VMware Security Advisory VMSA-2012-0013 Review

VMware released, on 30 August 2012, security advisory VMSA-2012-0013, which covers updates to third-party libraries in VMware vSphere and vCOps.

vCenter and ESX update to JRE 1.6.0 Update 31

The Oracle JRE used by vCenter and ESX is updated to 1.6.0 Update 31, which fixes the vulnerabilities patched in the Oracle Java SE Critical Patch Update (CPU) of February 2012. The Oracle Java SE CPU of June 2012 is still not included: it fixes 14 vulnerabilities, 9 of which have a CVSS base score above 7.0, and a public exploit for one of them, CVE-2012-1723, is actively used. CVE-2012-0547, fixed by the Oracle Security Alert of 30 August 2012, is also not addressed, although Oracle gave this vulnerability a CVSS base score of 0.0.

Patches are available for vCenter 4.1 and ESX 4.1; for vCenter 5.0 and Update Manager 5.0 the patches are pending.

vCenter Update Manager update to JRE 1.5.0 Update 36

The Oracle JRE used by vCenter Update Manager is updated to 1.5.0 Update 36, which fixes the vulnerabilities patched in the Oracle Java SE CPU of June 2012. A patch is available for Update Manager 4.1; for vCenter 4.0, VirtualCenter 2.5, Update Manager 4.0, ESX 4.0 and ESX 3.5, which also receive this update, the patches are pending.

Update to ESX/ESXi userworld OpenSSL library

The OpenSSL library used in the ESX and ESXi userworld is updated from version 0.9.8p to version 0.9.8t to resolve nine security issues, two of which have a CVSS base score above 7.0. Patches are available for ESXi 4.1 and ESX 4.1; for ESXi 5.0, ESXi 4.0, ESXi 3.5, ESX 4.0 and ESX 3.5 the patches are pending.

Update to ESX service console OpenSSL RPM

The OpenSSL RPM used by the ESX service console is updated to version 0.9.8e-22.el5_8.3 to resolve one security issue, CVE-2012-2110, which has a CVSS base score of 7.5. A patch is available for ESX 4.1; for ESX 4.0 the patch is pending.

Update to ESX service console kernel

The ESX service console kernel is updated to resolve 14 security issues. Three of them have a CVSS base score above 7.0, and two, CVE-2011-1833 and CVE-2011-3209, have an unknown CVSS base score. A patch is available for ESX 4.1; for ESX 4.0 the patch is pending.

Update to ESX service console Perl RPM

The Perl RPM used by the ESX service console is updated to perl-5.8.8.32.1.8999.vmw to resolve three security issues, one of which has a CVSS base score of 7.5. A patch is available for ESX 4.1; for ESX 4.0 the patch is pending.

Update to ESX service console libxml2 RPM

The libxml2 RPMs used by the ESX service console are updated to libxml2-2.6.26-2.1.15.el5_8.2 and libxml2-python-2.6.26-2.1.15.el5_8.2 to resolve one security issue, CVE-2012-0841, which has an unknown CVSS base score. A patch is available for ESX 4.1; for ESX 4.0 the patch is pending.

Update to ESX service console glibc RPM

The glibc RPM used by the ESX service console is updated to version glibc-2.5-81.el5_8.1 to resolve six security issues; three of them, CVE-2009-5029, CVE-2011-4609 and CVE-2012-0864, have an unknown CVSS base score. A patch is available for ESX 4.1; for ESX 4.0 the patch is pending.

Update to ESX service console GnuTLS RPM

The GnuTLS RPM used by the ESX service console is updated to version 1.4.1-7.el5_8.2 to resolve three security issues. A patch is available for ESX 4.1; for ESX 4.0 the patch is pending.

Update to ESX service console popt, rpm, rpm-libs, and rpm-python RPMS

The popt, rpm, rpm-libs and rpm-python RPMs used by the ESX service console are updated to resolve three security issues. A patch is available for ESX 4.1; for ESX 4.0 the patch is pending.
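As a practical check for the service console updates listed above (OpenSSL, Perl, libxml2, glibc and GnuTLS), here is an added example, not part of the original post or of VMware's advisory, that compares the output of `rpm -qa` from an ESX 4.1 host against the fixed versions named in this review. The version ordering is a reimplementation of RPM's rpmvercmp() algorithm (the same ordering puts the userworld OpenSSL 0.9.8p before 0.9.8t). The `rpm -qa` sample is constructed, not captured from a real host; the Perl package string perl-5.8.8.32.1.8999.vmw is assumed to mean version 5.8.8, release 32.1.8999.vmw; the kernel, popt and rpm packages are not checked because the review gives no fixed version for them.

```python
"""Check ESX service console RPM versions against the fixed versions from VMSA-2012-0013."""
import re

# Fixed package versions as listed in the review (name: version-release).
# Assumption: the advisory's perl-5.8.8.32.1.8999.vmw means version 5.8.8,
# release 32.1.8999.vmw.
FIXED = {
    "openssl": "0.9.8e-22.el5_8.3",
    "perl": "5.8.8-32.1.8999.vmw",
    "libxml2": "2.6.26-2.1.15.el5_8.2",
    "libxml2-python": "2.6.26-2.1.15.el5_8.2",
    "glibc": "2.5-81.el5_8.1",
    "gnutls": "1.4.1-7.el5_8.2",
}

_SEG = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Reimplementation of RPM's rpmvercmp() ordering: split into numeric and
    alphabetic segments, compare numeric segments by value and alphabetic ones
    lexically, a numeric segment beats an alphabetic one, and when one string
    runs out of segments the longer one wins. Tilde ordering (not used by
    RHEL5-era rpm) is not handled. Returns -1, 0 or 1."""
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif xd != yd:
            return 1 if xd else -1
        elif x != y:
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1


def split_nvr(nvr: str):
    """'libxml2-python-2.6.26-2.1.15.el5_8.2' -> ('libxml2-python', '2.6.26', '2.1.15.el5_8.2')."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def vr_cmp(vr_a: str, vr_b: str) -> int:
    """Compare two 'version-release' strings: version first, then release."""
    va, ra = vr_a.split("-", 1)
    vb, rb = vr_b.split("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def check_packages(rpm_qa_output: str) -> dict:
    """Map each package from FIXED found in `rpm -qa` output to 'patched' or
    'vulnerable'. Epoch is not printed by plain `rpm -qa` and is ignored here
    (assumed equal on both sides); packages not in FIXED are skipped."""
    result = {}
    for line in rpm_qa_output.splitlines():
        line = line.strip()
        if not line:
            continue
        name, version, release = split_nvr(line)
        if name in FIXED:
            c = vr_cmp(version + "-" + release, FIXED[name])
            result[name] = "patched" if c >= 0 else "vulnerable"
    return result


# Constructed sample of `rpm -qa` output from a partially patched ESX 4.1
# service console (not captured from a real system).
SAMPLE_RPM_QA = """\
bash-3.2-32.el5
openssl-0.9.8e-22.el5_8.1
glibc-2.5-81.el5_8.1
perl-5.8.8-32.1.8791.vmw
libxml2-2.6.26-2.1.12.el5_7.2
libxml2-python-2.6.26-2.1.15.el5_8.2
gnutls-1.4.1-7.el5_8.2
"""

if __name__ == "__main__":
    for pkg, status in sorted(check_packages(SAMPLE_RPM_QA).items()):
        print("%-16s %s" % (pkg, status))
```

In practice, collect `rpm -qa` from the host over SSH and feed it to check_packages() on a Python 3 workstation; the ESX 4.1 service console ships an old Python that will not run this script as written. A package reported as "patched" only means its version is at or above the one named in the advisory, so a package rebuilt locally with a higher release number is not flagged.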

Vulnerability in third-party Apache Struts component

Apache Struts used in vCOps is updated to version 2.3.4 to resolve five security issues. Two of these five issues have a CVSS base score of 9.3, and exploits for them are publicly available and in active use. vCOps 5.0.x and 1.0.x are affected by this patch.