VMware ESXi 3.5 Patch ESXe350-201302401-I-SG: Updates Firmware (2042543)

Details

Release date: February 21, 2013

Download Size: 236.3 MB
Download Filename: ESXe350-201302401-O-SG.zip
md5sum: a2c5f49bc865625b3796c41c202d1696
sha1sum: 12d25011d9940ea40d45f77a4e5bcc7e7b0c0cee

Note: The three ESXi patches for Firmware "I", VMware Tools "T," and the VI Client "C" are contained in a single offline "O" download file.

Product: ESXi 3.5
Build Information: 988599
Patch Classification: Security
Virtual Machine Migration or Reboot Required: Yes
Host Reboot Required: Yes
PRs Fixed: 840392, 951693, 961933
Affected Hardware: N/A
Affected Software: N/A
Related CVE numbers: CVE-2013-1405, CVE-2013-1659

Solution

Summaries and Symptoms

This patch adds the following enhancements or addresses the following issues:

  • Oracle (Sun) JRE is updated to version 1.5.0_38, which addresses multiple security issues that existed in earlier releases of Oracle (Sun) JRE. Oracle has documented the CVE identifiers that are addressed in JRE 1.5.0_38 in the Oracle Java SE Critical Patch Update Advisory of October 2012 at http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html

  • VMware vCenter Server and ESXi contain a vulnerability in the handling of the Network File Copy (NFC) protocol. To exploit this vulnerability, an attacker must modify the NFC traffic between vCenter Server and the client or ESXi and the client. Exploitation of the issue may lead to code execution.

    The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-1659 to this issue.

  • This patch resolves a vulnerability with the vSphere Client in its handling of the management authentication protocol. To exploit this vulnerability, an attacker must convince vSphere Client to interact with a malicious server. Exploitation of this issue might lead to code execution on the system where the vSphere Client is installed. To reduce the possibility of exploitation, deploy the vSphere Client in an isolated management network.

    The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-1405 to this issue.

Deployment Considerations

None beyond the required patch bundles and reboot information listed in the table above.

Patch Download and Installation

Note: All virtual machines on the ESXi host must be either shut down or migrated using vMotion before applying the patch. You must reboot the ESXi host after applying this patch.

Note: ESXi hosts do not reboot automatically when you patch with the offline bundle.
