Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: VMWare :: bu-1801.htm

ESX Service Console update for net-snmp
VMSA-2010-0003 ESX Service Console update for net-snmp
VMSA-2010-0003 ESX Service Console update for net-snmp

Hash: SHA1

- -------------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID:       VMSA-2010-0003
Synopsis:          ESX Service Console update for net-snmp
Issue date:        2010-02-16
Updated on:        2010-02-16 (initial release of advisory)
CVE numbers:       CVE-2009-1887
- -------------------------------------------------------------------------

1. Summary

   Update for Service Console package net-snmp

2. Relevant releases

   VMware ESX 3.5 without patch ESX350-201002401-SG

3. Problem Description

 a. Service Console package net-snmp updated

    This patch updates the service console package for net-snmp,
    net-snmp-utils, and net-snmp-libs to version
    net-snmp-5.0.9-2.30E.28. This net-snmp update fixes a divide-by-
    zero flaw in the snmpd daemon. A remote attacker could issue a
    specially crafted GETBULK request that could cause the snmpd daemon
    to fail.

    This vulnerability was introduced by an incorrect fix for

    The Common Vulnerabilities and Exposures Project ( has
    assigned the name CVE-2009-1887 to this issue.

    Note: After installing the previous patch for net-snmp
    (ESX350-200901409-SG), running the snmpbulkwalk command with the
    parameter -CnX results in no output, and the snmpd daemon stops.

    The following table lists what action remediates the vulnerability
    (column 4) if a solution is available.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  ================    VirtualCenter  any       Windows  not affected

    hosted *       any       any      not affected

    ESXi           any       ESXi     not affected

    ESX            4.0       ESX      not affected
    ESX            3.5       ESX      ESX350-201002401-SG
    ESX            3.0.3     ESX      affected, patch pending
    ESX            2.5.5     ESX      not affected

  * hosted products are VMware Workstation, Player, ACE, Server, Fusion.

4. Solution

   Please review the patch/release notes for your product and version
   and verify the md5sum of your downloaded file.

   ESX 3.5
   md5sum: a91428cb6bc2da794f581aefd5eef010 

5. References

   CVE numbers 

- -------------------------------------------------------------------------
6. Change log

2010-02-16  VMSA-2010-0003
Initial security advisory after release of patches for ESX 3.5
on 2010-02-16.

- ------------------------------------------------------------------------
7. Contact

E-mail list for product security notifications and announcements: 

This Security Advisory is posted to the following lists:

  * security-announce at
  * bugtraq at
  * full-disclosure at

E-mail:  security at
PGP key at: 

VMware Security Center 

VMware security response policy 

General support life cycle policy 

VMware Infrastructure support life cycle policy 

Copyright 2010 VMware Inc.  All rights reserved.
Version: GnuPG v2.0.14 (GNU/Linux)
Comment: Using GnuPG with Mozilla - 


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH