
VMware advisories/updates


181 replies to this topic

#91 AplusWebMaster


Posted 01 February 2013 - 04:35 AM

FYI...

VMSA-2013-0001 VMware vSphere security updates... third party libraries
- https://www.vmware.c...-2013-0001.html
2013-01-31
CVE numbers: vSphere authentication CVE-2013-1405
- libxml2 CVE-2011-3102, CVE-2012-2807
- bind (service console) CVE-2012-4244
- xslt (service console) CVE-2011-1202, CVE-2011-3970, CVE-2012-2825, CVE-2012-2870, CVE-2012-2871
Summary: VMware vSphere security updates for the authentication service and third party libraries
Relevant releases:
vCenter Server 4.1 without Update 3a
vSphere Client 4.1 without Update 3a
ESXi 4.1 without patch ESXi410-201301401-SG
ESX 4.1 without patches ESX410-201301401-SG, ESX410-201301402-SG,
ESX410-201301403-SG, and ESX410-201301405-SG
Problem Description: VMware vSphere client-side authentication memory corruption vulnerability...
Download link:
https://downloads.vm...are_vsphere/4_1
Release Notes:
https://www.vmware.c..._rel_notes.html ...

:ph34r:

Edited by AplusWebMaster, 01 February 2013 - 04:36 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#92 AplusWebMaster


Posted 08 February 2013 - 05:32 AM

FYI...

VMSA-2013-0002 Workstation, Fusion, and View 'VMCI.SYS' Driver Flaw...
- http://www.securityt....com/id/1028100
CVE Reference: CVE-2013-1406
Feb 8 2013
Impact: Root access via local system, User access via local system
Fix Available: Yes Vendor Confirmed: Yes
Version(s): Workstation 8.x prior to 8.0.5, Workstation 9.0; Fusion 4.x prior to 4.1.4 and 5.x prior to 5.0.2; View 4.x prior to 4.6.2, 5.x prior to 5.1.2 ...
Solution: The vendor has issued a fix (Workstation 8.0.5, 9.0.1; Fusion 4.1.4, 5.0.2; View 4.6.2, 5.1.2).

VMSA-2013-0002 ESX/ESXi 'VMCI.SYS' Driver Flaw...
- http://www.securityt....com/id/1028101
CVE Reference: CVE-2013-1406
Feb 8 2013
Impact: Root access via local system, User access via local system
Fix Available: Yes Vendor Confirmed: Yes
Version(s): ESX/ESXi 4.0, 4.1, ESXi 5.0, 5.1
Solution: The vendor has issued a fix.
ESXi 5.1: ESXi510-201212102-SG, ESXi 5.0: ESXi500-201212102-SG, ESXi 4.1: ESXi410-201211402-BG, ESXi 4.0: ESXi400-201302402-SG. ESX 4.1: ESX410-201211401-SG, ESX 4.0: ESX400-201302401-SG
...The vendor's advisory is available at:
- http://www.vmware.co...-2013-0002.html

VMSA-2013-0001.1
- https://www.vmware.c...-2013-0001.html
2013-02-07 VMSA-2013-0001.1
Updated security advisory to include vCenter 4.0 Update 4b and patches for ESX 4.0.

:ph34r: :ph34r:

Edited by AplusWebMaster, 08 February 2013 - 06:36 PM.



#93 AplusWebMaster


Posted 22 February 2013 - 05:00 AM

FYI...

VMSA-2013-0003 - VMware vCenter Server, ESXi and ESX security issues
- http://www.vmware.co...-2013-0003.html
2013-02-21
Summary: VMware has updated VMware vCenter Server, ESXi and ESX to address a vulnerability in the Network File Copy (NFC) Protocol. This update also addresses multiple security vulnerabilities in third party libraries used by VirtualCenter, ESX and ESXi...
References:
vSphere NFC - CVE-2013-1659
OpenSSL - CVE-2012-2110
JRE - http://www.oracle.co...012-366318.html ...
Change log:
2013-02-21 VMSA-2013-0003
Initial security advisory in conjunction with the release of VirtualCenter 2.5 U6c and ESX 3.5 patches on 2013-02-21...
___

- http://www.securityt....com/id/1028202

- http://www.securityt....com/id/1028200

- http://www.securityt....com/id/1028199
___

VMSA-2013-0001.2
- https://www.vmware.c...-2013-0001.html
2013-02-21 VMSA-2013-0001.2
Updated security advisory to include vCenter 2.5 Update U6c and patches for ESX 3.5 released on 2013-02-21.

VMSA-2012-0018.1
- https://www.vmware.c...-2012-0018.html
2013-02-21 VMSA-2012-0018.1
Updated security advisory to add section 3d, which documents CVE-2012-6326.

- http://h-online.com/-1808480
22 Feb 2013

:ph34r: :ph34r:

Edited by AplusWebMaster, 25 February 2013 - 04:10 AM.



#94 AplusWebMaster


Posted 29 March 2013 - 07:23 AM

FYI...

VMSA-2013-0004 - VMware ESXi security update for third party library
- https://secunia.com/advisories/52844/
Release Date: 2013-03-29
Criticality level: Highly critical
Impact: System access
Where: From remote ...
Operating System: VMware ESX Server 4.x, VMware ESXi 4.x, VMware ESXi 5.x
CVE Reference: https://web.nvd.nist...d=CVE-2012-5134 - 6.8
For more information see: https://secunia.com/SA48000/
... vulnerability is reported in ESXi versions 5.1, 5.0, 4.1, and 4.0 and ESX versions 4.1 and 4.0.
Solution: Apply patches if available.
Original Advisory: http://www.vmware.co...-2013-0004.html
2013-03-28 - "... ESXi userworld libxml2 library has been updated to resolve a security issue..."
- https://www.vmware.c...download.portal
___

VMSA-2013-0001.3
- https://www.vmware.c...-2013-0001.html
2013-03-28 VMSA-2013-0001.3
Updated security advisory for issue... due to ESXi 5.0 update released on 2013-03-28.

:ph34r:

Edited by AplusWebMaster, 29 March 2013 - 11:07 PM.



#95 AplusWebMaster


Posted 05 April 2013 - 04:50 AM

FYI...

VMSA-2013-0005 - VMware vFabric Postgres security updates
- https://secunia.com/advisories/52906/
Release Date: 2013-04-05
Impact: Security Bypass, Brute force, DoS
Where: From local network
CVE Reference(s): CVE-2013-1899, CVE-2013-1900, CVE-2013-1901
For more information: https://secunia.com/SA52837/
... vulnerabilities are reported in versions 9.2.2 and prior and versions 9.1.6 and prior.
Solution: Update to version 9.2.4 or 9.1.9.
Original Advisory:
- http://www.vmware.co...-2013-0005.html
2013-04-04
CVE numbers: CVE-2013-1899, CVE-2013-1900, CVE-2013-1901
Summary: VMware vFabric Postgres releases address several security vulnerabilities
Relevant Releases:
VMware vFabric Postgres 9.2.2 and earlier
VMware vFabric Postgres 9.1.6 and earlier...
The most serious of these issues, CVE-2013-1899, allows for remote deletion of files from the vFabric Postgres data directory. In case vFabric Postgres is not listening for external incoming traffic the issue cannot be exploited remotely.
Mitigation: Disallowing incoming external traffic will mitigate the issue for CVE-2013-1899. Details can be found in http://www.postgresq...connection.html ...

Release notes:
vFabric Postgres 9.2.4 | 4 Apr 2013
https://www.vmware.c...ease-notes.html
vFabric Postgres 9.1.9 | 4 Apr 2013
https://www.vmware.c...ease-notes.html

- https://blogs.vmware...c-postgres.html

- http://www.postgresq...bout/news/1456/
2013-04-04

:ph34r:



#96 AplusWebMaster


Posted 26 April 2013 - 04:35 AM

FYI...

VMSA-2013-0006 VMware security updates ...
- https://www.vmware.c...-2013-0006.html
2013-04-25
Summary: VMware has updated vCenter Server Appliance (vCSA) and vCenter Server running on Windows to address multiple security vulnerabilities.
Relevant Releases: vCenter Server 5.1 without Update 1 ...
CVE numbers: CVE-2013-3107, CVE-2013-3079, CVE-2013-3080
--- tomcat ---
CVE-2012-5885, CVE-2012-5886, CVE-2012-5887, CVE-2012-2733,
CVE-2012-4534, CVE-2012-3546, CVE-2012-4431
--- JRE --- See references ...
Change log: 2013-04-25 VMSA-2013-0006
Initial security advisory in conjunction with the release of VMware vSphere 5.1 Update 1 on 2013-04-25...
Download link:
https://downloads.vm...are_vsphere/5_1
Release Notes:
http://www.vmware.co...ease-notes.html

- https://secunia.com/advisories/53180/
Release Date: 2013-04-26
Criticality level: Highly critical
Impact: Security Bypass, Manipulation of data, Exposure of sensitive information, DoS, System access
Where: From remote...
For more information:
https://secunia.com/SA50949/
https://secunia.com/SA51138/
https://secunia.com/SA51425/
Solution: Update to version 5.1 Update 1...

