Summaries and Symptoms

This patch updates the following issues:

• The libPNG library is updated to libpng-1.6.30.

• ESXi hosts with virtual machines using vmxnet3 virtual NICs might fail, if a transmission queue index, passed by a guest driver, is greater than the configured number of transmission queues and is equal or less than eight, which might result in invalid memory access or a null pointer reference. This patch fixes the issue by validating values passed by guest drivers against the configured number of transmission queues.

• OpenSSL is updated to version 1.0.2l.

• Hostd might run out of memory due to a vNIC link flap, because if multiple virtual machines connected to a distributed virtual switch generate frequent vNIC flaps, this might result in a large number of events posted to hostd that might exceed its memory limit.

• This release resolves a vulnerability in the ESXi Embedded Host Client that might allow for stored cross-site scripting (XSS). The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2017-4940 to this issue.

Patch Download and Installation

The typical way to apply patches to ESXi hosts is through the VMware vSphere Update Manager. For details, see the Installing and Administering VMware vSphere Update Manager.

ESXi hosts can be updated by manually downloading the patch ZIP file from the VMware download page and installing the VIB by using the esxcli software vib command. Additionally, the system can be updated using the image profile and the esxcli software profile command. For details, see the vSphere Command-Line Interface Concepts and Examples and the vSphere Upgrade Guide.