VMware GSX Server and ESX Server OpenSSL vulnerability patches

From: VMware (vmware-security-alert_at_vmware.com)
Date: 10/31/03

  • Next message: Oliver Karow: "DoS in Plug and Play Web Server Proxy Server"
    Date: 31 Oct 2003 18:58:59 -0000
    To: bugtraq@securityfocus.com
    ('binary' encoding is not supported, stored as-is)

    Hash: SHA1

    - -----------

    These VMware server products use a version of OpenSSL for securing remote
    management connections that has known vulnerabilities that can expose
    systems to denial of service attacks:

     - VMware GSX Server 2.5.1 (for Windows and Linux systems) build 5336 and
     - VMware ESX Server 2.0 build 5257 and earlier
     - VMware ESX Server 1.5.2 (all versions)

    - --------------

    Certain ASN.1 encodings and tag values can cause stack corruption and out
    of bounds reads in OpenSSL that can be exploited in denial of service
    attacks. For details, see


    VMware GSX Server 2.5.1 (for Windows and Linux systems) build 5336,
    VMware ESX Server 2.0 build 5257 and ESX Server 1.5.2 (all versions)
    install OpenSSL version 0.9.7b as part of the Management Interface,
    Remote Console, and Scripting API packages. OpenSSL version 0.9.7b is
    subject to the above vulnerabilities.

    - -----------

    VMware has made OpenSSL patches available to correct the reported
    vulnerabilities. These patches update GSX Server and ESX Server systems
    and remote console clients with OpenSSL version 0.9.7c.

    VMware stongly urges GSX Server and ESX Server customers to apply the
    OpenSSL patches as soon as possible.

    GSX Server patch installation instructions are at:

    ESX Server patch installation instructions are at:

    - ------------------
    This document is clear signed with PGP.

    VMware has the PGP public key available at


    Some mail programs cause changes to mail messages and content, which may result
    in an indication that the PGP signature for this message is not valid. This
    may also occur if this message is forwarded through another email distribution
    list that changes the "From" field. Please try to save the message into a file
    and then running PGP on it.
    Version: GnuPG v1.2.2 (MingW32)

    -----END PGP SIGNATURE-----

  • Next message: Oliver Karow: "DoS in Plug and Play Web Server Proxy Server"

    Relevant Pages

    • Re: VMWare (GSX or ESX) VS Win4Lin
      ... > Win4Lin with VMWare. ... VMWare's higher end products (esx and gsx Server) are hardly ... comparable to Win4Lin, ... If you go with ESX Server, it is the base OS. ...
    • Re: [fw-wiz] Web server security?
      ... > interface for pluggable security modules. ... I'm unlikely to do a major kernel version upgrade on my only personal Web ... server until I'm comfortable with 2.6. ... Apache and OpenSSL. ...
    • [opensuse] Re: Virtualization in reverse
      ... It's called ESX Server. ... Typically server products or large desktop individualisation ... VMware Workstation). ...
    • [EXPL] Openssl-Too-Open: Apache / OpenSSL Remote Exploit
      ... openssl-too-open is a remote exploit for the KEY_ARG overflow in OpenSSL ... The CLIENT_HELLO message contains a list of the ciphers the client ... The server replies with a SERVER_HELLO message, ... The client sends a CLIENT_FINISHED message with a copy of the connection ...
    • [ MDVSA-2014:158 ] openssl
      ... Affected: Business Server 1.0 ... Multiple vulnerabilities has been discovered and corrected in openssl: ... can be exploited through a Denial of Service attack. ... Updated Packages: ...