VMware ESX 3.5, Patch ESX350-200808413-SG: Security Update to cim-smwg for the Openwsman Component of the Service Console (1006878)
Release Date: 18-Sep-2008
Document Last Updated: 18-Sep-2008
Summaries and Symptoms
Note: ESX is not affected by the other issue described in that security announcement, "A possible SSL session replay attack affecting the client (depending on the configuration) (CVE-2008-2233)."
Openwsman is a system management platform that implements the Web Services Management protocol (WS-Management). It is installed and running by default. It is used in the ESX service console.
Additional Details for CVE-2008-2234
Openwsman before 2.0.0 is not vulnerable to this issue. The ESX 3.5 patch ESX350-200808205-UG updated Openwsman to version 2.0.0. That patch is installed as part of the ESX Upgrade 2 release, or the patch can be installed individually.
See http://www.vmware.com/resources/techresources/726 for more information on VMware security best practices.
If you cannot apply this patch, you can stop the wsman service as a workaround.
From the service console, issue the command:
# service wsman stop
Make Sure ESX350-200808205-UG Exists in Your Depot
ESX350-200808413-SG requires the installation of ESX 3.5 U2 refresh bundle ESX350-200808205-UG, irrespective of whether the ESX 3.5 U2 hot fix bundle ESX350-200806812-BG is currently installed or not. Make sure that ESX 3.5 U2 refresh bundle ESX350-200808205-UG is available in the local depot before installation.
Stop Openwsman Service Before Installation
1. Log in to the service console as root.
2. Stop the Openwsman service:
   service wsman stop
3. Install this patch.
4. Restart the Openwsman service:
   service wsman start
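The depot check and the stop, install, restart sequence above, combined into one shell function. This is an added example, not VMware's code. It assumes the depot is a local directory holding one entry per bundle, named by bundle ID, and that the install command you normally use is passed in as arguments. If the install fails, wsman is left stopped, which matches the workaround described earlier.

```shell
#!/bin/sh
# Added example. Assumptions (not from the article): depot layout (one entry
# per bundle, named by bundle ID) and the install command given as arguments.
# Source this file, then run:
#   install_with_wsman_stopped /path/to/depot <your install command>

PREREQ="ESX350-200808205-UG"            # prerequisite bundle ID from the article
SERVICE_CMD="${SERVICE_CMD:-service}"   # overridable for dry runs

# Succeeds if an entry whose name starts with the bundle ID exists in the depot.
bundle_in_depot() {
    for entry in "$1/$2"*; do
        [ -e "$entry" ] && return 0
    done
    return 1
}

# Usage: install_with_wsman_stopped DEPOT_DIR INSTALL_COMMAND [ARGS...]
# Return codes: 2 = prerequisite missing from depot (nothing touched),
#               3 = wsman could not be stopped,
#               4 = patch installed but wsman did not restart,
#               otherwise the exit status of the install command.
install_with_wsman_stopped() {
    depot=$1
    shift
    if ! bundle_in_depot "$depot" "$PREREQ"; then
        echo "prerequisite $PREREQ not found in depot $depot" >&2
        return 2
    fi
    "$SERVICE_CMD" wsman stop || return 3
    rc=0
    "$@" || rc=$?
    if [ "$rc" -ne 0 ]; then
        # Do not restart the unpatched service after a failed install.
        echo "install failed (status $rc); wsman left stopped" >&2
        return "$rc"
    fi
    "$SERVICE_CMD" wsman start || return 4
    return 0
}
```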
Related esxupdate Issue
If you are using esxupdate, see Patch Installation Using esxupdate Fails Because 2nd-Level Dependency Is Not Installed (KB 1007060).
Patch Download and Installation
See the VMware Update Manager Administration Guide for instructions on using Update Manager to download and install patches to automatically update ESX Server 3.5 hosts.
To update ESX Server 3.5 hosts when not using Update Manager, download the most recent patch bundle from http://support.vmware.com/selfsupport/download/ and install the bundle using esxupdate from the command line of the host. For more information, see the ESX Server 3 Patch Management Guide.