VMware ESXi 4.0, Patch ESXi400-201104401-SG: Updates Firmware (1037259)
Release date: April 28, 2011
| Build Information | See KB 1037261. |
| Host Reboot Required | Yes |
| Virtual Machine Migration or Shutdown Required | Yes |
| PRs Fixed | 702120, 702107 |
| Related CVE numbers | CVE-2011-1785 |
Summaries and Symptoms
This patch updates the Certificate Revocation List (CRL) to revoke an RSA key that HP uses for code-signing certain software components. HP server contains a new key pair and has re-signed the affected software components with the new key.
On an HP system, if you apply this patch and then restart the ESXi system, you must update the software components to the version signed with the new key. If you do not restart the system, it continues to work with the currently installed and loaded software. However, the ESXi system rejects software signed with the revoked key and logs a warning if the system loads any kernel module signed with the revoked key. This might cause certain HP features to fail.
By sending malicious network traffic to an ESXi system, an attacker might exhaust the available sockets and prevent further connections to the system. In this scenario, the system becomes inaccessible. Its virtual machines continue to run and have network connectivity, but a reboot of the ESXi system might be required to connect to the machine again.
socket() returns -1 (Cannot allocate memory)
An error message similar to the following might be written to the VMkernel log file:
socreate(type=2, proto=17) failed with error 55
The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2011-1785 to this issue.
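The two error messages quoted above can be used as a log signature for this condition. The following scanner is an added example, not VMware code: it counts both messages in log lines and flags likely socket exhaustion. The sample lines, their timestamp and prefix layout, and the `threshold` value are constructed assumptions.

```python
import re
from collections import Counter

# Signatures quoted in the advisory; everything around them is matched loosely.
SOCREATE_RE = re.compile(r"socreate\(type=(\d+), proto=(\d+)\) failed with error (\d+)")
SOCKET_RE = re.compile(r"socket\(\) returns -1 \(Cannot allocate memory\)")

# Standard socket-type and IP protocol numbers, used only for readable labels.
SOCK_TYPES = {1: "SOCK_STREAM", 2: "SOCK_DGRAM", 3: "SOCK_RAW"}
IP_PROTOS = {6: "TCP", 17: "UDP"}

# Constructed sample input: the timestamp and prefix layout is an assumption.
SAMPLE_LOG = """\
Apr 20 10:01:02 vmkernel: cpu2:4100)NetPort: enabled port 0x2000003
Apr 20 10:05:17 vmkernel: cpu1:4355)socreate(type=2, proto=17) failed with error 55
Apr 20 10:05:17 vmkernel: cpu1:4355)socreate(type=2, proto=17) failed with error 55
Apr 20 10:05:18 hostd: socket() returns -1 (Cannot allocate memory)
Apr 20 10:05:19 vmkernel: cpu0:4355)socreate(type=1, proto=6) failed with error 55
Apr 20 10:06:00 vmkernel: cpu3:4101)ScsiScan: rescan complete
"""


def scan(lines, threshold=3):
    """Count socket-allocation failures; `threshold` is a hypothetical alert level."""
    socreate = Counter()
    socket_errors = 0
    first_hit = None
    for number, line in enumerate(lines, start=1):
        match = SOCREATE_RE.search(line)
        if match:
            sock_type, proto, err = (int(g) for g in match.groups())
            label = (SOCK_TYPES.get(sock_type, str(sock_type)),
                     IP_PROTOS.get(proto, str(proto)), err)
            socreate[label] += 1
        elif SOCKET_RE.search(line):
            socket_errors += 1
        else:
            continue  # line carries neither signature
        if first_hit is None:
            first_hit = number
    total = sum(socreate.values()) + socket_errors
    return {"socreate": dict(socreate), "socket_errors": socket_errors,
            "first_hit_line": first_hit, "total": total,
            "suspect_exhaustion": total >= threshold}


if __name__ == "__main__":
    for key, value in scan(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

A burst of these messages on a host that has not yet received this patch is a reason to check whether the management interface still accepts new connections.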
None beyond the required patch bundles and reboot information listed in the table above.
Patch Download and Installation
The typical way to apply patches to ESXi systems is through the VMware Update Manager. For details, see the VMware vCenter Update Manager Administration Guide.