TUCoPS :: VMWare :: bu-1801.htm

ESX Service Console update for net-snmp
VMSA-2010-0003 ESX Service Console update for net-snmp
VMSA-2010-0003 ESX Service Console update for net-snmp

Hash: SHA1

- -------------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID:       VMSA-2010-0003
Synopsis:          ESX Service Console update for net-snmp
Issue date:        2010-02-16
Updated on:        2010-02-16 (initial release of advisory)
CVE numbers:       CVE-2009-1887
- -------------------------------------------------------------------------

1. Summary

   Update for Service Console package net-snmp

2. Relevant releases

   VMware ESX 3.5 without patch ESX350-201002401-SG

3. Problem Description

 a. Service Console package net-snmp updated

    This patch updates the service console package for net-snmp,
    net-snmp-utils, and net-snmp-libs to version
    net-snmp-5.0.9-2.30E.28. This net-snmp update fixes a divide-by-
    zero flaw in the snmpd daemon. A remote attacker could issue a
    specially crafted GETBULK request that could cause the snmpd daemon
    to fail.

    This vulnerability was introduced by an incorrect fix for

    The Common Vulnerabilities and Exposures Project (cve.mitre.org) has
    assigned the name CVE-2009-1887 to this issue.

    Note: After installing the previous patch for net-snmp
    (ESX350-200901409-SG), running the snmpbulkwalk command with the
    parameter -CnX results in no output, and the snmpd daemon stops.

    The following table lists what action remediates the vulnerability
    (column 4) if a solution is available.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  ================    VirtualCenter  any       Windows  not affected

    hosted *       any       any      not affected

    ESXi           any       ESXi     not affected

    ESX            4.0       ESX      not affected
    ESX            3.5       ESX      ESX350-201002401-SG
    ESX            3.0.3     ESX      affected, patch pending
    ESX            2.5.5     ESX      not affected

  * hosted products are VMware Workstation, Player, ACE, Server, Fusion.

4. Solution

   Please review the patch/release notes for your product and version
   and verify the md5sum of your downloaded file.

   ESX 3.5
   md5sum: a91428cb6bc2da794f581aefd5eef010

5. References

   CVE numbers

- -------------------------------------------------------------------------
6. Change log

2010-02-16  VMSA-2010-0003
Initial security advisory after release of patches for ESX 3.5
on 2010-02-16.

- ------------------------------------------------------------------------
7. Contact

E-mail list for product security notifications and announcements:

This Security Advisory is posted to the following lists:

  * security-announce at lists.vmware.com
  * bugtraq at securityfocus.com
  * full-disclosure at lists.grok.org.uk

E-mail:  security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055 

VMware Security Center

VMware security response policy

General support life cycle policy

VMware Infrastructure support life cycle policy

Copyright 2010 VMware Inc.  All rights reserved.
Version: GnuPG v2.0.14 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ 


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH