Knowledge Base

The VMware Knowledge Base provides support solutions, error messages and troubleshooting guides
 
Search the VMware Knowledge Base (KB)   View by Article ID
 

VMware ESXi 5.0 Patch Image Profile ESXi-5.0.0-20120504001-standard (2019863)

Details

Release date: May 3, 2012
 
 

Profile Name
ESXi-5.0.0-20120504001-standard
Build
For build information, see KB 2019857.
Vendor
VMware, Inc.
Release Date
May 3, 2012
Acceptance Level
PartnerSupported
Affected Hardware
N/A
Affected Software
N/A
Affected VIBs
esx-base
PRs Fixed
866125, 871714, 871887
Related CVE numbers
CVE-2012-2448, CVE-2012-2449, CVE-2012-2450

 

For information on patch and update classification, see KB 2014447 .

Solution

Summaries and Symptoms

This patch contains fixes for the following security issues:

ESXi NFS traffic parsing vulnerability

Due to a flaw in the handling of NFS traffic it is possible to overwrite memory. This vulnerability may allow a user with access to the network to execute code on the ESXi host without authentication. The issue is not present in cases where there is no NFS traffic.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2012-2448 to this issue.

The following paragraphs detail workarounds and mitigating controls that might be available to remove the potential for exploiting the issue and to reduce the exposure that the issue poses.

Workaround: None identified.

Mitigation:

  • Connect only to trusted NFS servers.
  • Segregate the NFS network
  • Harden your NFS server.

 

VMware floppy device out-of-bounds memory write

 

Due to a flaw in the virtual floppy configuration it is possible to perform an out-of-bounds memory write. This vulnerability may allow a guest user to crash the VMX process or potentially execute code on the host.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2012-2449 to this issue.

The following paragraphs detail workarounds and mitigating controls that might be available to remove the potential for exploiting the issue and to reduce the exposure that the issue poses.

Workaround: Remove the virtual floppy device from the list of virtual I/O devices. The VMware hardening guides recommend removing unused virtual I/O devices in general.

Mitigation: Do not allow untrusted root users access to your virtual machines. Root or Administrator level permissions are required to exploit this vulnerability.

 

VMware SCSI device unchecked memory write

 

Due to a flaw in the SCSI device registration it is possible to perform an unchecked write into memory. This vulnerability may allow a guest user to crash the VMX process or potentially execute code on the host.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2012-2450 to this issue.

The following paragraphs detail workarounds and mitigating controls that might be available to remove the potential for exploiting the issue and to reduce the exposure that the issue poses.

Workaround: Remove the virtual SCSI controller from the list of virtual I/O devices. The VMware hardening guides recommend removing unused virtual I/O devices in general.

Mitigation: Do not allow untrusted root users access to your virtual machines. Root or Administrator level permissions are required to exploit this issue.

 

Deployment Considerations
 
None beyond the required patch bundles and reboot information listed in the table above.
 
Patch Download and Installation

An ESXi system can be updated using the image profile, by using the esxcli software profile command. For details, see the vSphere Command-Line Interface Concepts and Examples and the vSphere Upgrade Guide.For information about image profiles and how it applies to ESXi 5.0 hosts, see Image Profiles of ESXi 5.0 Hosts (KB 2009231). ESXi hosts can also be updated by manually downloading the patch ZIP file from the VMware download page and installing the VIB by using the esxcli software vib command.

Request a Product Feature

To request a new product feature or to provide feedback on a VMware product, please visit the Request a Product Feature page.

Feedback

  • 2 Ratings

Did this article help you?
This article resolved my issue.
This article did not resolve my issue.
This article helped but additional information was required to resolve my issue.
What can we do to improve this information? (4000 or fewer characters)
  • 2 Ratings
Actions
KB: