[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID:       VMSA-2011-0003
Synopsis:          Third party component updates for VMware vCenter
                   Server, vCenter Update Manager, ESXi and ESX
Issue date:        2011-02-10
Updated on:        2011-02-10 (initial release of advisory)
CVE numbers:       --- Apache Tomcat ---
                   CVE-2009-2693 CVE-2009-2901 CVE-2009-2902
                   CVE-2009-3548 CVE-2010-2227 CVE-2010-1157
                   --- Apache Tomcat Manager ---
                   CVE-2010-2928
                   --- cURL ---
                   CVE-2010-0734
                   --- COS Kernel ---
                   CVE-2010-1084 CVE-2010-2066 CVE-2010-2070
                   CVE-2010-2226 CVE-2010-2248 CVE-2010-2521
                   CVE-2010-2524 CVE-2010-0008 CVE-2010-0415
                   CVE-2010-0437 CVE-2009-4308 CVE-2010-0003
                   CVE-2010-0007 CVE-2010-0307 CVE-2010-1086
                   CVE-2010-0410 CVE-2010-0730 CVE-2010-1085
                   CVE-2010-0291 CVE-2010-0622 CVE-2010-1087
                   CVE-2010-1173 CVE-2010-1437 CVE-2010-1088
                   CVE-2010-1187 CVE-2010-1436 CVE-2010-1641
                   CVE-2010-3081
                   --- Microsoft SQL Express ---
                   CVE-2008-5416 CVE-2008-0085 CVE-2008-0086
                   CVE-2008-0107 CVE-2008-0106
                   --- OpenSSL ---
                   CVE-2010-0740 CVE-2010-0433
                   CVE-2010-3864 CVE-2010-2939
                   --- Oracle (Sun) JRE ---
                   CVE-2009-3555 CVE-2010-0082 CVE-2010-0084
                   CVE-2010-0085 CVE-2010-0087 CVE-2010-0088
                   CVE-2010-0089 CVE-2010-0090 CVE-2010-0091
                   CVE-2010-0092 CVE-2010-0093 CVE-2010-0094
                   CVE-2010-0095 CVE-2010-0837 CVE-2010-0838
                   CVE-2010-0839 CVE-2010-0840 CVE-2010-0841
                   CVE-2010-0842 CVE-2010-0843 CVE-2010-0844
                   CVE-2010-0845 CVE-2010-0846 CVE-2010-0847
                   CVE-2010-0848 CVE-2010-0849 CVE-2010-0850
                   CVE-2010-0886 CVE-2010-3556 CVE-2010-3566
                   CVE-2010-3567 CVE-2010-3550 CVE-2010-3561
                   CVE-2010-3573 CVE-2010-3565 CVE-2010-3568
                   CVE-2010-3569 CVE-2010-1321 CVE-2010-3548
                   CVE-2010-3551 CVE-2010-3562 CVE-2010-3571
                   CVE-2010-3554 CVE-2010-3559 CVE-2010-3572
                   CVE-2010-3553 CVE-2010-3549 CVE-2010-3557
                   CVE-2010-3541 CVE-2010-3574
                   --- pam_krb5 ---
                   CVE-2008-3825 CVE-2009-1384
- ------------------------------------------------------------------------

1. Summary

   Update 1 for vCenter Server 4.1, vCenter Update Manager 4.1, vSphere
   Hypervisor (ESXi) 4.1, ESXi 4.1, addresses several security issues.


2. Relevant releases

   vCenter Server 4.1 without Update 1,

   vCenter Update Manager 4.1 without Update 1,

   ESXi 4.1 without patch ESXi410-201101201-SG,

   ESX 4.1 without patch ESX410-201101201-SG.


3. Problem Description

 a. vCenter Server and vCenter Update Manager update Microsoft
    SQL Server 2005 Express Edition to Service Pack 3

    Microsoft SQL Server 2005 Express Edition (SQL Express)
    distributed with vCenter Server 4.1 Update 1 and vCenter Update
    Manager 4.1 Update 1 is upgraded from  SQL Express Service Pack 2
    to SQL Express Service Pack 3, to address multiple security
    issues that exist in the earlier releases of Microsoft SQL Express.

