a. vCenter and ESX update to JRE 1.6.0 Update 31

   The Oracle (Sun) JRE is updated to version 1.6.0_31, which    addresses multiple security issues. Oracle has documented the    CVE identifiers that are addressed by this update in the Oracle    Java SE Critical Patch Update Advisory of February 2012.

b. vCenter Update Manager update to JRE 1.5.0 Update 36

   The Oracle (Sun) JRE is updated to 1.5.0_36 to address multiple    security issues.  Oracle has documented the CVE identifiers that    are addressed in JRE 1.5.0_36 in the Oracle Java SE Critical    Patch Update Advisory for June 2012.

c. Update to ESX/ESXi userworld OpenSSL library

   The ESX/ESXi userworld OpenSSL library is updated from version    0.9.8p to version 0.9.8t to resolve multiple security issues.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the names CVE-2010-4180, CVE-2010-4252,    CVE-2011-0014, CVE-2011-4108, CVE-2011-4109, CVE-2011-4576,    CVE-2011-4577, CVE-2011-4619, and CVE-2012-0050 to these issues.

d. Update to ESX service console OpenSSL RPM

   The service console OpenSSL RPM is updated to version    0.9.8e-22.el5_8.3 to resolve a security issue.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the name CVE-2012-2110 to this issue.

e. Update to ESX service console kernel

   The ESX service console kernel is updated to resolve multiple    security issues.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the names CVE-2011-1833, CVE-2011-2484,    CVE-2011-2496, CVE-2011-3188, CVE-2011-3209, CVE-2011-3363,    CVE-2011-4110, CVE-2011-1020, CVE-2011-4132, CVE-2011-4324,    CVE-2011-4325, CVE-2012-0207, CVE-2011-2699, and CVE-2012-1583    to these issues.

f. Update to ESX service console Perl RPM

   The ESX service console Perl RPM is updated to    perl-5.8.8.32.1.8999.vmw to resolve multiple security issues.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the names CVE-2010-2761, CVE-2010-4410, and    CVE-2011-3597 to these issues.

g. Update to ESX service console libxml2 RPMs

   The ESX service console libmxl2 RPMs are updated to    libxml2-2.6.26-2.1.15.el5_8.2 and    libxml2-python-2.6.26-2.1.15.el5_8.2 to resolve a security    issue.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the name CVE-2012-0841 to this issue.

h. Update to ESX service console glibc RPM

   The ESX service console glibc RPM is updated to version    glibc-2.5-81.el5_8.1 to resolve multiple security issues.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)   has assigned the names CVE-2009-5029, CVE-2009-5064,    CVE-2010-0830, CVE-2011-1089, CVE-2011-4609, and CVE-2012-0864    to these issue.

i. Update to ESX service console GnuTLS RPM

   The ESX service console GnuTLS RPM is updated to version    1.4.1-7.el5_8.2 to resolve multiple security issues.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the names CVE-2011-4128, CVE-2012-1569, and    CVE-2012-1573 to these issues.

j. Update to ESX service console popt, rpm, rpm-libs,    and rpm-python RPMS

   The ESX service console popt, rpm, rpm-libs, and rpm-python RPMS    are updated to the following versions to resolve multiple    security issues :
      - popt-1.10.2.3-28.el5_8
      - rpm-4.4.2.3-28.el5_8
      - rpm-libs-4.4.2.3-28.el5_8
      - rpm-python-4.4.2.3-28.el5_8

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the name CVE-2012-0060, CVE-2012-0061, and    CVE-2012-0815 to these issues.

k. Vulnerability in third-party Apache Struts component

   The version of Apache Struts in vCenter Operations has been    updated to 2.3.4 which addresses an arbitrary file overwrite    vulnerability. This vulnerability allows an attacker to create    a denial of service by overwriting arbitrary files without    authentication. The attacker would need to be on the same network    as the system where vCOps is installed.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has    assigned the name CVE-2012-0393 to this issue.

   Note: Apache struts 2.3.4 addresses the following issues as well :
   CVE-2011-5057, CVE-2012-0391, CVE-2012-0392, CVE-2012-0394. It    was found that these do not affect vCOps.

   VMware would like to thank Alexander Minozhenko from ERPScan for    reporting this issue to us.

The remote host is affected by the vulnerability described in GLSA-201110-01 (OpenSSL: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in OpenSSL. Please review       the CVE identifiers referenced below for details.
  Impact :

    A context-dependent attacker could cause a Denial of Service, possibly       execute arbitrary code, bypass intended key requirements, force the       downgrade to unintended ciphers, bypass the need for knowledge of shared       secrets and successfully authenticate, bypass CRL validation, or obtain       sensitive information in applications that use OpenSSL.
  Workaround :

    There is no known workaround at this time.

OpenSSL before 1.0.0c, when J-PAKE is enabled, does not properly validate the public parameters in the J-PAKE protocol, which allows remote attackers to bypass the need for knowledge of the shared secret, and successfully authenticate, by sending crafted values in each round of the protocol. (CVE-2010-4252)

New openssl packages are available for Slackware 11.0, 12.0, 12.1, 12.2, 13.0, 13.1, and -current to fix security issues.

