VMware ESX Server 3.5, Patch ESX350-200802304-SG: Security Update to the Perl Package (1003206)
Release Date: 3/10/08
Document Last Updated: 3/10/08
This patch provides updates to the Perl package distributed with the service console for ESX Server 3.5. The update adresses an issue where the regular expression engine in Perl can be used to issue a specially crafted regular expression that allows the attacker to run arbitrary code with the permissions of the current Perl user.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2007-5116 to this issue.
Note: This issue only affects the service console network, and is not a remote vulnerability for ESX Server hosts that have been set up with the security best practices provided by VMware. See http://www.vmware.com/resources/techresources/726 for more information on security best practices.
There are no symptoms for this security issue.
Patch bundle ESX350-200802403-BG must be installed prior to installing this patch. The esxupdate utility will check to ensure ESX350-200802403-BG is installed before proceeding with installation of this patch.
Patch Download and Installation
For information on using VMware Update Manager to automatically update ESX Server 3.5 hosts, see the VMware Update Manager Administration Guide for instructions on using Update Manager to download and install patches.
To update ESX Server 3.5 hosts when not using Update Manager, download the most recent patch bundle from http://www.vmware.com/download/vi/vi3_patches_35.html and install the bundle using the esxupdate tool from the command line of the host. For more information on using esxupdate to manage patches on ESX Server 3.5 hosts, see the ESX Server 3 Patch Management Guide.