VMware ESX 3.5, Patch ESX350-200808413-SG: Security Update to cim-smwg for the Openwsman Component of the Service Console

Details

Release Date: 18-Sep-2008
Document Last Updated: 18-Sep-2008

Download Size: 2.1MB
Download Filename: ESX350-200808413-SG.zip
md5sum: 2a683d099c28315475db53bd459dcc07


Product Versions: ESX 3.5
Patch Classification: Security
Supersedes: ESX350-200802414-BG, ESX350-200805508-SG
Requires: ESX350-200808205-UG, ESX350-200808408-BG
Virtual Machine Migration or Shutdown Required: No
Host Reboot Required: No; stop Openwsman service before installing patch
PRs Fixed: 313635
Affected Hardware: N/A
Affected Software: N/A
RPMs Included: cim-smwg
Related CVE numbers: CVE-2008-2234
VMware Security Advisory: VMSA-2008-0015

Solution

Summaries and Symptoms

Security update to the Openwsman component of the ESX service console to fix the issue described in SUSE Security Announcement SUSE-SA:2008:041, "Two remote buffer overflows while decoding the HTTP basic authentication header (CVE-2008-2234)."

Note: ESX is not affected by the other issue described in that security announcement, "A possible SSL session replay attack affecting the client (depending on the configuration) (CVE-2008-2233)."

Openwsman is a system management platform that implements the Web Services Management protocol (WS-Management). It is installed and running by default. It is used in the ESX service console.

Additional Details for CVE-2008-2234

The Openwsman 2.0.0 management service on ESX 3.5 is vulnerable to the issue described by CVE-2008-2234, "Two remote buffer overflows while decoding the HTTP basic authentication header." Users without valid login credentials could potentially exploit this vulnerability.

Openwsman before 2.0.0 is not vulnerable to this issue. The ESX 3.5 patch ESX350-200808205-UG updated Openwsman to version 2.0.0. That patch is installed as part of the ESX Upgrade 2 release, or the patch can be installed individually.
 
Note: This vulnerability can be exploited remotely only if the attacker has access to the service console network. Security best practices provided by VMware recommend that the service console be isolated from the VM network. Please see http://www.vmware.com/resources/techresources/726 for more information on VMware security best practices.

Version Information

To check if a vulnerable version of Openwsman is installed on your system, issue the following command from the service console:
 
# rpm -ql cim-smwg
 
The vulnerable version is cim-smwg-1.0.0.1-103202.

Workaround

If you cannot apply this patch, you can stop the wsman service as a workaround.

From the service console issue the command:

# service wsman stop

This workaround is not persistent and will be undone after the next reboot.

Deployment Considerations

Make Sure ESX350-200808205-UG Exists in Your Depot

ESX350-200808413-SG requires the installation of ESX 3.5 U2 refresh bundle ESX350-200808205-UG, irrespective of whether the ESX 3.5 U2 hot fix bundle ESX350-200806812-BG is currently installed or not. Make sure that ESX 3.5 U2 refresh bundle ESX350-200808205-UG is available in the local depot before installation.

Stop Openwsman Service Before Installation

Before installing this patch through the esxupdate utility or Update Manager, you must stop the Openwsman service and restart it after applying the patch.
 
Note: If the Openwsman service is not stopped before installing this patch, the service will not be in a running state after installation. The ESX host will require a reboot.
  1. Log in to the service console as root.

  2. Stop the Openwsman service:

    service wsman stop

  3. Install this patch.

  4. Restart the Openwsman service:

    service wsman start
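
The checks that belong before step 2, as an added example (not part of the VMware article): it compares the downloaded bundle against the md5sum published above and classifies the installed cim-smwg build. It uses rpm -q, which prints the package's name-version-release string; the function names are hypothetical, and md5sum and awk are assumed to be present on the service console.

```shell
#!/bin/sh
# Added example: pre-install checks for ESX350-200808413-SG, run as root on
# the service console. Both values below are copied from this advisory.
BUNDLE_MD5="2a683d099c28315475db53bd459dcc07"
VULNERABLE_NVR="cim-smwg-1.0.0.1-103202"

# Print the MD5 digest of a file (first field of md5sum output).
file_md5() {
    md5sum "$1" | awk '{print $1}'
}

# Succeed only if the file exists and its MD5 equals the expected digest.
bundle_ok() {
    [ -f "$1" ] || return 1
    [ "$(file_md5 "$1")" = "$2" ]
}

# Classify the string printed by `rpm -q cim-smwg`.
classify_cim_smwg() {
    case "$1" in
        "$VULNERABLE_NVR") echo vulnerable ;;     # build named in this advisory
        cim-smwg-*)        echo other-build ;;    # installed, different build
        *)                 echo not-installed ;;  # rpm reported no such package
    esac
}

# Verify the bundle, report the package state, and print the service
# sequence from the procedure when the vulnerable build is present.
preinstall_check() {
    if ! bundle_ok "$1" "$BUNDLE_MD5"; then
        echo "checksum mismatch or missing file: $1" >&2
        return 1
    fi
    nvr=$(rpm -q cim-smwg 2>/dev/null)
    state=$(classify_cim_smwg "$nvr")
    echo "cim-smwg state: $state ($nvr)"
    [ "$state" = vulnerable ] || return 0
    echo "next: service wsman stop; install the patch; service wsman start"
}

# Usage: sh precheck.sh /path/to/ESX350-200808413-SG.zip
if [ "$#" -gt 0 ]; then
    preinstall_check "$1"
fi
```

A result of other-build means only that the installed package is not the build this advisory names; the advisory does not state the version number of the fixed package.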

Related esxupdate Issue

Based on VMware KB 1006878