The version of OpenSSL installed on the remote host is prior to 1.0.0c. It is, therefore, affected by multiple vulnerabilities as referenced in the 1.0.0c advisory.

  - OpenSSL before 1.0.0c, when J-PAKE is enabled, does not properly validate the public parameters in the     J-PAKE protocol, which allows remote attackers to bypass the need for knowledge of the shared secret, and     successfully authenticate, by sending crafted values in each round of the protocol. (CVE-2010-4252)

  - OpenSSL before 0.9.8q, and 1.0.x before 1.0.0c, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled,     does not properly prevent modification of the ciphersuite in the session cache, which allows remote     attackers to force the downgrade to an unintended cipher via vectors involving sniffing network traffic to     discover a session identifier. (CVE-2010-4180)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote VMware ESXi 5.0 host is affected by Multiple Vulnerabilities :

  - An integer overflow condition exists in the
    __tzfile_read() function in the glibc library. An     unauthenticated, remote attacker can exploit this, via     a crafted timezone (TZ) file, to cause a denial of     service or the execution of arbitrary code.
    (CVE-2009-5029)

  - ldd in the glibc library is affected by a privilege     escalation vulnerability due to the omission of certain     LD_TRACE_LOADED_OBJECTS checks in a crafted executable     file. Note that this vulnerability is disputed by the     library vendor. (CVE-2009-5064)

  - A remote code execution vulnerability exists in the     glibc library due to an integer signedness error in the     elf_get_dynamic_info() function when the '--verify'     option is used. A remote attacker can exploit this by     using a crafted ELF program with a negative value for a     certain d_tag structure member in the ELF header.
    (CVE-2010-0830)

  - A flaw exists in OpenSSL due to a failure to properly     prevent modification of the ciphersuite in the session     cache when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is     enabled. A remote attacker can exploit this to force a     downgrade to an unintended cipher by intercepting the     network traffic to discover a session identifier.
    (CVE-2010-4180)

  - A flaw exists in OpenSSL due to a failure to properly     validate the public parameters in the J-PAKE protocol     when J-PAKE is enabled. A remote attacker can exploit     this, by sending crafted values in each round of the     protocol, to bypass the need for knowledge of the shared     secret. (CVE-2010-4252)

  - A out-of-bounds memory error exists in OpenSSL that     allows a remote attacker to cause a denial of service or     possibly obtain sensitive information by using a     malformed ClientHello handshake message. This is also     known as the 'OCSP stapling vulnerability'.
    (CVE-2011-0014)

  - A flaw exists in the addmntent() function in the glibc     library due to a failure to report the error status for     failed attempts to write to the /etc/mtab file. A local     attacker can exploit this to corrupt the file by using     writes from a process with a small RLIMIT_FSIZE value.
    (CVE-2011-1089)

  - A flaw exists in the png_set_text_2() function in the     file pngset.c in the libpng library due to a failure to     properly allocate memory. An unauthenticated, remote     attacker can exploit this, via a crafted text chunk in a     PNG image file, to trigger a heap-based buffer overflow,     resulting in denial of service or the execution of     arbitrary code. (CVE-2011-3048)

  - A flaw exists in the DTLS implementation in OpenSSL due     to performing a MAC check only if certain padding is     valid. A remote attacker can exploit this, via a padding     oracle attack, to recover the plaintext. (CVE-2011-4108)

  - A double-free error exists in OpenSSL when the     X509_V_FLAG_POLICY_CHECK is enabled. A remote attacker     can exploit this by triggering a policy check failure,     resulting in an unspecified impact. (CVE-2011-4109)

  - A flaw exists in OpenSSL in the SSL 3.0 implementation     due to improper initialization of data structures used     for block cipher padding. A remote attacker can exploit     this, by decrypting the padding data sent by an SSL     peer, to obtain sensitive information. (CVE-2011-4576)

  - A denial of service vulnerability exists in OpenSSL when     RFC 3779 support is enabled. A remote attacker can     exploit this to cause an assertion failure, by using an     X.509 certificate containing certificate extension data     associated with IP address blocks or Autonomous System     (AS) identifiers. (CVE-2011-4577)

  - A denial of service vulnerability exists in the RPC     implementation in the glibc library due to a flaw in the     svc_run() function. A remote attacker can exploit this,     via large number of RPC connections, to exhaust CPU     resources. (CVE-2011-4609)

  - A denial of service vulnerability exists in the Server     Gated Cryptography (SGC) implementation in OpenSSL due     to a failure to properly handle handshake restarts. A     remote attacker can exploit this, via unspecified     vectors, to exhaust CPU resources. (CVE-2011-4619)

  - A denial of service vulnerability exists in OpenSSL due     to improper support of DTLS applications. A remote     attacker can exploit this, via unspecified vectors     related to an out-of-bounds read error. Note that this     vulnerability exists because of an incorrect fix for     CVE-2011-4108. (CVE-2012-0050)

  - A security bypass vulnerability exists in the glibc     library due to an integer overflow condition in the     vfprintf() function in file stdio-common/vfprintf.c. An     attacker can exploit this, by using a large number of     arguments, to bypass the FORTIFY_SOURCE protection     mechanism, allowing format string attacks or writing to     arbitrary memory. (CVE-2012-0864)

  - A denial of service vulnerability exists in the glibc     library in the vfprintf() function in file     stdio-common/vfprintf.c due to a failure to properly     calculate a buffer length. An attacker can exploit this,     via a format string that uses positional parameters and     many format specifiers, to bypass the FORTIFY_SOURCE     format-string protection mechanism, thus causing stack     corruption and a crash. (CVE-2012-3404)

  - A denial of service vulnerability exists in the glibc     library in the vfprintf() function in file     stdio-common/vfprintf.c due to a failure to properly     calculate a buffer length. An attacker can exploit this,     via a format string with a large number of format     specifiers, to bypass the FORTIFY_SOURCE format-string     protection mechanism, thus triggering desynchronization     within the buffer size handling, resulting in a     segmentation fault and crash. (CVE-2012-3405)

  - A flaw exists in the glibc library in the vfprintf()     function in file stdio-common/vfprintf.c due to a     failure to properly restrict the use of the alloca()     function when allocating the SPECS array. An attacker     can exploit this, via a crafted format string using     positional parameters and a large number of format     specifiers, to bypass the FORTIFY_SOURCE format-string     protection mechanism, thus triggering a denial of     service or the possible execution of arbitrary code.
    (CVE-2012-3406)

  - A flaw exists in the glibc library due to multiple     integer overflow conditions in the strtod(), strtof(),     strtold(), strtod_l(), and other unspecified related     functions. A local attacker can exploit these to trigger     a stack-based buffer overflow, resulting in an     application crash or the possible execution of arbitrary     code. (CVE-2012-3480)

  - A privilege escalation vulnerability exists in the     Virtual Machine Communication Interface (VMCI) due to a     failure by control code to properly restrict memory     allocation. A local attacker can exploit this, via     unspecified vectors, to gain privileges. (CVE-2013-1406)

  - An error exists in the implementation of the Network     File Copy (NFC) protocol. A man-in-the-middle attacker     can exploit this, by modifying the client-server data     stream, to cause a denial of service or the execution     of arbitrary code. (CVE-2013-1659)

The remote VMware ESX / ESXi host is missing a security-related patch.
It is, therefore, affected by multiple vulnerabilities, including remote code execution vulnerabilities, in several third-party libraries :

  - Apache Struts
  - glibc
  - GnuTLS
  - JRE
  - kernel
  - libxml2
  - OpenSSL
  - Perl
  - popt and rpm

Versions of OpenSSL earlier than 0.9.8q and 1.0.0c are potentially affected by multiple vulnerabilities :

  - It may be possible to downgrade the ciphersuite to a weaker version by modifying the stored session cache cipher suite.

  - An error exists in the J-PAKE implementation which could lead to successful validation by someone with no knowledge of the shared secret.

Versions of OpenSSL earlier than 0.9.8q and 1.0.0c are potentially affected by multiple vulnerabilities :

  - It may be possible to downgrade the ciphersuite to a weaker version by modifying the stored session cache cipher suite.

  - An error exists in the J-PAKE implementation which could lead to successful validation by someone with no knowledge of the shared secret.
IAVA Reference : 2011-A-0160
IAVB Reference : 2012-B-0038
STIG Finding Severity : Category I

ID	Name	Product	Family	Published	Updated	Severity
61747	VMSA-2012-0013 : VMware vSphere and vCOps updates to third-party libraries	Nessus	VMware ESX Local Security Checks	8/31/2012	1/6/2021	critical
56425	GLSA-201110-01 : OpenSSL: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	10/10/2011	1/6/2021	critical
86330	F5 Networks BIG-IP : OpenSSL vulnerability (K17382)	Nessus	F5 Networks Local Security Checks	10/12/2015	3/10/2021	high
51063	Slackware 11.0 / 12.0 / 12.1 / 12.2 / 13.0 / 13.1 / current : openssl (SSA:2010-340-01)	Nessus	Slackware Local Security Checks	12/8/2010	1/14/2021	high
51058	OpenSSL 1.0.0 < 1.0.0c Multiple Vulnerabilities	Nessus	Web Servers	12/7/2010	10/23/2024	critical
70885	ESXi 5.0 < Build 912577 Multiple Vulnerabilities (remote check)	Nessus	Misc.	11/13/2013	11/15/2018	high
89038	VMware ESX / ESXi Third-Party Libraries Multiple Vulnerabilities (VMSA-2012-0013) (remote check)	Nessus	Misc.	2/29/2016	1/6/2021	high
5720	OpenSSL < 0.9.8q / 1.0.0c Multiple Vulnerabilities	Nessus Network Monitor	Web Servers	12/7/2010	3/6/2019	medium
801055	OpenSSL < 0.9.8q / 1.0.0c Multiple Vulnerabilities	Log Correlation Engine	Web Servers	12/7/2010		medium

Detections

Analytics

Plugins Search

critical

critical

high

high

critical

high

high

medium

medium