Support Content Notification - Support Portal

VMSA-2009-0003:ESX 2.5.5 patch 12 updates service console packag ed

Product/Component

VMware

0 more products

Notification Id

23397

Last Updated

18 February 2009

Initial Publication Date

18 February 2009

Status

CLOSED

Severity

HIGH

CVSS Base Score

WorkAround

Affected CVE

CVE-2008-3916

VMSA-2009-0003

ESX 2.5.5 patch 12 updates service console packag ed

VMware Security Advisory

VMware Security Advisory Advisory ID:

VMSA-2009-0003

VMware Security Advisory Synopsis:

ESX 2.5.5 patch 12 updates service console packag ed

VMware Security Advisory Issue date:

2009-01-26

VMware Security Advisory Updated on:

2009-01-26 (initial release of advisory)

VMware Security Advisory CVE numbers:

CVE-2008-3916

1. Summary

ESX 2.5.5 patch 12 Build 142708 updates service console package ed

2. Relevant releases

VMware ESX 2.5.5 before patch 12
Extended support for ESX 2.5.5 ends on 2010-06-15. Users should plan to upgrade to ESX 3.0.3

3. Problem Description

a. Updated ESX patch updates Service Console package "ed"
If the VMDK delta disk of a snapshot is corrupt, an ESX host might crash when the corrupted disk is loaded. VMDK delta files exist for virtual machines with one or more snapshots. This change ensures that a corrupt VMDK delta file cannot be used to crash ESX hosts.

"ed" is a line-oriented text editor, used to create, display, and modify text files (both interactively and via shell scripts).
A heap-based buffer overflow was discovered in the way "ed", the GNU line editor, processed long file names. An attacker could create a file with a specially-crafted name that could possibly execute an arbitrary code when opened in the "ed" editor.

The Common Vulnerabilities and Exposures project ( cve.mitre.org) has assigned the name CVE-2008-3916 to this issue.

The following table lists what action remediates the vulnerability (column 4) if a solution is available.

VMware Product =============

Product Version =======

Running on =======

Replace with/ Apply Patch =================

VMware Product ============= VirtualCente

Product Version ======= any

Running on ======= Windows

Replace with/ Apply Patch ================= not affected

VMware Product ============= hosted*

Product Version ======= any

Running on ======= any

Replace with/ Apply Patch ================= not affected

VMware Product ============= ESXi

Product Version ======= 3.5

Running on ======= ESXi

Replace with/ Apply Patch ================= not affected

VMware Product ============= ESX

Product Version ======= 3.5

Running on ======= ESX

Replace with/ Apply Patch ================= ESX350-200901401-SG

VMware Product ============= ESX

Product Version ======= 3.0.3

Running on ======= ESX

Replace with/ Apply Patch ================= not affected

VMware Product ============= ESX

Product Version ======= 3.0.2

Running on ======= ESX

Replace with/ Apply Patch ================= not affected

VMware Product ============= ESX

Product Version ======= 2.5.5

Running on ======= ESX

Replace with/ Apply Patch ================= Upgrade Patch 12

* hosted products are VMware Workstation, Player, ACE, Server, Fusion.

4. Solution

Please review the patch/release notes for your product and version and verify the md5sum of your downloaded file.

ESX 2.5.5 Upgrade Patch 12 Build 142709
www.vmware.com/support/esx25/doc/esx-255-142709-patch.html
http://download3.vmware.com/software/esx/esx-2.5.5-142709-upgrade.tar.gz
md5sum: 2a0bd5cc3591b1f6b04616fa2c97f78c

5. References

CVE numbers

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3916

6. Change Log

2009-02-20 VMSA-2009-0003 Initial security advisory after release of patch 12 for ESX 2.5.5 on 2009-02-20.

7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

security-announce at lists.vmware.com
bugtraq at securityfocus.com
full-disclosure at lists.grok.org.uk

E-mail: security at vmware.com
PGP key at:
http://kb.vmware.com/kb/1055

VMware Security Advisories
http://www.vmware.com/security/advisories

VMware security response policy
http://www.vmware.com/support/policies/security_response.html

General support life cycle policy
http://www.vmware.com/support/policies/eos.html

VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html

Copyright 2011 VMware Inc. All rights reserved.