VMSA-2013-0009: VMware vSphere, ESX and ESXi updates to third party libraries
VMSA-2013-0009.3
VMware vSphere, ESX and ESXi updates to third party libraries
VMware Security Advisory
CVE numbers:
--- OpenSSL (COS and userworld) ---
CVE-2013-0169, CVE-2013-0166
--- libxml2 (COS and userworld) ---
CVE-2013-0338
--- GnuTLS (COS) ---
CVE-2013-2116
--- Kernel (COS) ---
CVE-2013-0268, CVE-2013-0871
1. Summary
VMware has updated several third party libraries in vCenter Server, ESX and ESXi to address multiple security vulnerabilities.
2. Relevant Releases
VMware vCenter 5.1 without Update 2
VMware vCenter 5.0 without Update 3
VMware ESXi 5.1 without patch ESXi510-201401101
VMware ESXi 5.0 without Update 3
VMware ESXi 4.1 without patch ESXi410-201307001
VMware ESX 4.1 without patch ESX410-201307001
VMware ESXi 4.0 without patch ESXi400-201310001
VMware ESX 4.0 without patch ESX400-201310001
3. Problem Description
a. vCenter Server and ESX userworld update for OpenSSL library
The userworld OpenSSL library is updated to version openssl-0.9.8y to resolve multiple security issues.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2013-0169 and CVE-2013-0166 to these issues.
Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.
VMware Product | Product Version | Running on | Replace with / Apply Patch
b. Service Console (COS) update for OpenSSL library
The Service Console OpenSSL library is updated to version openssl-0.9.8e-26.el5_9.1 to resolve multiple security issues.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2013-0169 and CVE-2013-0166 to these issues.
Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.
VMware Product | Product Version | Running on | Replace with / Apply Patch
c. ESX Userworld and Service Console (COS) update for libxml2 library
The ESX Userworld and Service Console libxml2 library is updated to versions libxml2-2.6.26-2.1.21.el5_9.1 and libxml2-python-2.6.26-2.1.21.el5_9.1 to resolve a security issue.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-0338 to this issue.
Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.
VMware Product | Product Version | Running on | Replace with / Apply Patch
d. Service Console (COS) update for GnuTLS library
The ESX service console GnuTLS RPM is updated to version gnutls-1.4.1-10.el5_9.1 to resolve a security issue.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-2116 to this issue.
Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.
VMware Product | Product Version | Running on | Replace with / Apply Patch
e. ESX third party update for Service Console kernel
The ESX Service Console Operating System (COS) kernel is updated to kernel-2.6.18-348.3.1.el5 which addresses several security issues in the COS kernel.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2013-0268 and CVE-2013-0871 to these issues.
Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.
VMware Product | Product Version | Running on | Replace with / Apply Patch
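The fixed Service Console package versions in sections 3b to 3e can be checked against what a host actually has installed. The script below is an added example, not VMware's own tooling: it ports rpm's rpmvercmp() ordering to Python and compares the output of `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'` (collected on the COS and fed in from an admin workstation, since the COS Python is too old to run this) against the package list from the advisory. The sample rpm -qa lines are constructed; the script assumes the packages carry no epoch and that the newest installed kernel is the one booted, which `uname -r` must confirm separately.

```python
"""Audit ESX Service Console (COS) RPMs against the fixed versions in VMSA-2013-0009."""

# Fixed name-version-release strings as published in sections 3b-3e of the advisory.
# Assumption: none of these packages carries an epoch, so NVR comparison is enough.
FIXED_PACKAGES = [
    "openssl-0.9.8e-26.el5_9.1",
    "libxml2-2.6.26-2.1.21.el5_9.1",
    "libxml2-python-2.6.26-2.1.21.el5_9.1",
    "gnutls-1.4.1-10.el5_9.1",
    "kernel-2.6.18-348.3.1.el5",
]


def rpmvercmp(a, b):
    """Port of rpm's rpmvercmp(): 1 if a is newer than b, -1 if older, 0 if equal.

    Runs of digits compare numerically, runs of letters as ASCII strings, and a
    numeric segment beats an alphabetic one at the same position. '~' sorts
    before everything, including end of string (1.0~rc1 < 1.0). The newer '^'
    operator is not used by el5 packages and is left out.
    """
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Skip separators such as '.', '-' and '_' on both sides.
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        a_tilde = i < len(a) and a[i] == "~"
        b_tilde = j < len(b) and b[j] == "~"
        if a_tilde or b_tilde:
            if not a_tilde:
                return 1
            if not b_tilde:
                return -1
            i += 1
            j += 1
            continue
        if i >= len(a) or j >= len(b):
            break
        # Grab a run of digits or letters, according to what a starts with.
        isnum = a[i].isdigit()
        want = str.isdigit if isnum else str.isalpha
        ia, ja = i, j
        while i < len(a) and want(a[i]):
            i += 1
        while j < len(b) and want(b[j]):
            j += 1
        seg_a, seg_b = a[ia:i], b[ja:j]
        if not seg_b:
            return 1 if isnum else -1  # type mismatch: numeric is newer
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def split_nvr(pkg):
    """Split 'name-version-release' from the right; names may contain '-'."""
    name, version, release = pkg.rsplit("-", 2)
    return name, version, release


def compare_nvr(installed, fixed):
    """Order two NVRs of the same package: version first, then release."""
    _, iv, ir = split_nvr(installed)
    _, fv, fr = split_nvr(fixed)
    return rpmvercmp(iv, fv) or rpmvercmp(ir, fr)


def audit(rpm_qa_output):
    """Map each advisory package to OK, VULNERABLE or MISSING.

    Input is the text of: rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\\n'
    """
    newest = {}
    for line in rpm_qa_output.splitlines():
        line = line.strip()
        if not line:
            continue
        name = split_nvr(line)[0]
        # Several kernel packages may coexist; keep the newest installed one.
        if name not in newest or compare_nvr(line, newest[name]) > 0:
            newest[name] = line
    result = {}
    for fixed in FIXED_PACKAGES:
        name = split_nvr(fixed)[0]
        if name not in newest:
            result[name] = "MISSING"
        elif compare_nvr(newest[name], fixed) >= 0:
            result[name] = "OK"
        else:
            result[name] = "VULNERABLE"
    return result


# Constructed sample of rpm -qa output from a partially patched ESX 4.1 COS.
SAMPLE_RPM_QA = """\
openssl-0.9.8e-22.el5_8.4
libxml2-2.6.26-2.1.21.el5_9.1
gnutls-1.4.1-7.el5_8.2
kernel-2.6.18-308.el5
kernel-2.6.18-348.3.1.el5
"""

if __name__ == "__main__":
    for name, status in sorted(audit(SAMPLE_RPM_QA).items()):
        print(f"{name:15s} {status}")
```

A package that is MISSING is not necessarily safe: libxml2-python is absent from the sample because the host never had it installed, which is only fine if nothing on the COS needs it. A kernel reported OK still requires a reboot into that kernel before CVE-2013-0268 and CVE-2013-0871 are actually closed.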
4. Solution
Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.
vCenter Server 5.1 Update 2
---------------------------
The download for vCenter Server includes vSphere Update Manager, vSphere Client and vCenter Orchestrator.
Download link:
https://downloads.vmware.com/d/info/datacenter_cloud_infrastructure/vmware_vsphere/5_1
Release Notes:
https://www.vmware.com/support/pubs/vsphere-esxi-vcenter-server-pubs.html
vCenter Server 5.0 Update 3
---------------------------
The download for vCenter Server includes vSphere Update Manager, vSphere Client and vCenter Orchestrator.
Download link:
https://downloads.vmware.com/d/info/datacenter_cloud_infrastructure/vmware_vsphere/5_0
Release Notes:
https://www.vmware.com/support/pubs/vsphere-esxi-vcenter-server-pubs.html
ESXi and ESX
------------------
http://downloads.vmware.com/go/selfsupport-download
ESXi 5.1
------------------
File: update-from-esxi5.1-5.1_update02.zip
md5sum: 462cb98dc011804d3bad85f54f6b8133
sha1sum: 0352bf0adc78ceead74c7ace256ed87705e64703
http://kb.vmware.com/kb/2062314
update-from-esxi5.1-5.1_update02 contains ESXi510-201401101-SG
ESXi 5.0
------------------
File: update-from-esxi5.0-5.0_update03.zip
md5sum: 7e6185fa3238a4895613b39e57a2a94b
sha1sum: aa3929d2c8183aeaecdc238cbbf4d270bd70dd07
http://kb.vmware.com/kb/2055559
ESXi 4.1
------------------
File: ESXi410-201307001.zip
md5sum: b171ea162cd753782483fa64196e8152
sha1sum: f2f19db06864a05eb4fdfea57626576f2836e718
http://kb.vmware.com/kb/2053396
ESX 4.1
------------------
File: ESX410-201307001.ZIP
md5sum: 60f15f96454b953f7747486a6a261e4f
sha1sum: 8e494b450f539ed65729205333dc3598d6ba87f8
http://kb.vmware.com/kb/2053393
ESXi 4.0
------------------
File: ESXi400-201310001.zip
md5sum: 3075bce1b19a52b053a5dc18d06d40e0
sha1sum: 19952da0dd9f81ea299cb8ae6c462f11566b56e0
http://kb.vmware.com/kb/2059496
ESX 4.0
------------------
File: ESX400-201310001.zip
md5sum: 9d47cf815ed142a17f97002379b5e386
sha1sum: 91082ec4263333f9b996883cb53dbe9aab7a88b5
http://kb.vmware.com/kb/2059490
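The checksum step from the start of this section, written out as an added example rather than VMware's own tooling: the script embeds the md5sum and sha1sum pairs listed above and accepts a bundle only when both digests match, failing closed on any file name the advisory does not list. MD5 and SHA-1 are both collision-weak, so these digests catch truncated or corrupted downloads and confirm you hold the exact file the advisory describes; they are only as trustworthy as your copy of the advisory, which is why the PGP key in section 7 matters. The verify_bytes helper is there so the logic can be exercised on constructed input without the real bundles.

```python
"""Verify a downloaded VMSA-2013-0009 patch bundle against the published checksums."""
import hashlib
import hmac
import io
import os
import sys

# File name -> (md5sum, sha1sum) exactly as published in section 4 of the advisory.
PUBLISHED = {
    "update-from-esxi5.1-5.1_update02.zip": (
        "462cb98dc011804d3bad85f54f6b8133", "0352bf0adc78ceead74c7ace256ed87705e64703"),
    "update-from-esxi5.0-5.0_update03.zip": (
        "7e6185fa3238a4895613b39e57a2a94b", "aa3929d2c8183aeaecdc238cbbf4d270bd70dd07"),
    "ESXi410-201307001.zip": (
        "b171ea162cd753782483fa64196e8152", "f2f19db06864a05eb4fdfea57626576f2836e718"),
    "ESX410-201307001.ZIP": (
        "60f15f96454b953f7747486a6a261e4f", "8e494b450f539ed65729205333dc3598d6ba87f8"),
    "ESXi400-201310001.zip": (
        "3075bce1b19a52b053a5dc18d06d40e0", "19952da0dd9f81ea299cb8ae6c462f11566b56e0"),
    "ESX400-201310001.zip": (
        "9d47cf815ed142a17f97002379b5e386", "91082ec4263333f9b996883cb53dbe9aab7a88b5"),
}


def digests(stream, chunk_size=1 << 20):
    """Return (md5, sha1) hex digests of a binary stream, read in 1 MiB chunks
    so a multi-hundred-megabyte bundle is never loaded into memory at once."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        md5.update(chunk)
        sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def lookup(filename):
    """Return the advisory's key for a file name, or None if it is not listed.
    The ESX 4.1 bundle is published with an upper-case .ZIP, so match
    case-insensitively on the base name only."""
    wanted = os.path.basename(filename).lower()
    for name in PUBLISHED:
        if name.lower() == wanted:
            return name
    return None


def both_match(actual, expected):
    """Require md5 AND sha1 to agree with the published pair."""
    return all(hmac.compare_digest(a.lower(), e.lower())
               for a, e in zip(actual, expected))


def verify_bytes(data, expected_md5, expected_sha1):
    """Check an in-memory blob against an expected digest pair."""
    return both_match(digests(io.BytesIO(data)), (expected_md5, expected_sha1))


def verify_file(path):
    """True only if the file is a listed bundle and both digests match;
    raises on an unlisted name rather than silently returning False."""
    name = lookup(path)
    if name is None:
        raise KeyError(f"{os.path.basename(path)} is not a bundle listed in VMSA-2013-0009")
    with open(path, "rb") as f:
        return both_match(digests(f), PUBLISHED[name])


if __name__ == "__main__":
    # Usage: python verify_bundle.py /path/to/update-from-esxi5.1-5.1_update02.zip ...
    for bundle in sys.argv[1:]:
        ok = verify_file(bundle)
        print(f"{'OK  ' if ok else 'FAIL'} {bundle}")
        if not ok:
            sys.exit(1)
```

Run it before copying the bundle to a datastore; a FAIL exit status is meant to stop a scripted rollout. Keep the bundle names as downloaded, since the lookup is by file name and a renamed file is treated as unlisted.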
5. References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0166
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0169
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0338
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2116
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0871
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0268
6. Change log
2013-07-31 VMSA-2013-0009
Initial security advisory in conjunction with the release of ESX 4.1 patches on 2013-07-31.
2013-10-17 VMSA-2013-0009.1
Updated security advisory in conjunction with the release of vCenter Server 5.0 Update 3 and ESXi 5.0 Update 3 on 2013-10-17
2013-10-24 VMSA-2013-0009.2
Updated security advisory in conjunction with the release of ESX 4.0 patches on 2013-10-24
2014-01-16 VMSA-2013-0009.3
Updated security advisory in conjunction with the release of vSphere 5.1 Update 2 on 2014-01-16
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
- security-announce at lists.vmware.com
- bugtraq at securityfocus.com
- full-disclosure at lists.grok.org.uk
PGP key at: http://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
VMware security response policy
http://www.vmware.com/support/policies/security_response.html
General support life cycle policy
http://www.vmware.com/support/policies/eos.html
VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html
Copyright 2013 VMware Inc. All rights reserved.