VMware Security Advisory VMSA-2012-0016 Review

On 15 November 2012, VMware released one security advisory, VMSA-2012-0016, concerning the VMware vSphere API and the ESX service console.

VMware vSphere API denial of service vulnerability

The VMware vSphere API is affected by one vulnerability, CVE-2012-5703, with a 5.0 CVSS base score. The vulnerability was discovered and privately reported by Sebastián Tullo of Core Security Technologies. ESXi and ESX 4.1 are affected by this vulnerability.

Update to ESX service console bind packages

The ESX 4.1 bind-libs and bind-utils packages have been updated to fix multiple vulnerabilities. CVE-2012-1033 has a 5.0 CVSS base score, CVE-2012-1667 has an 8.5 CVSS base score and CVE-2012-3817 has a 7.8 CVSS base score. ESX 4.0 is affected and the patch will be released later.

Update to ESX service console python packages

The ESX 4.1 python and python-libs packages have been updated to fix multiple vulnerabilities. CVE-2011-4940 has a 2.6 CVSS base score, CVE-2011-4944 has a 1.9 CVSS base score and CVE-2012-1150 has a 5.0 CVSS base score. ESX 4.0 is affected but no patch is planned.

Update to ESX service console expat package

The ESX 4.1 expat package has been updated to fix two vulnerabilities. CVE-2012-0876 has a 4.3 CVSS base score and CVE-2012-1148 has a 5.0 CVSS base score. ESX 4.0 is affected but no patch is planned.

Update to ESX service console nspr and nss packages

The ESX 4.1 nspr and nss packages have been updated to fix two vulnerabilities. CVE-2012-0441 has a 5.0 CVSS base score, and this patch also resolves a certificate trust issue caused by a fraudulent DigiNotar root certificate. ESX 4.0 is affected and the patch will be released later.