    Customers using other database solutions need not update for
    these issues.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the names CVE-2008-5416, CVE-2008-0085, CVE-2008-0086,
    CVE-2008-0107 and CVE-2008-0106 to the issues addressed in MS SQL
    Express Service Pack 3.

    Column 4 of the following table lists the action required to
    remediate the vulnerability in each release, if a solution is
    available.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    vCenter        4.1       Windows  Update 1
    vCenter        4.0       Windows  affected, patch pending
    VirtualCenter  2.5       Windows  affected, no patch planned

    Update Manager 4.1       Windows  Update 1
    Update Manager 4.0       Windows  affected, patch pending
    Update Manager 1.0       Windows  affected, no patch planned

    hosted *       any       any      not affected

    ESXi           any       ESXi     not affected

    ESX            any       ESX      not affected

  * Hosted products are VMware Workstation, Player, ACE, Fusion.

 b. vCenter Apache Tomcat Management Application Credential Disclosure

    The Apache Tomcat Manager application configuration file contains
    logon credentials that can be read by unprivileged local users.

    The issue is resolved by removing the Manager application in
    vCenter 4.1 Update 1.

    If vCenter 4.1 is updated to vCenter 4.1 Update 1 the logon
    credentials are not present in the configuration file after the
    update.

    VMware would like to thank Claudio Criscione of Secure Networking
    for reporting this issue to us.

    The Common Vulnerabilities and Exposures Project (cve.mitre.org)
    has assigned the name CVE-2010-2928 to this issue.

    Column 4 of the following table lists the action required to
    remediate the vulnerability in each release, if a solution is
    available.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    vCenter        4.1       Windows  Update 1
    vCenter        4.0       Windows  not affected
    VirtualCenter  2.5       Windows  not affected

    hosted *       any       any      not affected

    ESXi           any       ESXi     not affected

    ESX            any       ESX      not affected

  * hosted products are VMware Workstation, Player, ACE, Fusion.

 c. vCenter Server and ESX, Oracle (Sun) JRE is updated to version
    1.6.0_21

    Oracle (Sun) JRE update to version 1.6.0_21, which addresses
    multiple security issues that existed in earlier releases of
    Oracle (Sun) JRE.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the following names to the security issues fixed in
    Oracle (Sun) JRE 1.6.0_19: CVE-2009-3555, CVE-2010-0082,
    CVE-2010-0084, CVE-2010-0085, CVE-2010-0087, CVE-2010-0088,
    CVE-2010-0089, CVE-2010-0090, CVE-2010-0091, CVE-2010-0092,
    CVE-2010-0093, CVE-2010-0094, CVE-2010-0095, CVE-2010-0837,
    CVE-2010-0838, CVE-2010-0839, CVE-2010-0840, CVE-2010-0841,
    CVE-2010-0842, CVE-2010-0843, CVE-2010-0844, CVE-2010-0845,
    CVE-2010-0846, CVE-2010-0847, CVE-2010-0848, CVE-2010-0849,
    CVE-2010-0850.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the following name to the security issue fixed in
    Oracle (Sun) JRE 1.6.0_20: CVE-2010-0886.

