VMware ESXi, Patch ESXe350-200808501-I-SG: Firmware Update

Details

Release Date: 18-Sep-2008
Document Last Updated: 18-Sep-2008

Download Size:
203MB
Download Filename:
ESXe350-200808501-O-SG.zip
md5sum:
3670ee124277927877f76e6ec9c6dc17

Note: The three ESXi patches for Firmware "I", VMware Tools "T," and the VI Client "C" are contained in a single offline "O" download file.

Product Versions	ESXi 3.5
Patch Classification	Security
ESX Server Host Reboot Required	Yes
Maintenance Mode Required, Power Off or Migrate Virtual Machines	Yes
PRs Fixed	313635 281594 191289 194539 199556 203696 216256 230338 246079 259640 269269 275238 275088 275700 276036 279765 295948 306389 253840
Affected Hardware	IBM AS/400 Mainframe Intel PRO/1000 gigabit Ethernet device driver (e1000) version 12.4 and 13.0 Broadcom RemotePHY Broadcom 5706 Dell PowerEdge blade servers HP BladeSystem BL465c G1 IBM FC storage arrays
Affected Software	IBM Systems Network Architecture (SNA) Microsoft Host Integration Services (HIS) RHEL 4.7 beta
Related CVE numbers	CVE-2008-2234, CVE-2007-5269

Solution

Summaries and Symptoms

This patch fixes the following security issues:

Security update to the Openwsman component of ESXi to fix the issue described in SUSE Security Announcement SUSE-SA:2008:041, "Two remote buffer overflows while decoding the HTTP basic authentication header (CVE-2008-2234)."

Note: ESXi is not affected by the other issue described in that security announcement, "A possible SSL session replay attack affecting the client (depending on the configuration) (CVE-2008-2233)."
Several flaws were discovered in the way libpng handled various PNG image chunks. An attacker could create a carefully-crafted PNG image file in such a way that it causes an application linked with libpng to crash when the file is manipulated. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2007-5269 to the security issue fixed in this update.

This patch also fixes the following issues:

The following problem occurs in a NIC team, when beaconing is enabled. If the down state of one uplink causes all uplinks to go down, transmit path (Tx) traffic flows through all uplinks. This patch lets ESX choose from uplinks that are up, instead of sending traffic on all uplinks.
Using HTTP to access a datastore file whose name contains any of the characters * .? \\ does not work correctly.
This patch fixes an issue where the software iSCSI initiator did not handle authentication failures as expected.
Fixed a race condition in hostd that could potentially lead to a crash while performing a large number of VMotion jobs.
Add support for virtual machines to work with SNA/DLC and NetBEUI network protocols.

The following hardware and software is affected:
- IBM AS/400 Mainframe
- Microsoft Host Integration Services (HIS)
- IBM Systems Network Architecture (SNA)
Broadcast and multicast packets become duplicated in a virtual machine configuration where two NICs are teamed, promiscuous mode is enabled, and load balancing is set to use the source port ID.
Connecting or disconnecting virtual serial ports unexpectedly shuts down virtual machines. This issue occurs when there are two serial ports on the same virtual machine and they are connected to each other using the same socket.
32-bit Windows virtual machines exhibit various problems when configured with versions 12.4 and 13.0 of the Intel PRO/1000 gigabit Ethernet device driver (e1000). The problems include possible guest or host crashes due to memory corruption.
Update network load-balancing algorithm to match specifications document.
This patch includes a fix to better support Broadcom RemotePHY backplanes on Dell PowerEdge blade servers.
DRS development and performance improvement. This change prevents unexpected migration behavior.
File system performance optimization. A cache holding file system data is undersized for some environments. Its size is increased.
Enablement for IBM FC storage arrays.
When installing Red Hat Enterprise Linux 4.7 Beta in graphical mode or text mode on a virtual machine, moving the mouse cursor results in "Unknown key pressed" error messages and causes the installation to fail.
On HP servers with ESXi, resolves an issue that intermittently prevents the HP CRU driver from loading. Symptom: Advanced memory information as viewed in HP System Insight Manager might not update as expected.
The bnx2 driver using the Broadcom 5706 chip running on the HP BladeSystem BL465c G1 does not report link status changes when the cable is pulled or the switch port is shutdown.
Reduces snapshot delete time for a virtual machine's virtual disk on NFS datastores.

Important: Refer to Enabling the Snapshot Delete Fix under Deployment Considerations for caveats and specific instructions for enabling this fix.

Additional Details for CVE-2008-2234

Openwsman is a system management platform that implements the Web Services Management protocol (WS-Management). It is installed and running by default on ESXi.

The Openwsman 2.0.0 management service on ESXi is vulnerable to the issue described by CVE-2008-2234, "Two remote buffer overflows while decoding the HTTP basic authentication header." Users without valid login credentials could potentially exploit this vulnerability.

Openwsman before 2.0.0 is not vulnerable to this issue. The ESXi 3.5 patch ESXe350-200808201-O-UG updated Openwsman to version 2.0.0. That patch is installed as part of the ESXi Update 2 release.

Version Information

You can determine what build is running via the console screen on the host or by connecting with the VI client. In the VI Client, the build number can be seen if the host is selected at the top of the right window pane. The vulnerable build numbers are 103909 and 110271.

Workaround

If you cannot apply this patch, you can stop the wsman service as a workaround. Contact your support vendor for help performing this task.

Deployment Considerations

Enabling the Snapshot Delete Fix

The snapshot delete fix should be enabled only under the following conditions:

The ESXi host is using NFS as a datastore for running virtual machines.
Snapshots are used for virtual machines on the NFS datastore.
The NFS.lockdisable=1 option was used previously to reduce snapshot delete time.

To enable the fix (after applying the patch):

Install the VIMA virtual appliance with RCLI. For information, see http://www.vmware.com/support/developer/vima/. When you use the vSphere Client to deploy vMA to an ESX/ESXi host, you can enter the following URL in the Deploy from URL field of the wizard: http://www.vmware.com/go/importvma/vma4.ovf
Using the RCLI, copy the config file to /tmp or any other writable directory:

# vifs.pl --get /host/vmware_config /tmp
Modify the file by adding the line:

prefvmx.consolidateDeleteNFSLocks = "TRUE"
Transfer it to the ESXi server using the command:

# vifs.pl --put /tmp/vmware_config /host/vmware_config

Note: Third party virtual machine management agents might lose read access to the base virtual disk during snapshot delete operations.

Patch Download and Installation

The typical way to apply patches to ESXi hosts is through the VMware Update Manager. For details, see the VMware Update Manager Administration Guide.

ESXi hosts can also be updated by downloading the most recent "O" (offline) patch bundle from http://support.vmware.com/selfsupport/download/ and installing the bundle using VMware Infrastructure Update or by using the vihostupdate command through the Remote Command Line Interface (RCLI). For details, see the ESX Server 3i Configuration Guide and the ESX Server 3i Embedded Setup Guide (Chapter 10, Maintaining ESX Server 3i and the VI Client) or the ESX Server 3i Installable Setup Guide (Chapter 11, Maintaining ESX Server 3i and the VI Client).

Note: ESXi hosts do not reboot automatically when you patch with the offline bundle.

Feedback

Actions

KB Article: 1005818
Updated: Aug 14, 2009

Products:
VMware ESXi
Product Versions:
VMware ESXi 3.5.x Embedded
VMware ESXi 3.5.x Installable

Knowledge Base

Search the Knowledge Base: