       ESX      patch pending 

      b. Update to ESX service console NSPR and NSS

      This patch updates the ESX service console Netscape Portable 
      Runtime (NSPR) and Network Security Services (NSS) RPMs to resolve
      multiple security issues. 

      The Common Vulnerabilities and Exposures project (cve.mitre.org)
      has assigned the names CVE-2013-0791 and CVE-2013-1620 to these 
      issues.

      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is
      available.

        VMware          Product   Running  Replace with/
        Product         Version   on       Apply Patch
        ==============  ========  =======  =================
        ESXi            any       ESXi     not applicable

        ESX             4.1       ESX      ESX410-201312403-SG
        ESX             4.0       ESX      patch pending 

4. Solution

   Please review the patch/release notes for your product and
   version and verify the checksum of your downloaded file.

   ESX 4.1
   -------
   File: ESX410-201312001.zip
   md5sum: c35763a84db169dd0285442d4129cc18
   sha1sum: ee8e1b8d2d383422ff0dde04749c5d89e77d8e40
   http://kb.vmware.com/kb/2061209
   ESX410-201312001 contains ESX410-201312401-SG and ESX410-201312403-SG.

5. References

   --- kernel (service console) ---
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2372
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3552
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2147
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2164
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2206
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2224
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2234
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2237
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2232

   --- NSPR and NSS (service console) ---
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0791
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1620

- -------------------------------------------------------------------------

6. Change log

   2013-12-05 VMSA-2013-0015
   Initial security advisory in conjunction with the release of ESX 4.1
   patches on 2013-12-05.

- -------------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

   * security-announce at lists.vmware.com
   * bugtraq at securityfocus.com
   * full-disclosure at lists.grok.org.uk

   E-mail: security at vmware.com
   PGP key at: http://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   VMware security response policy
   http://www.vmware.com/support/policies/security_response.html

   General support life cycle policy
   http://www.vmware.com/support/policies/eos.html

   VMware Infrastructure support life cycle policy
   http://www.vmware.com/support/policies/eos_vi.html

   Copyright 2013 VMware Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org

iEYEARECAAYFAlKhUEEACgkQDEcm8Vbi9kMhDACfV3FNa6tlAK39I+nriVr462NJ
TtwAnRcl4PAICCPknirkUT804VlueHwZ
=cimI
-----END PGP SIGNATURE-----

Leave a Reply