
VMware ESXi 6.0, Patch Release ESXi600-201903001

Release Date: March 28, 2019

Download Filename: ESXi600-201903001.zip

Build: 13003896

Download Size: 363.7 MB

md5sum: ef7eb35d3b83398935346fe8fa8879a3

sha1checksum: 7cea8adb34eff84507d124f4548f0a13d57dd393

Host Reboot Required: Yes

Virtual Machine Migration or Shutdown Required: Yes

Bulletins

Bulletin ID            Category   Severity
ESXi600-201903401-SG   Security   Critical

Rollup Bulletin

This rollup bulletin contains the latest VIBs with all the fixes since the initial release of ESXi 6.0.

Bulletin ID         Category   Severity
ESXi600-201903001   Security   Critical

Image Profiles

VMware patch and update releases contain general and critical image profiles. The general release image profile applies to new bug fixes.

Image Profile Name
ESXi-6.0.0-20190304001-standard
ESXi-6.0.0-20190304001-no-tools

For more information about the individual bulletins, see the Download Patches page and the Resolved Issues section.

Patch Download and Installation

The typical way to apply patches to ESXi hosts is through the VMware vSphere Update Manager. For details, see Installing and Administering VMware vSphere Update Manager.

ESXi hosts can be updated by manually downloading the patch ZIP file from the VMware download page and installing the VIB by using the esxcli software vib command. Additionally, the system can be updated using the image profile and the esxcli software profile command.

For more information, see the vSphere Command-Line Interface Concepts and Example Guide and the vSphere Upgrade Guide.
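
As an added example (not VMware's code), the shell functions below check a downloaded ZIP against the sha1checksum published on this page and compare `esxcli software vib list` output with the VIB versions listed for bulletin ESXi600-201903401-SG. They assume the build number is the last dot-separated field of a VIB version and that a higher build is newer; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example, not VMware code. Hash and versions are copied from this page.
SHA1_PUBLISHED="7cea8adb34eff84507d124f4548f0a13d57dd393"
# "VIBs Included" for bulletin ESXi600-201903401-SG, as name=version.
REQUIRED_VIBS="esx-base=6.0.0-3.113.13003896
vsan=6.0.0-3.113.12980971
vsanhealth=6.0.0-3000000.3.0.3.113.12980972"

# verify_zip PATH [SHA1]: succeed only if the file's SHA-1 matches.
verify_zip() {
    [ "$(sha1sum "$1" | awk '{ print $1 }')" = "${2:-$SHA1_PUBLISHED}" ]
}

# Assumption: the build number is the field after the last dot of a version.
build_of() { echo "${1##*.}"; }

# check_vibs: reads `esxcli software vib list` output on stdin, prints one
# status line per required VIB, returns 0 only if none is missing or older.
check_vibs() {
    list=$(cat); rc=0
    for req in $REQUIRED_VIBS; do
        name=${req%%=*}; want=${req#*=}
        have=$(printf '%s\n' "$list" | awk -v n="$name" '$1 == n { print $2; exit }')
        case $(build_of "$have") in
            ''|*[!0-9]*) echo "$name UNKNOWN ${have:-not installed}"; rc=1; continue ;;
        esac
        if [ "$(build_of "$have")" -ge "$(build_of "$want")" ]; then
            echo "$name OK $have"
        else
            echo "$name OUTDATED $have (bulletin has $want)"; rc=1
        fi
    done
    return $rc
}

# Constructed sample listing: esx-base is patched, vsan is still older.
sample_vib_list() {
    cat <<'EOF'
Name        Version                               Vendor  Acceptance Level  Install Date
----------  ------------------------------------  ------  ----------------  ------------
esx-base    6.0.0-3.113.13003896                  VMware  VMwareCertified   2019-04-02
vsan        6.0.0-3.100.1111111                   VMware  VMwareCertified   2018-11-20
vsanhealth  6.0.0-3000000.3.0.3.113.12980972      VMware  VMwareCertified   2019-04-02
EOF
}

# On a host: verify_zip /path/to/ESXi600-201903001.zip && esxcli software vib list | check_vibs
sample_vib_list | check_vibs || echo "host is not at bulletin level"
```

A host that reports OUTDATED or UNKNOWN for any of the three VIBs has not received the fix for CVE-2019-5518 and CVE-2019-5519 described under Resolved Issues.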

Resolved Issues

The resolved issues are grouped as follows.

ESXi600-201903401-SG
Patch Category: Security
Patch Severity: Critical
Host Reboot Required: Yes
Virtual Machine Migration or Shutdown Required: Yes
Affected Hardware: N/A
Affected Software: N/A
VIBs Included:
  • VMware_bootbank_esx-base_6.0.0-3.113.13003896
  • VMware_bootbank_vsan_6.0.0-3.113.12980971
  • VMware_bootbank_vsanhealth_6.0.0-3000000.3.0.3.113.12980972
PRs Fixed: 2312647
Related CVE numbers: N/A

This patch updates the esx-base, vsan and vsanhealth VIBs to resolve the following issue:

  • ESXi contains an out-of-bounds read/write vulnerability and a Time-of-check Time-of-use (TOCTOU) vulnerability in the virtual USB UHCI (Universal Host Controller Interface). These issues may allow a guest to execute code on the host. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifiers CVE-2019-5518 (out-of-bounds read/write) and CVE-2019-5519 (TOCTOU) to these issues. See VMSA-2019-0005 for further information.

ESXi-6.0.0-20190304001-standard
Profile Name: ESXi-6.0.0-20190304001-standard
Build: For build information, see the top of the page.
Vendor: VMware, Inc.
Release Date: March 28, 2019
Acceptance Level: PartnerSupported
Affected Hardware: N/A
Affected Software: N/A
Affected VIBs:
  • VMware_bootbank_esx-base_6.0.0-3.113.13003896
  • VMware_bootbank_vsan_6.0.0-3.113.12980971
  • VMware_bootbank_vsanhealth_6.0.0-3000000.3.0.3.113.12980972
PRs Fixed: 2312647
Related CVE numbers: N/A

This patch resolves the following issue:

  • ESXi contains an out-of-bounds read/write vulnerability and a Time-of-check Time-of-use (TOCTOU) vulnerability in the virtual USB UHCI (Universal Host Controller Interface). These issues may allow a guest to execute code on the host. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifiers CVE-2019-5518 (out-of-bounds read/write) and CVE-2019-5519 (TOCTOU) to these issues. See VMSA-2019-0005 for further information.

ESXi-6.0.0-20190304001-no-tools
Profile Name: ESXi-6.0.0-20190304001-no-tools
Build: For build information, see the top of the page.
Vendor: VMware, Inc.
Release Date: March 28, 2019
Acceptance Level: PartnerSupported
Affected Hardware: N/A
Affected Software: N/A
Affected VIBs:
  • VMware_bootbank_esx-base_6.0.0-3.113.13003896
  • VMware_bootbank_vsan_6.0.0-3.113.12980971
  • VMware_bootbank_vsanhealth_6.0.0-3000000.3.0.3.113.12980972
PRs Fixed: 2312647
Related CVE numbers: N/A

This patch resolves the following issue:

  • ESXi contains an out-of-bounds read/write vulnerability and a Time-of-check Time-of-use (TOCTOU) vulnerability in the virtual USB UHCI (Universal Host Controller Interface). These issues may allow a guest to execute code on the host. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifiers CVE-2019-5518 (out-of-bounds read/write) and CVE-2019-5519 (TOCTOU) to these issues. See VMSA-2019-0005 for further information.