VMware ESX Server 3.5, Patch ESX350-200802406-SG: Updated aacraid Driver (1003449)
Release Date: 3/10/2008
Document Last Updated: 3/10/2008
This patch fixes a flaw in how the aacraid SCSI driver checked IOCTL command permissions. This flaw can allow a local user on the service console to cause a denial of service or gain privileges. Thanks to Adaptec for reporting this issue.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2007-4308 to this issue.
Patch bundles ESX350-200802403-BG and ESX350-200802409-BG must be installed before this patch. The esxupdate utility verifies that both bundles are installed before it proceeds with installation of this patch.
Patch Download and Installation
To automatically download and install patches on your ESX Server 3.5 hosts, use the VMware Update Manager. For more information, see the Update Manager Administration Guide at http://www.vmware.com/pdf/vi3_vum_10_admin_guide.pdf.
To manually update ESX Server 3.5 hosts, download the most recent patch bundle from http://www.vmware.com/download/vi/vi3_patches_35.html and install the bundle using esxupdate on the service console. For more information about using esxupdate, see the ESX Server 3 Patch Management Guide at http://www.vmware.com/pdf/vi3_35/esx_3/r35/vi3_35_25_esxupdate.pdf.