Knowledge Base

Summaries and Symptoms

Includes updated VIM (Visual editor improved) packages for the service console that fix the following security issues:

• Input sanitization flaws in VIM keyword and tag handling. If you access a malicious tag or keyword in a document, it might be possible to run arbitrary code as the user running VIM. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2008-4101 to this issue.
  
• A heap-based overflow flaw in the VIM expansion of file name patterns with shell wildcards. A malicious file or directory name might cause VIM to fail or execute arbitrary code. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2008-3432 to this issue.
  
• Input sanitization flaws in VIM system functions. If you open a malicious file, it might be possible to run arbitrary code as the user running VIM. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2008-2712 to this issue.
  
• A format string flaw in the VIM help tag processor. If a user runs the helptags command on malicious data, it might be possible to run arbitrary code with the permissions of the user running VIM. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2007-2953 to this issue.

Deployment Considerations

None beyond the required patch bundles and reboot information listed in the table, above.

Patch Download and Installation

See the VMware Update Manager Administration Guide for instructions on using Update Manager to download and install patches to automatically update ESX Server 3.5 hosts.

To update ESX Server 3.5 hosts when not using Update Manager, download the most recent patch bundle from http://www.vmware.com/download/vi/vi3_patches_35.html and install the bundle using esxupdate from the command line of the host. For more information, see the ESX Server 3 Patch Management Guide.