VMware ESX 3.5, Patch ESX350-200808401-BG: Security and Other Updates to VMkernel, hostd, and Other RPMs

Solution

Summaries and Symptoms

This patch fixes the following security issue:

Several flaws were discovered in the way libpng handled various PNG image chunks. An attacker could create a carefully-crafted PNG image file in such a way that it causes an application linked with libpng to crash when the file is manipulated. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2007-5269 to the security issue fixed in this update.

This patch also includes fixes for the following issues:

Some ESX hosts stopped responding for between two and five minutes during a rescan operation. On occasion, the host completely stopped responding. The diagnosis of this issue is described in detail in KB 10229.
The following problem occurs in a NIC team, when beaconing is enabled. If the down state of one uplink causes all uplinks to go down, transmit path (Tx) traffic flows through all uplinks. This patch lets ESX choose from uplinks that are up, instead of sending traffic on all uplinks.
Using HTTP to access a datastore file whose name contains any of the characters * .? \\ does not work correctly.
Fixed a race condition in hostd that could potentially lead to a crash while performing a large number of VMotion jobs.
Add support for virtual machines to work with SNA/DLC and NetBEUI network protocols.

The following hardware and software is affected:
- IBM AS/400 Mainframe
- Microsoft Host Integration Services (HIS)
- IBM Systems Network Architecture (SNA)
Broadcast and multicast packets become duplicated in a virtual machine configuration where two NICs are teamed, promiscuous mode is enabled, and load balancing is set to use the source port ID.

Note: After setting the vSwitch to Promiscous mode to Accept, you must change the setting for /proc/vmware/config/net/AllowPromiscFilters to 1 by entering the command:

echo 1 >> /proc/vmware/config/Net/AllowPromiscFilters

Double-check the setting is enabled. Enter the commmand:

cat /proc/vmware/config/Net/AllowPromiscFilters

The output returned should look like this:

AllowPromiscFilters (Block duplicate multicast/broadcast packet in a teamed environment when the virtual switch is set to Promiscuous mode.) [0-1: default = 0]: 1

Important: Do not open any /proc files using an editor. Always use the echo command to change /proc settings.
Decrease the frequency of VMFS2 file system checks from the ESX 3.5.x system, when it is shared by ESX 2.5.4 hosts. This fix prevents the ESX 3.5 system from causing excessive reservations on a VMFS2 volume.

Note: To benefit from this fix, all ESX servers that share VMFS2 volumes must be configured for the same time zone.
Connecting or disconnecting virtual serial ports unexpectedly shuts down virtual machines. This issue occurs when there are two serial ports on the same virtual machine and they are connected to each other using the same socket.
32-bit Windows virtual machines exhibit various problems when configured with versions 12.4 and 13.0 of the Intel PRO/1000 gigabit Ethernet device driver (e1000). The problems include possible guest or host crashes due to memory corruption.
Provide a new command-line option (-y) to the esxcfg_nas command for adding and mounting NFS with read-only access.
Update network load-balancing algorithm to match specifications document.
DRS development and performance improvement. This change prevents unexpected migration behavior.
File system performance optimization. A cache holding file system data is undersized for some environments. Its size is increased.
Enablement for IBM DS5100 and IBM DS5300 FC storage arrays.
When installing Red Hat Enterprise Linux 4.7 Beta in graphical mode or text mode on a virtual machine, moving the mouse cursor results in "Unknown key pressed" error messages and causes the installation to fail.
Reduces snapshot delete time for a virtual machine's virtual disk on NFS datastores.

Important: Refer to Enabling the Snapshot Delete Fix under Deployment Considerations for caveats and specific instructions for enabling this fix.

Deployment Considerations

Dependencies

ESX350-200808401-BG requires the installation of ESX 3.5 U2 refresh bundle ESX350-200808201-UG, irrespective of whether the ESX 3.5 U2 hot fix ESX350-200806812-BG is currently installed or not. Make sure that ESX 3.5 U2 refresh bundle ESX350-200808201-UG is available in the local depot before installation.

If you are using esxupdate , you must install 2nd-level dependencies before installing this patch. For details, see Patch Installation Using esxupdate Fails Because 2nd-Level Dependency Is Not Installed (KB 1007060).

Enabling the Snapshot Delete Fix

The snapshot delete fix should be enabled only under the following conditions:

The ESX host is using NFS as a datastore for running virtual machines.
Snapshots are used for virtual machines on the NFS datastore.
The NFS.lockdisable=1 option was used previously to reduce snapshot delete time.

To enable the fix (after applying the patch), edit the /etc/vmware/config file and add the following line:
prefvmx.consolidateDeleteNFSLocks = "TRUE"

Note: Third party virtual machine management agents might lose read access to the base virtual disk during snapshot delete operations.

Patch Download and Installation

See the VMware Update Manager Administration Guide for instructions on using Update Manager to download and install patches to automatically update ESX Server 3.5 hosts.

To update ESX Server 3.5 hosts when not using Update Manager, download the most recent patch bundle from http://www.vmware.com/download/vi/vi3_patches_35.html and install the bundle using esxupdate from the command line of the host. For more information, see the ESX Server 3 Patch Management Guide.

Feedback

Actions

KB Article: 1005807
Updated: Oct 27, 2009

Products:
VMware ESX
Product Versions:
VMware ESX 3.5.x

Knowledge Base

Search the Knowledge Base: