Vulnerability  oval:org.mitre.oval:def:5759
VMware ESX Openwsman Lets Local Users Gain Root Privileges  

Buffer overflow in the openwsman management service in VMware ESXi 3.5 and ESX 3.5 allows remote authenticated users to gain privileges via an "invalid Content-Length."
Create Date: 2008-06-10 Last Update Date: 2010-05-17

Affected Platforms/Products

Affected Products (CPE + CVE references)
Platforms: unix (from OVAL definitions)
  • VMWare ESX Server 3
  • VMWare ESX Server 2

References

Criteria

The system is vulnerable
IF : Any one of the following are true
IF : All of the following are true VMWare ESX Server 3.0.2 meets CVE-2008-2097
Prerequisites (Extended Definitions)
VMWare ESX Server 3.0.2 is installed oval:org.mitre.oval:def:5613
IF : Any one of the following are true All patches must be installed to not be vulnerable
IF : Patch ESX-1004727 is not installed
esx : patch_test :  Patch ESX-1004727 is not installed 
None of the objects listed below must exist on the system (Existence check)
ESX : Patch 
patch_number : 1004727
IF : Patch ESX-1004821 is not installed
esx : patch_test :  Patch ESX-1004821 is not installed 
None of the objects listed below must exist on the system (Existence check)
ESX : Patch 
patch_number : 1004821
IF : Patch ESX-1004216 is not installed
esx : patch_test :  Patch ESX-1004216 is not installed 
None of the objects listed below must exist on the system (Existence check)
ESX : Patch 
patch_number : 1004216
IF : Patch ESX-1004726 is not installed
esx : patch_test :  Patch ESX-1004726 is not installed 
None of the objects listed below must exist on the system (Existence check)
ESX : Patch 
patch_number : 1004726
IF : Patch ESX-1004722 is not installed
esx : patch_test :  Patch ESX-1004722 is not installed 
None of the objects listed below must exist on the system (Existence check)
ESX : Patch 
patch_number : 1004722
IF : Patch ESX-1004724 is not installed
esx : patch_test :  Patch ESX-1004724 is not installed 
None of the objects listed below must exist on the system (Existence check)
ESX : Patch 
patch_number : 1004724
IF : Patch ESX-1004719 is not installed
esx : patch_test :  Patch ESX-1004719 is not installed 
None of the objects listed below must exist on the system (Existence check)
ESX : Patch 
patch_number : 1004719
IF : Patch ESX-1004219 is not installed
esx : patch_test :  Patch ESX-1004219 is not installed 
None of the objects listed below must exist on the system (Existence check)
ESX : Patch 
patch_number : 1004219
IF : All of the following are true VMWare ESX Server 3.0.1 meets CVE-2008-2097
Prerequisites (Extended Definitions)
VMWare ESX Server 3.0.1 is installed oval:org.mitre.oval:def:5367
IF : Any one of the following are true All patches must be installed to not be vulnerable
IF : Patch ESX-1004186 is not installed
esx : patch_test :  Patch ESX-1004186 is not installed 
None of the objects listed below must exist on the system (Existence check)
ESX : Patch 
patch_number : 1004186
IF : Patch ESX-1004728 is not installed
esx : patch_test :  Patch ESX-1004728 is not installed 
None of the objects listed below must exist on the system (Existence check)
ESX : Patch 
patch_number : 1004728
IF : Patch ESX-1004725 is not installed
esx : patch_test :  Patch ESX-1004725 is not installed 
None of the objects listed below must exist on the system (Existence check)
ESX : Patch 
patch_number : 1004725
IF : Patch ESX-1004721 is not installed
esx : patch_test :  Patch ESX-1004721 is not installed 
None of the objects listed below must exist on the system (Existence check)
ESX : Patch 
patch_number : 1004721
IF : Patch ESX-1004723 is not installed
esx : patch_test :  Patch ESX-1004723 is not installed 
None of the objects listed below must exist on the system (Existence check)
ESX : Patch 
patch_number : 1004723
IF : Patch ESX-1004190 is not installed
esx : patch_test :  Patch ESX-1004190 is not installed 
None of the objects listed below must exist on the system (Existence check)
ESX : Patch 
patch_number : 1004190
IF : Patch ESX-1004189 is not installed
esx : patch_test :  Patch ESX-1004189 is not installed 
None of the objects listed below must exist on the system (Existence check)
ESX : Patch 
patch_number : 1004189
IF : All of the following are true VMWare ESX Server 2.5.5 meets CVE-2008-2097
IF : VMWare ESX Server 2.5.5 build 57619 or higher is installed
esx : version_test :  VMWare ESX Server 2.5.5 build 57619 or higher is installed 
At least one of the objects listed below must exist on the system (Existence check)
ESX : Version The single version object.
release (equals) 2.5.5 (datatype=version)
build (equals) 57619 (datatype=int)
esx : version_state 
IF : VMWare ESX Server 2.5.5 upgrade patch 8 is not installed
esx : patch_test :  VMWare ESX Server 2.5.5 upgrade patch 8 is not installed 
None of the objects listed below must exist on the system (Existence check)
ESX : Patch 
patch_number : 90521
IF : All of the following are true VMWare ESX Server 2.5.4 meets CVE-2008-2097
IF : VMWare ESX Server 2.5.4 build 32233 or higher is installed
esx : version_test :  VMWare ESX Server 2.5.4 build 32233 or higher is installed 
At least one of the objects listed below must exist on the system (Existence check)
ESX : Version The single version object.
release (equals) 2.5.4 (datatype=version)
build (equals) 32233 (datatype=int)
esx : version_state 
IF : VMWare ESX Server 2.5.4 upgrade patch 19 is not installed
esx : patch_test :  VMWare ESX Server 2.5.4 upgrade patch 19 is not installed 
None of the objects listed below must exist on the system (Existence check)
ESX : Patch 
patch_number : 90520

Quick Help

Other Help Topics
Data Types
What is an Object?
What is a State?
What is a Test?
Other Help Topics
Regular Expression Patterns
Some object or state definitions are defined as regular expression patterns, you should interpret the regexp pattern while evaluating them.

OVAL Definitions By Referenced Objects

How does it work?   User agreement and privacy statement   About & Contact
CVE is a registred trademark of the MITRE Corporation and the authoritive source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritive source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritive source of OVAL content is MITRE's OVAL web site.
Warning: This site and all data are provided as is. It is not guaranteed that all information is accurate and complete. Use any information provided on this site at your own risk. By using this site you accept that you know that these data are provided as is and not guaranteed to be accurate, correct or complete. All trademarks appearing on this site are the property of their respective owners in the US or other countries. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss. PLEASE SEE nvd.nist.gov and oval.mitre.org for more details about OVAL language and definitions.
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor/web site owner/maintainer be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
Use of OVAL and all related data is subject to terms of use defined by Mitre at http://oval.mitre.org/oval/about/termsofuse.html