


Category:   Application (Generic)  >   VMware ESXi
Vendors:   VMware
(VMware Issues Fix for ESX) Libxml2 Hash Table Collision Bug Lets Remote Users Deny Service
SecurityTracker Alert ID:  1027248
SecurityTracker URL:
CVE Reference:   CVE-2012-0841
Date:  Jul 13 2012
Impact:   Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): ESXi 5.0
Description:   A vulnerability was reported in Libxml2. A remote user can cause denial of service conditions. VMware ESX is affected.

A remote user can send a specially crafted message to cause the target XML service to consume excessive CPU resources by causing hash table collisions.

Juraj Somorovsky reported this vulnerability.

Impact:   A remote user can consume excessive CPU resources on the target system.
Solution:   VMware has issued a fix for ESXi, which is affected by this vulnerability.

The VMware advisory is available at:

Cause:   State error

Message History:   This archive entry is a follow-up to the message listed below.
Feb 22 2012 Libxml2 Hash Table Collision Bug Lets Remote Users Deny Service

 Source Message Contents

Subject:  [Security-announce] VMSA-2012-0012 VMware ESXi update to third party library


                   VMware Security Advisory

Advisory ID:   VMSA-2012-0012
Synopsis:        VMware ESXi update to third party library
Issue date:     2012-07-12
Updated on:   2012-07-12 (initial advisory)
CVE number:  CVE-2010-4008, CVE-2010-4494, 
                        CVE-2011-0216, CVE-2011-1944,
                        CVE-2011-2821, CVE-2011-2834,
                        CVE-2011-3905, CVE-2011-3919,

1. Summary

   VMware ESXi update addresses several security issues.

2. Relevant releases

   ESX 5.0 without patch ESXi500-201207101-SG

3. Problem Description

 a. ESXi update to third party component libxml2

    The libxml2 third party library has been updated which addresses
    multiple security issues.

    The Common Vulnerabilities and Exposures project
    has assigned the names CVE-2010-4008, CVE-2010-4494, CVE-2011-0216,
    CVE-2011-1944, CVE-2011-2821, CVE-2011-2834, CVE-2011-3905,
    CVE-2011-3919 and CVE-2012-0841 to these issues.

    The following table lists what action remediates the vulnerability
    (column 4) if a solution is available.

    VMware         Product   Running   Replace with/
    Product        Version   on        Apply Patch
    =============  ========  ========  ====================
    vCenter        any       Windows   not affected
    hosted *       any       any       not affected
    ESXi           5.0       any       ESXi500-201207101-SG
    ESXi           4.1       any       patch pending
    ESXi           4.0       any       patch pending
    ESXi           3.5       any       patch pending
    ESX            any       any       not applicable

  * hosted products are VMware Workstation, Player, ACE, Fusion.

   Note: "patch pending" means that the product is affected,
         but no patch is currently available. The advisory will be
         updated when a patch is available.

4. Solution

   Please review the patch/release notes for your product and
   version and verify the checksum of your downloaded file.

   ESXi 5.0

   md5sum: 01196c5c1635756ff177c262cb69a848
   sha1sum: 85936f5439100cd5fb55c7add574b5b3b937fe86

   ESXi500-201207001 contains ESXi500-201207101-SG

5. References


6. Change log

   2012-07-12 VMSA-2012-0012   
   Initial security advisory in conjunction with the release of a patch
   for ESXi 5.0 on 2012-07-12.


7. Contact

E-mail list for product security notifications and announcements:

This Security Advisory is posted to the following lists:

  * security-announce at
  * bugtraq at
  * full-disclosure at

E-mail:  security at
PGP key at:

VMware Security Advisories

VMware security response policy

General support life cycle policy

VMware Infrastructure support life cycle policy

Copyright 2012 VMware Inc.  All rights reserved.
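
Section 4 of the advisory asks you to verify the checksum of the downloaded file. The script below is an added example, not part of the VMware advisory or the SecurityTracker entry: it checks a file against both published digests and returns a distinct non-zero code for each failure. The file path is supplied by the caller because the download's file name does not appear on this page, and the function names are illustrative.

```shell
#!/usr/bin/env bash
# Added example: verify a downloaded patch bundle against BOTH digests
# printed in section 4 of VMSA-2012-0012 before installing it.

# Digests as published in the advisory for the ESXi 5.0 download.
ADVISORY_MD5="01196c5c1635756ff177c262cb69a848"
ADVISORY_SHA1="85936f5439100cd5fb55c7add574b5b3b937fe86"

# normalize_digest HEX: strip whitespace and lower-case the hex string
# (digests pasted from e-mail often carry stray spaces or capitals).
normalize_digest() {
    printf '%s' "$1" | tr -d '[:space:]' | tr 'A-F' 'a-f'
}

# is_hex_digest HEX LENGTH: succeed only for exactly LENGTH hex characters.
is_hex_digest() {
    case "$1" in *[!0-9a-f]*|'') return 1 ;; esac
    [ "${#1}" -eq "$2" ]
}

# verify_bundle FILE [MD5] [SHA1]
# FILE is the caller's path to the download (assumed; not named on the page).
# Returns 0 only when the file is readable and both digests match.
# 2 = file unreadable, 3 = malformed expected digest,
# 4 = MD5 mismatch,    5 = SHA-1 mismatch.
verify_bundle() {
    local file=$1 want_md5 want_sha1 got_md5 got_sha1
    want_md5=$(normalize_digest "${2:-$ADVISORY_MD5}")
    want_sha1=$(normalize_digest "${3:-$ADVISORY_SHA1}")

    [ -f "$file" ] && [ -r "$file" ] || { echo "cannot read: $file" >&2; return 2; }
    is_hex_digest "$want_md5" 32 && is_hex_digest "$want_sha1" 40 \
        || { echo "expected digest is malformed" >&2; return 3; }

    # Hash from stdin so each tool prints only "<hash>  -".
    got_md5=$(md5sum < "$file" | cut -d' ' -f1)
    got_sha1=$(sha1sum < "$file" | cut -d' ' -f1)

    [ "$got_md5" = "$want_md5" ] || { echo "MD5 mismatch: $got_md5" >&2; return 4; }
    [ "$got_sha1" = "$want_sha1" ] || { echo "SHA-1 mismatch: $got_sha1" >&2; return 5; }
    echo "OK: $file matches both advisory digests"
}
```

Called with only a file path, `verify_bundle` compares against the two advisory digests; the optional second and third arguments override them for other downloads.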