    Column 4 of the following table lists the action required to
    remediate the vulnerability in each release, if a solution is
    available.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    vCenter        4.1       Windows  Update 1
    vCenter        4.0       Windows  not applicable **
    VirtualCenter  2.5       Windows  not applicable **

    Update Manager 4.1       Windows  not applicable **
    Update Manager 4.0       Windows  not applicable **
    Update Manager 1.0       Windows  not applicable **


    hosted *       any       any      not affected

    ESXi           any       ESXi     not affected

    ESX            4.1       ESX      ESX410-201101201-SG
    ESX            4.0       ESX      not applicable **
    ESX            3.5       ESX      not applicable **
    ESX            3.0.3     ESX      not applicable **

  * hosted products are VMware Workstation, Player, ACE, Fusion.
 ** this product uses the Oracle (Sun) JRE 1.5.0 family

d. vCenter Update Manager Oracle (Sun) JRE is updated to version
   1.5.0_26

    Oracle (Sun) JRE update to version 1.5.0_26, which addresses
    multiple security issues that existed in earlier releases of
    Oracle (Sun) JRE.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the following names to the security issues fixed in
    Oracle (Sun) JRE 1.5.0_26: CVE-2010-3556, CVE-2010-3566,
    CVE-2010-3567, CVE-2010-3550, CVE-2010-3561, CVE-2010-3573,
    CVE-2010-3565,CVE-2010-3568, CVE-2010-3569,  CVE-2009-3555,
    CVE-2010-1321, CVE-2010-3548, CVE-2010-3551, CVE-2010-3562,
    CVE-2010-3571, CVE-2010-3554, CVE-2010-3559, CVE-2010-3572,
    CVE-2010-3553, CVE-2010-3549, CVE-2010-3557, CVE-2010-3541,
    CVE-2010-3574.

    Column 4 of the following table lists the action required to
    remediate the vulnerability in each release, if a solution is
    available.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    vCenter        4.1       Windows  not applicable **
    vCenter        4.0       Windows  affected, patch pending
    VirtualCenter  2.5       Windows  affected, no patch planned

    Update Manager 4.1       Windows  Update 1
    Update Manager 4.0       Windows  affected, patch pending
    Update Manager 1.0       Windows  affected, no patch planned

    hosted *       any       any      not affected

    ESXi           any       ESXi     not affected

    ESX            4.1       ESX      not applicable **
    ESX            4.0       ESX      affected, patch pending
    ESX            3.5       ESX      affected, no patch planned
    ESX            3.0.3     ESX      affected, no patch planned

  * hosted products are VMware Workstation, Player, ACE, Fusion.
 ** this product uses the Oracle (Sun) JRE 1.6.0 family

 e. vCenter Server and ESX Apache Tomcat updated to version 6.0.28

    Apache Tomcat updated to version 6.0.28, which addresses multiple
    security issues that existed in earlier releases of Apache Tomcat

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the following names to the security issues fixed in
    Apache Tomcat 6.0.24: CVE-2009-2693, CVE-2009-2901, CVE-2009-2902,i
    and CVE-2009-3548.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the following names to the security issues fixed in
    Apache Tomcat 6.0.28: CVE-2010-2227, CVE-2010-1157.

    Column 4 of the following table lists the action required to
    remediate the vulnerability in each release, if a solution is
    available.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    vCenter        4.1       Windows  Update 1
    vCenter        4.0       Windows  affected, patch pending
    VirtualCenter  2.5       Windows  not applicable **

    hosted *       any       any      not affected

    ESXi           any       ESXi     not affected

    ESX            4.1       ESX      ESX410-201101201-SG
    ESX            4.0       ESX      affected, patch pending
    ESX            3.5       ESX      not applicable **
    ESX            3.0.3     ESX      not applicable **

  * hosted products are VMware Workstation, Player, ACE, Fusion.
 ** this product uses the Apache Tomcat 5.5 family

 f. vCenter Server third party component OpenSSL updated to version
    0.9.8n

    The version of the OpenSSL library in vCenter Server is updated to
    0.9.8n.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the names CVE-2010-0740 and CVE-2010-0433 to the
    issues addressed in this version of OpenSSL.

    Column 4 of the following table lists the action required to
    remediate the vulnerability in each release, if a solution is
    available.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    vCenter        4.1       Windows  Update 1
    vCenter        4.0       Windows  affected, patch pending
    VirtualCenter  2.5       Windows  affected, no patch planned

    hosted *       any       any      not applicable

    ESXi           any       ESXi     not applicable

    ESX            any       ESX      not applicable

  * hosted products are VMware Workstation, Player, ACE,  Fusion.

 g. ESX third party component OpenSSL updated to version 0.9.8p

    The version of the ESX OpenSSL library is updated to 0.9.8p.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the names CVE-2010-3864 and CVE-2010-2939 to the
    issues addressed in this update.

    Column 4 of the following table lists the action required to
    remediate the vulnerability in each release, if a solution is
    available.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    vCenter        any       Windows  not applicable

    hosted *       any       any      not applicable
    ESXi           4.1       ESXi     ESXi410-201101201-SG
    ESXi           4.0       ESXi     affected, patch pending
    ESXi           3.5       ESXi     affected, patch pending

    ESX            4.1       ESX      ESX410-201101201-SG
    ESX            4.0       ESX      affected, patch pending
    ESX            3.5       ESX      affected, patch pending
    ESX            3.0.3     ESX      affected, patch pending

  * hosted products are VMware Workstation, Player, ACE, Fusion.

 h. ESXi third party component cURL updated

    The version of cURL library in ESXi is updated.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the name CVE-2010-0734 to the issues addressed in
    this update.

    Column 4 of the following table lists the action required to
    remediate the vulnerability in each release, if a solution is
    available.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    vCenter        any       Windows  not affected

    hosted *       any       any      not affected

    ESXi           4.1       ESXi     ESXi410-201101201-SG
    ESXi           4.0       ESXi     affected, patch pending
    ESXi           3.5       ESXi     affected, patch pending

    ESX            any       ESX      not applicable

  * hosted products are VMware Workstation, Player, ACE, Fusion.

 i. ESX third party component pam_krb5 updated

    The version of pam_krb5 library is updated.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the names CVE-2008-3825 and CVE-2009-1384 to the
    issues addressed in the update.

    Column 4 of the following table lists the action required to
    remediate the vulnerability in each release, if a solution is
    available.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    vCenter        any       Windows  not affected

    hosted *       any       any      not affected

    ESXi           any       ESXi     not affected

    ESX            4.1       ESX      ESX410-201101201-SG
    ESX            4.0       ESX      not affected
    ESX            3.5       ESX      not affected
    ESX            3.0.3     ESX      not affected

  * hosted products are VMware Workstation, Player, ACE, Fusion.

 j. ESX third party update for Service Console kernel

    The Service Console kernel is updated to include kernel version
    2.6.18-194.11.1.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the names CVE-2010-1084, CVE-2010-2066, CVE-2010-2070,
    CVE-2010-2226, CVE-2010-2248, CVE-2010-2521, CVE-2010-2524,
    CVE-2010-0008, CVE-2010-0415, CVE-2010-0437, CVE-2009-4308,
    CVE-2010-0003, CVE-2010-0007, CVE-2010-0307, CVE-2010-1086,
    CVE-2010-0410, CVE-2010-0730, CVE-2010-1085, CVE-2010-0291,
    CVE-2010-0622, CVE-2010-1087, CVE-2010-1173, CVE-2010-1437,
    CVE-2010-1088, CVE-2010-1187, CVE-2010-1436, CVE-2010-1641, and
    CVE-2010-3081 to the issues addressed in the update.

    Note: This update also addresses the 64-bit compatibility mode
    stack pointer underflow issue identified by CVE-2010-3081. This
    issue was patched in an ESX 4.1 patch prior to the release of
    ESX 4.1 Update 1.

    Column 4 of the following table lists the action required to
    remediate the vulnerability in each release, if a solution is
    available.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    vCenter        any       Windows  not affected

    hosted *       any       any      not affected

    ESXi           any       ESXi     not affected

    ESX            4.1       ESX      ESX410-201101201-SG
    ESX            4.0       ESX      affected, patch pending
    ESX            3.5       ESX      not applicable
    ESX            3.0.3     ESX      not applicable

  * hosted products are VMware Workstation, Player, ACE, Fusion.


