TUCoPS :: Web :: Servers :: bt1610.txt

VMware GSX Server and ESX Server OpenSSL vulnerability patches 




-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1



Description

- -----------



These VMware server products use a version of OpenSSL for securing remote 

management connections that has known vulnerabilities that can expose 

systems to denial of service attacks: 



 - VMware GSX Server 2.5.1 (for Windows and Linux systems) build 5336 and 

   earlier 

 - VMware ESX Server 2.0 build 5257 and earlier 

 - VMware ESX Server 1.5.2 (all versions) 





Details/Impact

- --------------



Certain ASN.1 encodings and tag values can cause stack corruption and out 

of bounds reads in OpenSSL that can be exploited in denial of service 

attacks. For details, see 



www.openssl.org/news/secadv_20030930.txt 

cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0545 

cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0543 

cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0544 



VMware GSX Server 2.5.1 (for Windows and Linux systems) build 5336, 

VMware ESX Server 2.0 build 5257 and ESX Server 1.5.2 (all versions) 

install OpenSSL version 0.9.7b as part of the Management Interface, 

Remote Console, and Scripting API packages. OpenSSL version 0.9.7b is 

subject to the above vulnerabilities.





Resolutions

- -----------



VMware has made OpenSSL patches available to correct the reported 

vulnerabilities. These patches update GSX Server and ESX Server systems 

and remote console clients with OpenSSL version 0.9.7c.



VMware stongly urges GSX Server and ESX Server customers to apply the 

OpenSSL patches as soon as possible.  



GSX Server patch installation instructions are at:

http://www.vmware.com/support/kb/enduser/std_adp.php?p_faqid=1164



ESX Server patch installation instructions are at:

http://www.vmware.com/support/kb/enduser/std_adp.php?p_faqid=1167





- ------------------

This document is clear signed with PGP.  



VMware has the PGP public key available at



http://www.vmware.com/support/kb/enduser/std_adp.php?p_faqid=1039



Some mail programs cause changes to mail messages and content, which may result

in an indication that the PGP signature for this message is not valid.  This

may also occur if this message is forwarded through another email distribution

list that changes the "From" field.  Please try to save the message into a file

and then running PGP on it.

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1.2.2 (MingW32)



iD8DBQE/oqbVLsZLrftG15MRAmQDAJwNXNs2ETQY6iKTF5rsm0WtvDq5AQCgsxhB

fy2fFZbfBWrOgS3LmMi5/gE=

=ived

-----END PGP SIGNATURE-----

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH