VMware
 

Knowledge Base

Search the Knowledge Base:
Products:
Search In:
 

ESX Server 3.0.0, Patch Bundle ESX-5754280: Buffer Overflow Security Issue

Details

Security Fixes

This bundle is a group of patches to resolve two possible security issues. They are as follows:

  • An internal security audit revealed a double free condition. It might be possible for an attacker to influence the operation of the system. In most circumstances, this influence will be limited to denial of service or information leakage, but it is theoretically possible for an attacker to insert arbitrary code into a running program. This code would be executed with the permissions of the vulnerable program. There are no known exploits for this issue.

The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the name CVE-2007-1270 to this issue.

  • An internal security audit revealed a potential buffer overflow condition. There are no known vulnerabilities, but such vulnerabilities may be used to elevate privileges or to crash the application and thus cause a denial of service.

The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the name CVE-2007-1271 to this issue.

The following patches are contained within this bundle:

  • ESX-131737
  • ESX-1870154
  • ESX-392718
  • ESX-4197945
  • ESX-4921691
  • ESX-5752668
  • ESX-7052426
  • ESX-9976400
Note: All the patches in this bundle must be applied for the security fixes described above to be complete.

Solution

Applicability

The patches in this bundle are for ESX Server 3.0.0 only. For the related bundle for ESX Server 3.0.1, refer to http://kb.vmware.com/kb/6431040.

Download Instructions

Download and verify the patch bundle as follows:

  1. Download patch ESX-5754280 from http://www.vmware.com/download/vi/vi3_patches.html.
  2. Log into the ESX Server service console as root.
  3. Create a local depot directory.

    # mkdir /var/updates

    Note: VMware recommends that you use the updates directory.

  4. Change your working directory to /var/updates.

    # cd /var/updates

  5. Download the tar file into the /var/updates directory.
  6. Verify the integrity of the downloaded tar file.

    # md5sum ESX-5754280.tgz

    The md5 checksum output should match the following:

    82b3c7e18dd1422f30c4aa9e477c6a27 ESX-5754280.tgz

  7. Extract the compressed tar archive.

    # tar -xvzf ESX-5754280.tgz

  8. Change to the newly created directory, /var/updates/ESX-5754280.

    # cd ESX-5754280

Installation Instructions

For ESX Server versions 3.x, patches are installed using the esxupdate utility on the ESX Server host. This patch bundle makes use of esxupdate and a script that helps you to install multiple patches. With the script, you may still choose to install all or only a few of the patches contained within the bundle, or you might choose to use esxupdate without the script. For installation instructions for each method, please see the following sections.

For more information on using esxupdate, refer to the Patch Management for ESX Server 3 tech note at http://www.vmware.com/pdf/esx3_esxupdate.pdf.

Note: All virtual machines on the host must be either shut down or migrated using VMotion before applying the patch. A reboot of the ESX Server host is not required.

Installing the Patches Using the install_patches Script

Install all the patch updates using the install_patches script command provided in the patch tar file. The install_patches script will prompt you to decide if you want to apply all or some of the patches from the patch bundle. After you have downloaded and extracted the archive, and if you are in the directory you created above, start the script as follows:

# ./install_patches

When the script has completed all of the patch installations, it will prompt you whether you want to reboot the ESX Server host.

Installing the Patches Individually Using esxupdate

After you have downloaded and extracted the archive, if you are in the bundle's main directory, you will need to change to the directory of the patch you want to install as follows:

# cd ESX-xxxxxx

The full path will now be something like /var/updates/ESX-5754280/ESX-xxxxxx, where ESX-xxxxxx is the patch number you want to install. To install the update, issue the following command:

# esxupdate update

If you want to run esxupdate from a different directory, you must specify the path in the command:

# esxupdate -r file://<directory>/ESX-xxxxxx update

For example, if the host is called depot:

# esxupdate –r file:///depot/var/updates/ESX-xxxxxx update

During the update process, logs appear on the terminal. You can specify the verbosity of esxupdate logs by using the -v option as shown below:

# esxupdate -v 10 -r file://<directory>/ESX-xxxxxx update

Keywords

esx300;esxpatch CVE-2007-1270, CVE-2007-1271

Feedback

Rating: 1 - Lowest 2 3 4 5 - Highest (0 Ratings)   

Did this article help you?
This article resolved my issue.
This article did not resolve my issue.
This article helped but additional information was required to resolve my issue.
What can we do to improve this information? (2000 or fewer characters)
Submit
Rating: 1 - Lowest 2 3 4 5 - Highest (0 Ratings)   
Actions
  • KB Article: 5754280
  • Updated: Aug 14, 2009
  • Products:
    VMware ESX
  • Product Versions:
    VMware ESX 3.0.x