4. Solution

   Please review the patch/release notes for your product and version
   and verify the checksum of your downloaded file.

   VMware vCenter Server 4.1 Update 1 and modules
   ----------------------------------------------

http://downloads.vmware.com/d/info/datacenter_downloads/vmware_vsphere_4/4_0
   Release Notes:
   http://downloads.vmware.com/support/pubs/vs_pages/vsp_pubs_esx41_vc41.html

   File type: .iso
   md5sum: 729cf247aa5d33ceec431c86377eee1a
   sha1sum: c1e10a5fcbc1ae9d13348d43541d574c563d66f0

   File type: .zip
   md5sum: fd1441bef48a153f2807f6823790e2f0
   sha1sum: 31737a816ed1c08ab3a505fb6db2483f49ad7c19

   VMware vSphere Client
   File type: .exe
   md5sum: cb6aa91ada1289575355d79e8c2a9f8e
   sha1sum: f9e3d8eb83196ae7c31aab554e344a46b722b1e4

   ESXi 4.1 Installable Update 1
   -----------------------------

http://downloads.vmware.com/d/info/datacenter_downloads/vmware_vsphere_4/4_0
   Release Notes:

http://downloads.vmware.com/support/vsphere4/doc/vsp_esxi41_u1_rel_notes.html
   http://kb.vmware.com/kb/1027919

   File type: .iso
   MD5SUM: d68d6c2e040a87cd04cd18c04c22c998
   SHA1SUM: bbaacc0d34503822c14f6ccfefb6a5b62d18ae64

   ESXi 4.1 Update 1 (upgrade ZIP from ESXi 4.1)
   File type: .zip
   MD5SUM: 2f1e009c046b20042fae3b7ca42a840f
   SHA1SUM: 1c9c644012dec657a705ddd3d033cbfb87a1fab1

   ESXi 4.1 Update 1 (upgrade ZIP from ESXi 4.0)
   File type: .zip
   MD5SUM: 67b924618d196dafaf268a7691bd1a0f
   SHA1SUM: 9d74b639e703259d9e49c0341158e0d4e45de516 	

   ESXi 4.1 Update 1 (upgrade ZIP from ESXi 3.5)
   File type: .zip
   MD5SUM: a6024b9f6c6b7b2c629696afc6d07cf4
   SHA1SUM: b3841de1a30617ac68d5a861882aa72de3a93488 	

   VMware Tools CD image for Linux Guest OSes
   File type: .iso
   MD5SUM: dad66fa8ece1dd121c302f45444daa70
   SHA1SUM: 56535a2cfa7799607356c6fd0a7d9f041da614af 	

   VMware vSphere Client
   File type: .exe
   MD5SUM: cb6aa91ada1289575355d79e8c2a9f8e
   SHA1SUM: f9e3d8eb83196ae7c31aab554e344a46b722b1e4

   ESXi Installable Update 1 contains the following security bulletins:
   ESXi410-201101201-SG.

   ESX 4.1 Update 1
   ----------------

http://downloads.vmware.com/d/info/datacenter_downloads/vmware_vsphere_4/4_0
   Release Notes:

http://downloads.vmware.com/support/vsphere4/doc/vsp_esx41_u1_rel_notes.html
   http://kb.vmware.com/kb/1029353

   ESX 4.1 Update 1 (DVD ISO)
   File type: .iso
   md5sum: b9a275b419a20c7bedf31c0bf64f504e
   sha1sum: 2d85edcaca8218013585e1eab00bc80db6d96e11 	

   ESX 4.1 Update 1 (upgrade ZIP from ESX 4.1)
   File type: .zip
   md5sum: 2d81a87e994aa2b329036f11d90b4c14
   sha1sum: c2bfc0cf7ac03d24afd5049ddbd09a865aad1798 	

   Pre-upgrade package for ESX 4.0 to ESX 4.1 Update 1
   File type: .zip
   md5sum: 75f8cebfd55d8a81deb57c27def963c2
   sha1sum: 889c15aa8008fe0e29439d0ab3468c2beb1c4fe2 	

   ESX 4.1 Update 1 (upgrade ZIP from ESX 4.0)
   File type: .zip
   md5sum: 1dc9035cd10e7e60d27e7a7aef57b4c2
   sha1sum: e6d3fb65d83a3e263d0f634a3572025854ff8922 	

   VMware Tools CD image for Linux Guest OSes
   File type: .iso
   md5sum: dad66fa8ece1dd121c302f45444daa70
   sha1sum: 56535a2cfa7799607356c6fd0a7d9f041da614af 	

   VMware vSphere Client
   File type: .exe
   md5sum: cb6aa91ada1289575355d79e8c2a9f8e
   sha1sum: f9e3d8eb83196ae7c31aab554e344a46b722b1e4

   ESX410-Update01 contains the following security bulletins:
   ESX410-201101201-SG (COS kernel, pam_krb5, cURL, OpenSSL,
   Apache Tomcat, Oracle (Sun) JRE) | http://kb.vmware.com/kb/1027904
   ESX410-201101226-SG (glibc)      | http://kb.vmware.com/kb/1031330

   ESX410-Update01 also contains the following non-security bulletins
   ESX410-201101211-UG, ESX410-201101213-UG, ESX410-201101215-UG,
   ESX410-201101202-UG, ESX410-201101203-UG, ESX410-201101204-UG,
   ESX410-201101206-UG, ESX410-201101207-UG, ESX410-201101208-UG,
   ESX410-201101214-UG, ESX410-201101216-UG, ESX410-201101217-UG,
   ESX410-201101218-UG, ESX410-201101219-UG, ESX410-201101220-UG,
   ESX410-201101221-UG, ESX410-201101222-UG, ESX410-201101225-UG.

   To install an individual bulletin use esxupdate with the -b option.


5. References

   CVE numbers
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5416
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0085
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0086
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0107
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0106
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2928
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0082
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0084
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0085
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0087
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0088
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0089
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0090
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0091
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0092
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0093
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0094
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0095
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0837
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0838
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0839
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0840
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0841
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0842
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0843
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0844
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0845
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0846
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0847
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0848
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0849
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0850
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0886
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2693
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2901
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2902
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3548
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2227
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1157
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0740
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0433
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3864
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2939
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0734
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3825
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1384
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1084
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2066
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2070
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2226
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2248
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2521
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2524
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0008
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0415
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0437
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4308
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0003
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0007
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0307
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1086
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0410
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0730
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1085
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0291
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0622
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1087
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1173
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1437
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1088
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1187
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1436
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1641
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3081
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3556
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3566
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3567
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3550
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3561
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3573
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3565
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3568
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3569
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1321
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3548
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3551
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3562
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3571
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3554
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3559
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3572
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3553
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3549
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3557
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3541
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3574

- ------------------------------------------------------------------------
6. Change log

2011-02-10  VMSA-2011-0003
Initial security advisory in conjunction with the release of vCenter
Server 4.1 Update 1, vCenter Update Manager 4.1 Update 1, ESXi 4.1
Update 1, and ESX 4.1 Update 1 on 2011-02-10.

- -----------------------------------------------------------------------
7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

  * security-announce at lists.vmware.com
  * bugtraq at securityfocus.com
  * full-disclosure at lists.grok.org.uk

E-mail:  security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055

VMware Security Advisories
http://www.vmware.com/security/advisories

VMware security response policy
http://www.vmware.com/support/policies/security_response.html

General support life cycle policy
http://www.vmware.com/support/policies/eos.html

VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html

Copyright 2011 VMware Inc.  All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)

iEYEARECAAYFAk1U1eoACgkQS2KysvBH1xm3swCfeh4sWvPOubDT1K7QlRj3SjW9
dxYAmwbNLMR9IG/rKZDYh9hqcf4IldCX
=2pVj
-----END PGP SIGNATURE-----