VMware ESXi 4.0, Patch ESXi400-201104401-SG: Updates Firmware (1037259)

Details

Release date: April 28, 2011

Patch Classification: Security
Build Information: See KB 1037261.
Host Reboot Required: Yes
Virtual Machine Migration or Shutdown Required: Yes
PRs Fixed: 702120, 702107
Affected Hardware: N/A
Affected Software: N/A
Related CVE numbers: CVE-2011-1785

 

Solution

Summaries and Symptoms

This patch updates the Certificate Revocation List (CRL) to revoke an RSA key that HP uses for code-signing certain software components. HP has a new key pair and has re-signed the affected software components with the new key.
On an HP system, if you apply this patch and then restart the ESXi system, you must update the software components to the version signed with the new key. If you do not restart the system, it continues to work with the currently installed and loaded software. However, the ESXi system rejects software signed with the revoked key and logs a warning if the system loads any kernel module signed with the revoked key. This might cause certain HP features to fail.

This patch also resolves an issue where the ESXi system might lose connection with the vCenter Server intermittently due to socket exhaustion.
By sending malicious network traffic to an ESXi system, an attacker might exhaust the available sockets and prevent further connections to the system. In this scenario, the system becomes inaccessible. Its virtual machines continue to run and have network connectivity, but a reboot of the ESXi system might be required before you can connect to the machine again.
The ESXi system might intermittently lose connectivity because of applications that do not correctly close sockets. If this occurs, an error message similar to the following might be written to the vpxa log file:
socket() returns -1 (Cannot allocate memory)
An error message similar to the following might be written to the VMkernel log file:
socreate(type=2, proto=17) failed with error 55
The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2011-1785 to this issue.
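
A log check for the two messages quoted above, added here as an example (it is not VMware code): it counts matches in lines taken from the vpxa and VMkernel logs and reports whether both logs show socket allocation failures. The function name, the sample lines and the mapping of the type and proto numbers to conventional BSD socket names are assumptions.

```python
import re
from collections import Counter

# Patterns taken from the two messages quoted in the article. It calls them
# "similar to" what is logged, so the socreate() numbers are left variable.
VPXA_RE = re.compile(r"socket\(\) returns -1 \(Cannot allocate memory\)")
VMK_RE = re.compile(r"socreate\(type=(\d+), proto=(\d+)\) failed with error (\d+)")

# Assumption: type/proto follow the conventional BSD socket numbering.
SOCK_TYPES = {1: "SOCK_STREAM", 2: "SOCK_DGRAM"}
PROTOS = {6: "TCP", 17: "UDP"}

def scan(vpxa_lines, vmkernel_lines):
    """Count socket-exhaustion indicators in each log and grade the result."""
    vpxa_hits = sum(1 for line in vpxa_lines if VPXA_RE.search(line))
    kinds = Counter()
    for line in vmkernel_lines:
        m = VMK_RE.search(line)
        if m:
            t, p, err = (int(g) for g in m.groups())
            kinds[(SOCK_TYPES.get(t, str(t)), PROTOS.get(p, str(p)), err)] += 1
    vmk_hits = sum(kinds.values())
    if vpxa_hits and vmk_hits:
        verdict = "both logs show socket allocation failures"
    elif vpxa_hits or vmk_hits:
        verdict = "one log shows socket allocation failures"
    else:
        verdict = "no indicators"
    return {"vpxa": vpxa_hits, "vmkernel": vmk_hits,
            "kinds": dict(kinds), "verdict": verdict}

# Constructed sample lines; the timestamp and prefix layout is invented.
SAMPLE_VPXA = [
    "2011-04-20 10:02:11 info: heartbeat sent",
    "2011-04-20 10:02:14 error: socket() returns -1 (Cannot allocate memory)",
    "2011-04-20 10:02:19 error: socket() returns -1 (Cannot allocate memory)",
]
SAMPLE_VMKERNEL = [
    "Apr 20 10:02:13 vmkernel: socreate(type=2, proto=17) failed with error 55",
    "Apr 20 10:02:15 vmkernel: link up on vmnic0",
]

if __name__ == "__main__":
    print(scan(SAMPLE_VPXA, SAMPLE_VMKERNEL))
```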

Deployment Considerations

None beyond the required patch bundles and reboot information listed in the table above.

Patch Download and Installation

The typical way to apply patches to ESXi systems is through the VMware Update Manager. For details, see the VMware vCenter Update Manager Administration Guide.

ESXi systems can also be updated using vSphere Host Update Utility or by manually downloading the patch ZIP file from the VMware download page and installing the bulletin by using the vihostupdate command through the vSphere CLI. For details, see the vSphere CLI Installation and Reference Guide and the vSphere Upgrade Guide.
 
