VMware released an advisory that addresses vulnerabilities in open source components in its VMware vCenter 4.1, VMware vCenter Update Manager 4.1, VMware ESX and ESXi, and VMware vCOps 5.0.2 or earlier.
Among the upgraded components are OpenSSL, Perl, libxm2 and the Linux kernel.
The holes in vCenter and vCenter Update Manager and vCOps can all all go away by updating to vCenter Server 4.1 Update 3.
VMware has also updated the previous advisories VMSA-2012-0005 and VMSA-2012-0012.1 with information about this new update. Patches are pending for the earlier ESX 4.0.
vCenter 4.1 and ESX 4.1’s Java 1.6 refreshed to Java 1.6.0 Update 31 from February’s Oracle CPU. The latest version of Java 1.6 is update 35, released last week, so the update misses June’s Java security update and last week’s Java update. The latter update does, though, have a CVSS score of 0.0 as it is not exploitable.
Patches for the same problem are pending for vCenter 5.0 and Update Manager 5.0. vCenter Update Manager 4.1 has had its Java 1.5 updated to Oracle’s June CPU release, update 36, though patches are pending for vCenter 4.0, VirtualCenter 2.5, Update Manager 4.0, ESX 4.0 and ESX 3.5.