- https://secunia.com/advisories/53218/
Release Date: 2013-04-26
Criticality level: Highly critical
Impact: Security Bypass, Manipulation of data, Exposure of sensitive information, DoS, System access
Where: From remote...
... vulnerabilities are caused due to a bundled vulnerable version of Java.
For more information: https://secunia.com/SA50949/
The vulnerabilities are reported in the following products and versions:
* vCenter Server version 5.0
* vCenter Server version 4.1
* Update Manager version 5.1
* Update Manager version 5.0
* ESX version 4.1
Solution: Apply patch if available...

:ph34r: :ph34r:

Edited by AplusWebMaster, 26 April 2013 - 10:00 AM.



#97 AplusWebMaster


Posted 31 May 2013 - 05:34 AM

FYI...

VMSA-2013-0007 - VMware ESX third party update for Service Console package sudo
- https://www.vmware.c...-2013-0007.html
2013-05-30
CVE numbers:
- https://web.nvd.nist...d=CVE-2012-2337 - 7.2 (HIGH)
- https://web.nvd.nist...d=CVE-2012-3440 - 5.6
ESXi and ESX
- https://www.vmware.c...download.portal
ESX 4.0
File: ESX400-201305001.zip
md5sum: c9ac91d3d803c7b7cb9df401c20b91c0
sha1sum: 7f5cef274c709248daa56d8c0e6fcc1ba86ae411
- https://kb.vmware.com/kb/2044240
ESX400-201305001 contains ESX400-201305402-SG ...

- https://secunia.com/advisories/53663/
Release Date: 2013-05-31
Impact: Security Bypass, Manipulation of data
Where: From local network...
For more information:
- https://secunia.com/SA49219/
- https://secunia.com/SA50178/
The security issue and the vulnerability are reported in versions 4.0 and 4.1.
Original Advisory: http://www.vmware.co...-2013-0007.html
___

VMSA-2013-0001.5
- https://www.vmware.c...-2013-0001.html
Change log: VMSA-2013-0001.5
Updated security advisory in conjunction with the release of ESX 4.0 patches on 2013-05-30.

VMSA-2013-0004.3
- https://www.vmware.c...-2013-0004.html
Change log: VMSA-2013-0004.3
Updated security advisory in conjunction with the release of ESX 4.0 patch on 2013-05-30

:ph34r:

Edited by AplusWebMaster, 01 June 2013 - 12:37 PM.



#98 AplusWebMaster


Posted 11 June 2013 - 12:52 PM

FYI...

VMSA-2013-0008 - VMware vCenter Chargeback Manager Remote Code Execution
- https://www.vmware.c...-2013-0008.html
2013-06-11 (initial advisory)
CVE numbers: https://web.nvd.nist...d=CVE-2013-3520 - 7.5 (HIGH)
Summary: The vCenter Chargeback Manager contains a critical vulnerability that allows for remote code execution...
Download link:
https://downloads.vm..._chargeback/2_5
Release Notes:
https://www.vmware.c...ease_notes.html
___

- http://www.securityt....com/id/1028653
CVE Reference: CVE-2013-3520
Jun 11 2013
Impact: Execution of arbitrary code via network, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): Chargeback Manager prior to 2.5.1...
Vendor URL: https://www.vmware.c...-2013-0008.html

:ph34r: :ph34r:

Edited by AplusWebMaster, 21 June 2013 - 09:29 AM.



#99 AplusWebMaster


Posted 01 August 2013 - 11:23 AM

FYI...

VMware VMSA-2013-0009 - VMware ESX and ESXi updates to third party libraries
- http://www.vmware.co...-2013-0009.html
2013-07-31
CVE numbers:
--- OpenSSL ---
CVE-2013-0169, CVE-2013-0166
--- libxml2 (COS and userworld) ---
CVE-2013-0338
--- GnuTLS (COS) ---
CVE-2013-2116
--- Kernel (COS) ---
CVE-2013-0268, CVE-2013-0871
Summary: VMware has updated several third party libraries in ESX and ESXi to address multiple security vulnerabilities.
Relevant Releases:
VMware ESXi 4.1 without patch ESXi410-201307001
VMware ESX 4.1 without patch ESX410-201307001...
- https://secunia.com/advisories/54339
Release Date: 2013-08-01
- https://secunia.com/advisories/54345
Release Date: 2013-08-01

:ph34r: :ph34r:



#100 AplusWebMaster


Posted 23 August 2013 - 04:25 AM

FYI...

VMSA-2013-0010 - VMware Workstation host privilege escalation vuln
- http://www.vmware.co...-2013-0010.html
Issue date: 2013-08-22
CVE numbers: CVE-2013-1662
Summary: VMware Workstation addresses a vulnerability in the vmware-mount component which could result in a privilege escalation on linux-based host machines.
Relevant releases:
VMware Workstation 9.x, 8.x
VMware Player 5.x, 4.x...
- https://www.vmware.c...loadworkstation

- https://secunia.com/advisories/54580/
Release Date: 2013-08-23
Where: Local system
Impact: Privilege escalation
... vulnerability affects only installations running on Debian-based Linux platforms.
Original Advisory: VMware (VMSA-2013-0010):
http://www.vmware.co...-2013-0010.html

:ph34r:



#101 AplusWebMaster


Posted 30 August 2013 - 05:47 AM

FYI...

VMSA-2013-0011 - VMware ESXi and ESX address an NFC Protocol Unhandled Exception
- http://www.vmware.co...-2013-0011.html
2013-08-29
Synopsis: VMware ESXi and ESX address an NFC Protocol Unhandled Exception
CVE numbers: CVE-2013-1661
"Summary: VMware has updated VMware ESXi and ESX to address a vulnerability in an unhandled exception in the NFC protocol handler..."
- https://www.vmware.c...download.portal

- http://www.securityt....com/id/1028966
CVE Reference: CVE-2013-1661
Aug 30 2013
Impact: Denial of service via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): ESX/ESXi 4.0, 4.1, ESXi 5.0, 5.1
Impact: A remote user can cause denial of service conditions.
Solution: The vendor has issued a fix...

- https://secunia.com/advisories/54614/
Release Date: 2013-08-30
Where: From local network
Impact: DoS
Solution Status: Vendor Patch
Operating System: VMware ESX Server 4.x, VMware ESXi 4.x, VMware ESXi 5.x
CVE Reference: CVE-2013-1661
... weakness is reported in VMware ESXi versions 4.0, 4.1, 5.0, and 5.1 and VMware ESX versions 4.0 and 4.1.
Solution: Apply patches.
Original Advisory: VMware (VMSA-2013-0011)...

- https://isc.sans.edu...l?storyid=16472
Last Updated: 2013-08-30 11:48:31

:ph34r:

Edited by AplusWebMaster, 06 October 2013 - 12:59 PM.



#102 AplusWebMaster


Posted 18 October 2013 - 05:51 AM

FYI...

VMSA-2013-0012 - VMware vSphere updates address multiple vulnerabilities
- http://www.vmware.co...-2013-0012.html
2013-10-17 - "Summary: VMware has updated vCenter Server, vCenter Server Appliance (vCSA),
vSphere Update Manager (VUM), ESXi and ESX to address multiple security vulnerabilities..."
CVE numbers: CVE-2013-5970, CVE-2013-5971

- https://secunia.com/advisories/55226/
Release Date: 2013-10-18
Criticality: Highly Critical
Where: From remote
Impact: Security Bypass, Spoofing, Manipulation of data, Exposure of sensitive information, Privilege escalation, DoS, System access...
... vulnerabilities are caused due to a bundled vulnerable version of Java.
For more information: https://secunia.com/SA53846/
The vulnerabilities are reported in the following products and versions:
* vCenter Server versions 4.1, 5.0, and 5.1
* Update Manager versions 5.0 and 5.1
* ESX version 4.1
Original Advisory: http://www.vmware.co...-2013-0012.html
___

VMSA-2013-0006.1 - VMware security updates for vCenter Server
- http://www.vmware.co...-2013-0006.html
Updated on: 2013-10-17 - "Summary: VMware has updated vCenter Server Appliance (vCSA) and vCenter Server running on Windows to address multiple security vulnerabilities..."
CVE numbers:
CVE-2013-3107, CVE-2013-3079, CVE-2013-3080
--- tomcat ---
CVE-2012-5885, CVE-2012-5886, CVE-2012-5887, CVE-2012-2733,
CVE-2012-4534, CVE-2012-3546, CVE-2012-4431
--- JRE ---

VMSA-2013-0009.1 - VMware vSphere, ESX and ESXi updates to third party libraries
- http://www.vmware.co...-2013-0009.html
Updated on: 2013-10-17 - "Summary: VMware has updated several third party libraries in vCenter Server, ESX and ESXi to address multiple security vulnerabilities..."
CVE numbers:
--- OpenSSL ---
CVE-2013-0169, CVE-2013-0166
--- libxml2 (COS and userworld) ---
CVE-2013-0338
--- GnuTLS (COS) ---
CVE-2013-2116
--- Kernel (COS) ---
CVE-2013-0268, CVE-2013-0871
___

- https://isc.sans.edu...l?storyid=16847
Last Updated: 2013-10-18 10:41:39 UTC

:ph34r: :ph34r:

Edited by AplusWebMaster, 18 October 2013 - 02:56 PM.



#103 AplusWebMaster


Posted 15 November 2013 - 05:48 AM

FYI...

VMSA-2013-0013 - VMware Workstation host privilege escalation vuln
- http://www.vmware.co...-2013-0013.html
2013-11-14
CVE-2013-5972
1. Summary: VMware has updated VMware Workstation and VMware Player to address a
vulnerability that could result in an escalation of privilege on Linux-based host machines.
2. Relevant releases: VMware Workstation for Linux 9.x prior to version 9.0.3 VMware Player for Linux 5.x prior to version 5.0.3...

- http://www.securityt....com/id/1029350
CVE Reference: CVE-2013-5972
Nov 15 2013
Impact: Root access via local system
Fix Available: Yes Vendor Confirmed: Yes
Version(s): Workstation for Linux 9.x prior to 9.0.3; Player for Linux 5.x prior to 5.0.3...
Solution: The vendor has issued a fix (5.0.3, 9.0.3)...
 

:ph34r:




#104 AplusWebMaster


Posted 04 December 2013 - 04:11 AM

FYI...

VMSA-2013-0014 - VMware Workstation, Fusion, ESXi and ESX patches
- http://www.vmware.co...-2013-0014.html
2013-12-03
CVE number: https://web.nvd.nist...d=CVE-2013-3519 - 6.9
Summary: VMware Workstation, Fusion, ESXi and ESX patches address a vulnerability in the LGTOSYNC.SYS driver which could result in a privilege escalation on older Windows-based Guest Operating Systems.
Relevant releases:
VMware Workstation 9.x prior to version 9.0.3
VMware Player 5.x prior to version 5.0.3
VMware Fusion 5.x prior to version 5.0.4
VMware ESXi 5.1 without patch ESXi510-201304102
VMware ESXi 5.0 without patch ESXi500-201303102
VMware ESXi 4.1 without patch ESXi410-201301402
VMware ESXi 4.0 without patch ESXi400-201305401
VMware ESX 4.1 without patch ESX410-201301401
VMware ESX 4.0 without patch ESX400-201305401 ...

- http://www.securityt....com/id/1029430
CVE-2013-3519
Dec 4 2013
Impact: Root access via local system
Fix Available: Yes Vendor Confirmed: Yes
Version(s): Workstation 9.x, Fusion 5.x ...
Solution: The vendor has issued a fix (Workstation 9.0.3, Fusion 5.0.3 on Windows, Fusion 5.0.4 on OS X)...

- http://www.securityt....com/id/1029429
CVE-2013-3519
Dec 4 2013
Impact: Root access via local system
Fix Available: Yes Vendor Confirmed: Yes
Version(s): ESX/ESXi 4.0, 4.1, ESXi 5.0, 5.1 ...
 

:ph34r: :ph34r:


Edited by AplusWebMaster, 04 December 2013 - 10:11 PM.



#105 AplusWebMaster


Posted 06 December 2013 - 12:02 PM

FYI...

VMSA-2013-0015 - VMware ESX updates to third party libraries
- http://www.vmware.co...-2013-0015.html
2013-12-05
CVE numbers:
--- kernel (service console) ---
CVE-2012-2372, CVE-2012-3552, CVE-2013-2147, CVE-2013-2164, CVE-2013-2206, CVE-2013-2224, CVE-2013-2234, CVE-2013-2237, CVE-2013-2232
--- nss and nspr (service console) ---
CVE-2013-0791, CVE-2013-1620
Summary: VMware has updated several third party libraries in ESX that address multiple security vulnerabilities.
Relevant releases: VMware ESX 4.1 without patch ESX410-201312001
Problem Description: Update to ESX service console kernel
The ESX service console kernel is updated to resolve multiple security issues.
- Update to ESX service console NSPR and NSS
This patch updates the ESX service console Netscape Portable Runtime (NSPR) and Network Security Services (NSS) RPMs to resolve multiple security issues...

- http://kb.vmware.com...ernalId=2061209
Dec 05, 2013
 

:ph34r: :ph34r:

