VMware
 

Knowledge Base

Search the Knowledge Base:
Products:
Search In:
 

VMware ESX 3.5, Patch ESX350-200808413-SG: Security Update to cim-smwg for the Openwsman Component of the Service Console

Details

Release Date: 18-Sep-2008
Document Last Updated: 18-Sep-2008

Download Size:
2.1MB
Download Filename:
ESX350-200808413-SG.zip
md5sum:
2a683d099c28315475db53bd459dcc07


Product Versions ESX 3.5
Patch Classification Security
Supersedes ESX350-200802414-BG
ESX350-200805508-SG
Requires ESX350-200808205-UG
ESX350-200808408-BG
Virtual Machine Migration or Shutdown Required No
Host Reboot Required No; stop Openwsman service before installing patch
PRs Fixed 313635
Affected Hardware N/A
Affected Software N/A
RPMs Included cim-smwg
Related CVE numbers CVE-2008-2234
VMware Security Advisory VMSA-2008-0015

Solution

Summaries and Symptoms

Security update to the Openwsman component of the ESX service console to fix the issue described in SUSE Security Announcement SUSE-SA:2008:041, "Two remote buffer overflows while decoding the HTTP basic authentication header (CVE-2008-2234)."

Note: ESX is not affected by the other issue described in that security announcement, "A possible SSL session replay attack affecting the client (depending on the configuration) (CVE-2008-2233)."

Openwsman is a system management platform that implements the Web Services Management protocol (WS-Management). It is installed and running by default. It is used in the ESX service console.

Additional Details for CVE-2008-2234

The Openwsman 2.0.0 management service on ESX 3.5 is vulnerable to the issue described by CVE-2008-2234, "Two remote buffer overflows while decoding the HTTP basic authentication header." Users without valid login credentials could potentially exploit this vulnerability.

Openwsman before 2.0.0 is not vulnerable to this issue. The ESX 3.5 patch ESX350-200808205-UG updated Openwsman to version 2.0.0. That patch is installed as part of the ESX Upgrade 2 release, or the patch can be installed individually.
 
Note: This vulnerability can be exploited remotely only if the attacker has access to the service console network. Security best practices provided by VMware recommend that the service console be isolated from the VM network. Please see
http://www.vmware.com/resources/techresources/726 for more information on VMware security best practices.

Version Information

To check if a vulnerable version of Openwsman is installed on your system, issue the following command from the service console:
 
# rpm -ql cim-smwg
 
The vulnerable version is cim-smwg-1.0.0.1-103202.

Workaround

If you cannot apply this patch, you can stop the wsman service as a workaround.

From the service console issue the command:

# service wsman stop

This workaround is not persistent and will be undone after the next reboot.

Deployment Considerations

Make Sure ESX350-200808205-UG Exists in Your Depot

ESX350-200808413-SG requires the installation of ESX 3.5 U2 refresh bundle ESX350-200808205-UG, irrespective of whether the ESX 3.5 U2 hot fix bundle ESX350-200806812-BG is currently installed or not. Make sure that ESX 3.5 U2 refresh bundle ESX350-200808205-UG is available in the local depot before installation.

Stop Openwsman Service Before Installation

Before installing this patch through the esxupdate utility or Update Manager, you must stop the Openwsman service and restart it after applying the patch.
 
Note: If the Openwsman service is not stopped before installing this patch, the service will not be in a running state after installation. The ESX host will require a reboot.
  1. Log in to the service console as root.

  2. Stop the Openwsman service:

    service wsman stop

  3. Install this patch.

  4. Restart the Openwsman service:

    service wsman start

Related esxupdate Issue

If you are using esxupdate , see Patch Installation Using esxupdate Fails Because 2nd-Level Dependency Is Not Installed (KB 1007060).

Patch Download and Installation

See the VMware Update Manager Administration Guide for instructions on using Update Manager to download and install patches to automatically update ESX Server 3.5 hosts.

To update ESX Server 3.5 hosts when not using Update Manager, download the most recent patch bundle from http://support.vmware.com/selfsupport/download/ and install the bundle using esxupdate from the command line of the host. For more information, see the ESX Server 3 Patch Management Guide.

Feedback

Rating: 1 - Lowest 2 3 4 5 - Highest (0 Ratings)   

Did this article help you?
This article resolved my issue.
This article did not resolve my issue.
This article helped but additional information was required to resolve my issue.
What can we do to improve this information? (2000 or fewer characters)
Submit
Rating: 1 - Lowest 2 3 4 5 - Highest (0 Ratings)   
Actions
  • KB Article: 1006878
  • Updated: Aug 14, 2009
  • Products:
    VMware ESX
  • Product Versions:
    VMware ESX 3.5.x