ID

VAR-200707-0675

CVE

CVE-2008-1447

TITLE

Multiple DNS implementations vulnerable to cache poisoning

DESCRIPTION

The DNS protocol, as implemented in (1) BIND 8 and 9 before 9.5.0-P1, 9.4.2-P1, and 9.3.5-P1; (2) Microsoft DNS in Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP1 and SP2; and other implementations allow remote attackers to spoof DNS traffic via a birthday attack that uses in-bailiwick referrals to conduct cache poisoning against recursive resolvers, related to insufficient randomness of DNS transaction IDs and source ports, aka "DNS Insufficient Socket Entropy Vulnerability" or "the Kaminsky bug.". ISC (Internet Systems Consortiuim) BIND generates cryptographically weak DNS query IDs which could allow a remote attacker to poison DNS caches. Deficiencies in the DNS protocol and common DNS implementations facilitate DNS cache poisoning attacks. Multiple vendors' implementations of the DNS protocol are prone to a DNS-spoofing vulnerability because the software fails to securely implement random values when performing DNS queries. Successfully exploiting this issue allows remote attackers to spoof DNS replies, allowing them to redirect network traffic and to launch man-in-the-middle attacks. This issue affects Microsoft Windows DNS Clients and Servers, ISC BIND 8 and 9, and multiple Cisco IOS releases; other DNS implementations may also be vulnerable. =========================================================== Ubuntu Security Notice USN-627-1 July 22, 2008 dnsmasq vulnerability CVE-2008-1447 =========================================================== A security issue affects the following Ubuntu releases: Ubuntu 8.04 LTS This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. The problem can be corrected by upgrading your system to the following package versions: Ubuntu 8.04 LTS: dnsmasq-base 2.41-2ubuntu2.1 After a standard system upgrade you need to restart Dnsmasq to effect the necessary changes. Details follow: Dan Kaminsky discovered weaknesses in the DNS protocol as implemented by Dnsmasq. The first issue can be exploited by enticing pdnsd to send a query to a malicious DNS server, or using the port randomization weakness, and might lead to a Denial of Service. Workaround ========== Port randomization can be enabled by setting the "query_port_start" option to 1024 which would resolve the CVE-2008-1447 issue. Among other things, successful attacks can lead to misdirected web traffic and email rerouting. This update changes Debian's dnsmasq packages to implement the recommended countermeasure: UDP query source port randomization. This change increases the size of the space from which an attacker has to guess values in a backwards-compatible fashion and makes successful attacks significantly more difficult. This update also switches the random number generator to Dan Bernstein's SURF. For the stable distribution (etch), this problem has been fixed in version 2.35-1+etch4. Packages for alpha will be provided later. For the unstable distribution (sid), this problem has been fixed in version 2.43-1. We recommend that you upgrade your dnsmasq package. Upgrade instructions - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 4.0 alias etch - ------------------------------- Stable updates are available for amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc. Source archives: http://security.debian.org/pool/updates/main/d/dnsmasq/dnsmasq_2.35-1+etch4.dsc Size/MD5 checksum: 596 3834461c89e55467b4b65ed4ac209e81 http://security.debian.org/pool/updates/main/d/dnsmasq/dnsmasq_2.35.orig.tar.gz Size/MD5 checksum: 252901 ad1fafeaf3442685cfe16613e0f8b777 http://security.debian.org/pool/updates/main/d/dnsmasq/dnsmasq_2.35-1+etch4.diff.gz Size/MD5 checksum: 19202 4ced7768f49198bd43bbbd24f2a3d3e4 amd64 architecture (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/d/dnsmasq/dnsmasq_2.35-1+etch4_amd64.deb Size/MD5 checksum: 188278 8fb55f694db9fdfccaa86d134e937777 arm architecture (ARM) http://security.debian.org/pool/updates/main/d/dnsmasq/dnsmasq_2.35-1+etch4_arm.deb Size/MD5 checksum: 181746 4caf23f31de937b817e12ade7d132eac hppa architecture (HP PA RISC) http://security.debian.org/pool/updates/main/d/dnsmasq/dnsmasq_2.35-1+etch4_hppa.deb Size/MD5 checksum: 190490 66730e785683655b058d11aa70346be4 i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/d/dnsmasq/dnsmasq_2.35-1+etch4_i386.deb Size/MD5 checksum: 184546 1fbdd71e81a1e05d68b0f88eaeb00b10 ia64 architecture (Intel ia64) http://security.debian.org/pool/updates/main/d/dnsmasq/dnsmasq_2.35-1+etch4_ia64.deb Size/MD5 checksum: 223758 011f283b71ef0f9e07d5a9dce25db505 mips architecture (MIPS (Big Endian)) http://security.debian.org/pool/updates/main/d/dnsmasq/dnsmasq_2.35-1+etch4_mips.deb Size/MD5 checksum: 189846 5c67cca2eaedc1dff80c5fd05aa1d33f mipsel architecture (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/d/dnsmasq/dnsmasq_2.35-1+etch4_mipsel.deb Size/MD5 checksum: 191824 dfd87d69a7751f1e6ef2d0f1ede052ff powerpc architecture (PowerPC) http://security.debian.org/pool/updates/main/d/dnsmasq/dnsmasq_2.35-1+etch4_powerpc.deb Size/MD5 checksum: 186890 93701abcca5421beddab015a7f35af99 s390 architecture (IBM S/390) http://security.debian.org/pool/updates/main/d/dnsmasq/dnsmasq_2.35-1+etch4_s390.deb Size/MD5 checksum: 186396 6f19f6c8d803c3d57e01e73fe1e11886 sparc architecture (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/d/dnsmasq/dnsmasq_2.35-1+etch4_sparc.deb Size/MD5 checksum: 182910 f360078c14f715e90e60124b4ede2be9 These files will probably be moved into the stable distribution on its next update. In IP NAT filtering in Sun Solaris 10 and OpenSolaris series products, when a DNS server runs NAT, it incorrectly changes the original address of the data packet. And spoof the address returned by the DNS response. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 200812-17 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: Ruby: Multiple vulnerabilities Date: December 16, 2008 Bugs: #225465, #236060 ID: 200812-17 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been discovered in Ruby that allow for attacks including arbitrary code execution and Denial of Service. Background ========== Ruby is an interpreted object-oriented programming language. The elaborate standard library includes an HTTP server ("WEBRick") and a class for XML parsing ("REXML"). Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 dev-lang/ruby < 1.8.6_p287-r1 >= 1.8.6_p287-r1 Description =========== Multiple vulnerabilities have been discovered in the Ruby interpreter and its standard libraries. Drew Yao of Apple Product Security discovered the following flaws: * Arbitrary code execution or Denial of Service (memory corruption) in the rb_str_buf_append() function (CVE-2008-2662). * Arbitrary code execution or Denial of Service (memory corruption) in the rb_ary_stor() function (CVE-2008-2663). * Memory corruption via alloca in the rb_str_format() function (CVE-2008-2664). * Memory corruption ("REALLOC_N") in the rb_ary_splice() and rb_ary_replace() functions (CVE-2008-2725). * Memory corruption ("beg + rlen") in the rb_ary_splice() and rb_ary_replace() functions (CVE-2008-2726). Furthermore, several other vulnerabilities have been reported: * Tanaka Akira reported an issue with resolv.rb that enables attackers to spoof DNS responses (CVE-2008-1447). * Akira Tagoh of RedHat discovered a Denial of Service (crash) issue in the rb_ary_fill() function in array.c (CVE-2008-2376). * Several safe level bypass vulnerabilities were discovered and reported by Keita Yamaguchi (CVE-2008-3655). * Christian Neukirchen is credited for discovering a Denial of Service (CPU consumption) attack in the WEBRick HTTP server (CVE-2008-3656). * A fault in the dl module allowed the circumvention of taintness checks which could possibly lead to insecure code execution was reported by "sheepman" (CVE-2008-3657). * Tanaka Akira again found a DNS spoofing vulnerability caused by the resolv.rb implementation using poor randomness (CVE-2008-3905). * Luka Treiber and Mitja Kolsek (ACROS Security) disclosed a Denial of Service (CPU consumption) vulnerability in the REXML module when dealing with recursive entity expansion (CVE-2008-3790). Impact ====== These vulnerabilities allow remote attackers to execute arbitrary code, spoof DNS responses, bypass Ruby's built-in security and taintness checks, and cause a Denial of Service via crash or CPU exhaustion. Workaround ========== There is no known workaround at this time. Resolution ========== All Ruby users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-lang/ruby-1.8.6_p287-r1" References ========== [ 1 ] CVE-2008-1447 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447 [ 2 ] CVE-2008-2376 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2376 [ 3 ] CVE-2008-2662 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2662 [ 4 ] CVE-2008-2663 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2663 [ 5 ] CVE-2008-2664 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2664 [ 6 ] CVE-2008-2725 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2725 [ 7 ] CVE-2008-2726 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2726 [ 8 ] CVE-2008-3655 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3655 [ 9 ] CVE-2008-3656 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3656 [ 10 ] CVE-2008-3657 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3657 [ 11 ] CVE-2008-3790 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3790 [ 12 ] CVE-2008-3905 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3905 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200812-17.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. License ======= Copyright 2008 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 . * Carlos Carvalho reported that dnsmasq in the 2.43 version does not properly handle clients sending inform or renewal queries for unknown DHCP leases, leading to a crash (CVE-2008-3350). Furthermore, an attacker could generate invalid DHCP traffic and cause a Denial of Service. (These vulnerabilities were reported by Keita Yamaguchi.) == DoS vulnerability in WEBrick == An error exists in the usage of regular expressions in "WEBrick::HTTPUtils.split_header_value()". This can be exploited to consume large amounts of CPU via a specially crafted HTTP request. (This vulnerability was reported by Christian Neukirchen.) == Lack of taintness check in dl == An error in "DL" can be exploited to bypass security restrictions and call potentially dangerous functions. (This vulnerability was reported by Tanaka Akira.) Affected packages: Pardus 2008: ruby, all before 1.8.7_p72-16-4 ruby-mode, all before 1.8.7_p72-16-4 Pardus 2007: ruby, all before 1.8.7_p72-16-13 ruby-mode, all before 1.8.7_p72-16-4 Resolution ========== There are update(s) for ruby, ruby-mode. You can update them via Package Manager or with a single command from console: Pardus 2008: pisi up ruby ruby-mode Pardus 2007: pisi up ruby ruby-mode References ========== * http://www.ruby-lang.org/en/news/2008/08/08/multiple-vulnerabilities-in-ruby * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447 * http://secunia.com/advisories/31430/ ------------------------------------------------------------------------ -- Pınar Yanardağ http://pinguar.org _______________________________________________ Full-Disclosure - We believe in it. Release Date: 2008-07-16 Last Updated: 2010-12-15 ----------------------------------------------------------------------------- Potential Security Impact: Remote DNS cache poisoning Source: Hewlett-Packard Company, HP Software Security Response Team VULNERABILITY SUMMARY A potential security vulnerability has been identified with HP-UX running BIND. References: CVE-2008-1447 SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. HP-UX B.11.11, B.11.23, B.11.31 running BIND v9.3.2 or BIND v9.2.0, HP-UX B.11.11 running BIND v8.1.2 BACKGROUND CVSS 2.0 Base Metrics =========================================================== Reference Base Vector Base Score CVE-2008-1447 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5 =========================================================== Information on CVSS is documented in HP Customer Notice: HPSN-2008-002 RESOLUTION HP has provided the following software updates / patch to resolve the vulnerabilities for BIND v9.2.0 and BIND v9.3.2. Customers running BIND v8.1.2 on HP-UX B.11.11 should upgrade to BIND v9.2.0 or BIND v9.3.2 and apply the updates listed below. A new BIND v9.2.0 depot is available to address an issue encountered on HP-UX B.11.11. The new depot is available by contacting HP Support. The BIND v9.3.2 updates are available for download from: http://software.hp.com The patch PHNE_37865 is available from: http://itrc.hp.com HP-UX Release / Action B.11.11 running v8.1.2 / Upgrade to BIND v9.2.0 or BIND v9.3.2 and apply the updates listed below, remove "query-source port" and "query-source-v6 port" options in /etc/named.conf. HP-UX Release / BIND Depot name / Action B.11.11 running v9.2.0 / BIND920V15.depot / Remove "query-source port" and "query-source-v6 port" options in /etc/named.conf. HP-UX Release / Action B.11.23 running v9.2.0 / Install PHNE_37865 or subsequent; Remove "query-source port" and "query-source-v6 port" options in /etc/named.conf. HP-UX Release / Action B.11.11 running v9.3.2 / Install revision C.9.3.2.7.0 or subsequent; Remove "query-source port" and "query-source-v6 port" options in /etc/named.conf. B.11.23 running v9.3.2 / Install revision C.9.3.2.7.0 or subsequent; Remove "query-source port" and "query-source-v6 port" options in /etc/named.conf. B.11.31 running v9.3.2 / Install revision C.9.3.2.3.0 or subsequent; Remove "query-source port" and "query-source-v6 port" options in /etc/named.conf. Note: Remove "query-source port" and "query-source-v6 port" options in /etc/named.conf. Note: Firewall configurations may need to be adjusted to allow DNS queries from random source ports to pass. In addition, firewalls that forward DNS queries must not replace the random source ports. MANUAL ACTIONS: Yes - NonUpdate Remove "query-source port" and "query-source-v6 port" options in /etc/named.conf. Check firewall settings. For B.11.11 running v8.1.2, upgrade to BIND v9.2.0 or BIND v9.3.2 and apply the updates For B.11.11 running v9.2.0 install BIND920v15.depot PRODUCT SPECIFIC INFORMATION HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all HP-issued Security Bulletins and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see: https://www.hp.com/go/swa AFFECTED VERSIONS For BIND v8.1.2 HP-UX B.11.11 ============= InternetSrvcs.INETSVCS-RUN action: upgrade to BIND v9.2.0 or BIND v9.3.2 and apply the updates, remove "query-source port" and "query-source-v6 port" options in /etc/named.conf. For BIND v9.3.2 HP-UX B.11.11 ============= BindUpgrade.BIND-UPGRADE action: install revision C.9.3.2.7.0 or subsequent, remove "query-source port" and "query-source-v6 port" options in /etc/named.conf. URL: http://software.hp.com HP-UX B.11.23 ============= BindUpgrade.BIND-UPGRADE BindUpgrade.BIND2-UPGRADE action: install revision C.9.3.2.7.0 or subsequent, remove "query-source port" and "query-source-v6 port" options in /etc/named.conf. URL: http://software.hp.com HP-UX B.11.31 ============= NameService.BIND-AUX NameService.BIND-RUN action: install revision C.9.3.2.7.0 or subsequent, remove "query-source port" and "query-source-v6 port" options in /etc/named.conf. URL: http://software.hp.com For BIND v9.2.0 HP-UX B.11.11 ============= BINDv920.INETSVCS-BIND action: install revision B.11.11.01.015 or subsequent, remove "query-source port" and "query-source-v6 port" options in /etc/named.conf. URL Contact HP Support for information on where to download depot. HP-UX B.11.23 ============= InternetSrvcs.INETSVCS-INETD InternetSrvcs.INETSVCS-RUN InternetSrvcs.INETSVCS2-RUN action: install patch PHNE_37865 or subsequent, remove "query-source port" and "query-source-v6 port" options in /etc/named.conf. URL: http://itrc.hp.com END AFFECTED VERSIONS HISTORY Version:1 (rev.1) - 16 July 2008 Initial release Version:2 (rev.2) - 19 July 2008 Added BIND v9.2.0 depot information Version:3 (rev.3) - 06 August 2008 Updated patch location, revised BIND v9.2.0 depot information, added BIND v8.1.2 Version:4 (rev.4) - 08 August 2008 Updated manual actions to include named.conf and firewall configuration setings Version:5 (rev.5) - 12 October 2010 Updated version for BIND v9.2.0 depot for B.11.11 Version:6 (rev.6) - 15 December 2010 Reformat v9.2.0 recommendation for clarity. Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy. Support: For further information, contact normal HP Services support channel. Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information. To get the security-alert PGP key, please send an e-mail message as follows: To: security-alert@hp.com Subject: get key Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email: http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC On the web page: ITRC security bulletins and patch sign-up Under Step1: your ITRC security bulletins and patches -check ALL categories for which alerts are required and continue. Under Step2: your ITRC operating systems -verify your operating system selections are checked and save. To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php Log in on the web page: Subscriber's choice for Business: sign-in. On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections. To review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do * The Software Product Category that this Security Bulletin relates to is represented by the 5th and 6th characters of the Bulletin number in the title: GN = HP General SW MA = HP Management Agents MI = Misc. 3rd Party SW MP = HP MPE/iX NS = HP NonStop Servers OV = HP OpenVMS PI = HP Printing & Imaging ST = HP Storage SW TL = HP Trusted Linux TU = HP Tru64 UNIX UX = HP-UX VV = HP VirtualVault System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions. "HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement." Copyright 2009 Hewlett-Packard Development Company, L.P. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits;damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners. At this time, it is not possible to implement the recommended countermeasures in the GNU libc stub resolver. The following workarounds are available: 1. Install a local BIND 9 resoler on the host, possibly in forward-only mode. (Other caching resolvers can be used instead.) 2. Rely on IP address spoofing protection if available. Successful attacks must spoof the address of one of the resolvers, which may not be possible if the network is guarded properly against IP spoofing attacks (both from internal and external sources). This DSA will be updated when patches for hardening the stub resolver are available. Dan Kaminsky identified a practical vector of DNS response spoofing and cache poisoning, exploiting the limited entropy in a DNS transaction ID and lack of UDP source port randomization in many DNS implementations. Scott Kitterman noted that python-dns is vulnerable to this predictability, as it randomizes neither its transaction ID nor its source port. Taken together, this lack of entropy leaves applications using python-dns to perform DNS queries highly susceptible to response forgery. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ . ---------------------------------------------------------------------- Try a new way to discover vulnerabilities that ALREADY EXIST in your IT infrastructure. The Full Featured Secunia Network Software Inspector (NSI) is now available: http://secunia.com/network_software_inspector/ The Secunia NSI enables you to INSPECT, DISCOVER, and DOCUMENT vulnerabilities in more than 4,000 different Windows applications. ---------------------------------------------------------------------- TITLE: Red Hat update for bind SECUNIA ADVISORY ID: SA26195 VERIFY ADVISORY: http://secunia.com/advisories/26195/ CRITICAL: Moderately critical IMPACT: Spoofing WHERE: >From remote OPERATING SYSTEM: Red Hat Enterprise Linux (v. 5 server) http://secunia.com/product/13652/ Red Hat Enterprise Linux Desktop (v. 5 client) http://secunia.com/product/13653/ Red Hat Enterprise Linux Desktop Workstation (v. 5 client) http://secunia.com/product/13651/ RedHat Enterprise Linux AS 2.1 http://secunia.com/product/48/ RedHat Enterprise Linux AS 3 http://secunia.com/product/2534/ RedHat Enterprise Linux AS 4 http://secunia.com/product/4669/ RedHat Enterprise Linux ES 2.1 http://secunia.com/product/1306/ RedHat Enterprise Linux ES 3 http://secunia.com/product/2535/ RedHat Enterprise Linux ES 4 http://secunia.com/product/4668/ RedHat Enterprise Linux WS 3 http://secunia.com/product/2536/ RedHat Enterprise Linux WS 2.1 http://secunia.com/product/1044/ RedHat Enterprise Linux WS 4 http://secunia.com/product/4670/ RedHat Linux Advanced Workstation 2.1 for Itanium http://secunia.com/product/1326/ DESCRIPTION: Red Hat has issued an update for bind. For more information: SA26152 SOLUTION: Updated packages are available from Red Hat Network. http://rhn.redhat.com ORIGINAL ADVISORY: http://rhn.redhat.com/errata/RHSA-2007-0740.html OTHER REFERENCES: SA26152: http://secunia.com/advisories/26152/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 - ------------------------------------------------------------------------ VMware Security Advisory Advisory ID: VMSA-2008-0014 Synopsis: Updates to VMware Workstation, VMware Player, VMware ACE, VMware Server, VMware ESX address information disclosure, privilege escalation and other security issues. Issue date: 2008-08-29 Updated on: 2008-08-29 (initial release of advisory) CVE numbers: CVE-2008-2101 CVE-2007-5269 CVE-2008-1447 CVE-2008-3691 CVE-2008-3692 CVE-2008-3693 CVE-2008-3694 CVE-2008-3695 CVE-2007-5438 CVE-2008-3696 CVE-2008-3697 CVE-2008-3698 CVE-2008-1806 CVE-2008-1807 CVE-2008-1808 CVE-2007-5503 - -------------------------------------------------------------------------- 1. Summary Updates to VMware Workstation, VMware Player, VMware ACE, VMware Server, VMware ESX address information disclosure, privilege escalation and other security issues. 2. Relevant releases VMware Workstation 6.0.4 and earlier, VMware Workstation 5.5.7 and earlier, VMware Player 2.0.4 and earlier, VMware Player 1.0.7 and earlier, VMware ACE 2.0.4 and earlier, VMware ACE 1.0.6 and earlier, VMware Server 1.0.6 and earlier, VMware ESX 3.0.3 without patches ESX303-200808404-SG, ESX303-200808403-SG ESX303-200808406-SG. VMware ESX 3.0.2 without patches ESX-1005109, ESX-1005113, ESX-1005114. VMware ESX 3.0.1 without patches ESX-1005108, ESX-1005112, ESX-1005111, ESX-1004823, ESX-1005117. NOTE: Hosted products VMware Workstation 5.x, VMware Player 1.x, and VMware ACE 1.x will reach end of general support 2008-11-09. Customers should plan to upgrade to the latest version of their respective products. Extended support (Security and Bug fixes) for ESX 3.0.2 ends on 10/29/2008 and Extended support for ESX 3.0.2 Update 1 ends on 8/8/2009. Users should plan to upgrade to ESX 3.0.3 and preferably to the newest release available. Extended Support (Security and Bug fixes) for ESX 3.0.1 has ended on 2008-07-31. The 3.0.1 patches are released in August because there was no patch release in July. 3. Problem Description I Security Issues a. Setting ActiveX killbit Starting from this release, VMware has set the killbit on its ActiveX controls. Setting the killbit ensures that ActiveX controls cannot run in Internet Explorer (IE), and avoids security issues involving ActiveX controls in IE. See the Microsoft KB article 240797 and the related references on this topic. Security vulnerabilities have been reported for ActiveX controls provided by VMware when run in IE. Under specific circumstances, exploitation of these ActiveX controls might result in denial-of- service or can allow running of arbitrary code when the user browses a malicious Web site or opens a malicious file in IE browser. An attempt to run unsafe ActiveX controls in IE might result in pop-up windows warning the user. Note: IE can be configured to run unsafe ActiveX controls without prompting. VMware recommends that you retain the default settings in IE, which prompts when unsafe actions are requested. Earlier, VMware had issued knowledge base articles, KB 5965318 and KB 9078920 on security issues with ActiveX controls. To avoid malicious scripts that exploit ActiveX controls, do not enable unsafe ActiveX objects in your browser settings. As a best practice, do not browse untrusted Web sites as an administrator and do not click OK or Yes if prompted by IE to allow certain actions. VMware would like to thank Julien Bachmann, Shennan Wang, Shinnai, and Michal Bucko for reporting these issues to us. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the names CVE-2008-3691, CVE-2008-3692, CVE-2008-3693, CVE-2008-3694, CVE-2008-3695, CVE-2007-5438, and CVE-2008-3696 to the security issues with VMware ActiveX controls. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= VirtualCenter any Windows not affected Workstation 6.x Windows 6.0.5 build 109488 or later Workstation 6.x Linux not affected Workstation 5.x Windows 5.5.8 build 108000 or later Workstation 5.x Linux not affected Player 2.x Windows 2.0.5 build 109488 or later Player 2.x Linux not affected Player 1.x Windows 1.0.8 build or later Player 1.x Linux not affected ACE 2.x Windows 2.0.5 build 109488 or later ACE 1.x Windows 1.0.7 build 108880 or later Server 1.x Windows 1.0.7 build 108231 or later Server 1.x Linux not affected Fusion 1.x Mac OS/X not affected ESXi 3.5 ESXi not affected ESX any ESX not affected b. VMware ISAPI Extension Denial of Service The Internet Server Application Programming Interface (ISAPI) is an API that extends the functionality of Internet Information Server (IIS). VMware uses ISAPI extensions in its Server product. One of the ISAPI extensions provided by VMware is vulnerable to a remote denial of service. By sending a malformed request, IIS might shut down. IIS 6.0 restarts automatically. However, IIS 5.0 does not restart automatically when its Startup Type is set to Manual. VMware would like to thank the Juniper Networks J-Security Security Research Team for reporting this issue to us. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2008-3697 to this issue. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= VirtualCenter any Windows not affected Workstation 6.x Windows not affected Workstation 6.x Linux not affected Workstation 5.x Windows not affected Workstation 5.x Linux not affected Player 2.x Windows not affected Player 2.x Linux not affected Player 1.x Windows not affected Player 1.x Linux not affected ACE 2.x Windows not affected ACE 1.x Windows not affected Server 1.x Windows 1.0.7 build 108231 or later Server 1.x Linux not affected Fusion 1.x Mac OS/X not affected ESXi 3.5 ESXi not affected ESX any ESX not affected c. OpenProcess Local Privilege Escalation on Host System This release fixes a privilege escalation vulnerability in host systems. Exploitation of this vulnerability allows users to run arbitrary code on the host system with elevated privileges. VMware would like to thank Sun Bing from McAfee, Inc. for reporting this issue to us. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2008-3698 to this issue. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= VirtualCenter any Windows not affected Workstation 6.x Windows not affected Workstation 6.x Linux not affected Workstation 5.x Windows 5.5.8 build 108000 or later Workstation 5.x Linux not affected Player 2.x Windows not affected Player 2.x Linux not affected Player 1.x Windows 1.0.8 build 109488 or later Player 1.x Linux not affected ACE 2.x Windows not affected ACE 1.x Windows 1.0.7 build 108880 or later Server 1.x Windows 1.0.7 build 108231 or later Server 1.x Linux not affected Fusion 1.x Mac OS/X not affected ESXi 3.5 ESXi not affected ESX any ESX not affected d. Update to Freetype FreeType 2.3.6 resolves an integer overflow vulnerability and other vulnerabilities that can allow malicious users to run arbitrary code or might cause a denial-of-service after reading a maliciously crafted file. This release updates FreeType to 2.3.7. The Common Vulnerabilities and Exposures Project (cve.mitre.com) has assigned the names CVE-2008-1806, CVE-2008-1807, and CVE-2008-1808 to the issues resolved in Freetype 2.3.6. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= VirtualCenter any Windows not affected Workstation 6.x Windows not affected Workstation 6.x Linux 6.0.5 build 109488 or later Workstation 5.x Windows not affected Workstation 5.x Linux 5.5.8 build 108000 or later Player 2.x Windows not affected Player 2.x Linux 2.0.5 build 109488 or later Player 1.x Windows not affected Player 1.x Linux 1.0.8 build 108000 or later ACE 2.x Windows not affected ACE 1.x Windows not affected Server 1.x Windows not affected Server 1.x Linux 1.0.7 build 108231 or later Fusion 1.x Mac OS/X affected, patch pending ESXi 3.5 ESXi not affected ESX 3.5 ESX not affected ESX 3.0.3 ESX not affected ESX 3.0.2 ESX not affected ESX 3.0.1 ESX not affected ESX 2.5.5 ESX affected, patch pending ESX 2.5.4 ESX affected, patch pending e. Update to Cairo Cairo 1.4.12 resolves an integer overflow vulnerability that can allow malicious users to run arbitrary code or might cause a denial-of-service after reading a maliciously crafted PNG file. This release updates Cairo to 1.4.14. The Common Vulnerabilities and Exposures (cve.mitre.com) has assigned the name CVE-2007-5503 to this issue. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= VirtualCenter any Windows not affected Workstation 6.x Windows not affected Workstation 6.x Linux 6.0.5 build 109488 or later Workstation 5.x Windows not affected Workstation 5.x Linux not affected Player 2.x Windows not affected Player 2.x Linux 2.0.5 build 109488 or later Player 1.x Windows not affected Player 1.x Linux not affected ACE 2.x Windows not affected ACE 1.x Windows not affected Server 1.x Windows not affected Server 1.x Linux not affected Fusion 1.x Mac OS/X affected, patch pending ESXi 3.5 ESXi not affected ESX any ESX not affected f. VMware Consolidated Backup(VCB) command-line utilities may expose sensitive information VMware Consolidated Backup command-line utilities accept the user password through the -p command-line option. Users logged into the service console could gain access to the username and password used by VCB command-line utilities when such commands are running. This patch resolves this issue by providing an alternative way of passing the password used by VCB command-line utilities. The following options are recommended for passing the password: 1. The password is specified in /etc/backuptools.conf (PASSWORD=xxxxx), and -p is not used in the command line. /etc/backuptools.conf file permissions are read/write only for root. 2. No password is specified in /etc/backuptools.conf and the -p option is not used in the command line. The user will be prompted to enter a password. ESX is not affected unless you use VCB. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2008-2101 to this issue. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= =================== VirtualCenter any Windows not affected hosted * any any not affected ESXi 3.5 ESXi not affected ESX 3.5 ESX ESX350-200806203-UG ESX 3.0.3 ESX ESX303-200808403-SG ESX 3.0.2 ESX ESX-1004824 ESX 3.0.1 ESX ESX-1004823 ESX 2.5.5 ESX not affected ESX 2.5.4 ESX not affected * hosted products are VMware Workstation, Player, ACE, Server, Fusion g. Third Party Library libpng Updated to 1.2.29 Several flaws were discovered in the way third party library libpng handled various PNG image chunks. An attacker could create a carefully crafted PNG image file in such a way that it causes an application linked with libpng to crash when the file is manipulated. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2007-5269 to this issue. NOTE: There are multiple patches required to remediate the issue. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= =================== VirtualCenter any Windows not affected hosted * any any not affected ESXi 3.5 ESXi affected, patch pending ESX 3.5 ESX affected, patch pending ESX 3.0.3 ESX ESX303-200808404-SG ESX303-200808403-SG ESX 3.0.2 ESX ESX-1005109 ESX-1005114 ESX-1005113 ESX 3.0.1 ESX ESX-1005112 ESX-1005108 ESX-1005111 ESX 2.5.5 ESX affected, patch pending ESX 2.5.4 ESX affected, patch pending * hosted products are VMware Workstation, Player, ACE, Server, Fusion II ESX Service Console rpm updates a. update to bind This update upgrades the service console rpms for bind-utils and bind-lib to version 9.2.4-22.el3. Version 9.2.4.-22.el3 addresses the recently discovered vulnerability in the BIND software used for Domain Name resolution (DNS). VMware doesn't install all the BIND packages on ESX Server and is not vulnerable by default to the reported vulnerability. Of the BIND packages, VMware only ships bind-util and bind-lib in the service console and these components by themselves cannot be used to setup a DNS server. Bind-lib and bind-util are used in client DNS applications like nsupdate, nslookup, etc. VMware explicitly discourages installing applications like BIND on the service console. In case the customer has installed BIND, and the DNS server is configured to support recursive queries, their ESX Server system is affected and they should replace BIND with a patched version. Note: ESX Server will use the DNS server on the network it is on, so it is important to patch that DNS server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2008-1447 to this issue. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= =================== VirtualCenter any Windows not affected hosted * any any not affected ESXi 3.5 ESXi not affected ESX 3.5 ESX patch pending ESX 3.0.3 ESX ESX303-200808406-SG ESX 3.0.2 ESX ESX-1006356 ESX 3.0.1 ESX ESX-1005117 ESX 2.5.5 ESX patch pending ESX 2.5.4 ESX patch pending * hosted products are VMware Workstation, Player, ACE, Server, Fusion 4. Solution Please review the patch/release notes for your product and version and verify the md5sum of your downloaded file. VMware Workstation 6.0.5 ------------------------ http://www.vmware.com/download/ws/ Release notes: http://www.vmware.com/support/ws6/doc/releasenotes_ws6.html Windows binary md5sum: 46b4c54f0493f59f52ac6c2965296859 RPM Installation file for 32-bit Linux md5sum: 49ebfbd05d146ecc43262622ab746f03 tar Installation file for 32-bit Linux md5sum: 14ac93bffeee72528629d4caecc5ef37 RPM Installation file for 64-bit Linux md5sum: 0a856f1a1a31ba3c4b08bcf85d97ccf6 tar Installation file for 64-bit Linux md5sum: 3b459254069d663e9873a661bc97cf6c VMware Workstation 5.5.8 ------------------------ http://www.vmware.com/download/ws/ws5.html Release notes: http://www.vmware.com/support/ws55/doc/releasenotes_ws55.html Windows binary: md5sum: 745c3250e5254eaf6e65fcfc4172070f Compressed Tar archive for 32-bit Linux md5sum: 65a454749d15d4863401619d7ff5566e Linux RPM version for 32-bit Linux md5sum: d80adc73b1500bdb0cb24d1b0733bcff VMware Player 2.0.5 and 1.0.8 ----------------------------- http://www.vmware.com/download/player/ Release notes Player 1.x: http://www.vmware.com/support/player/doc/releasenotes_player.html Release notes Player 2.0 http://www.vmware.com/support/player2/doc/releasenotes_player2.html 2.0.5 Windows binary md5sum: 60265438047259b23ff82fdfe737f969 VMware Player 2.0.5 for Linux (.rpm) md5sum: 3bc81e203e947e6ca5b55b3f33443d34 VMware Player 2.0.5 for Linux (.tar) md5sum: f499603d790edc5aa355e45b9c5eae01 VMware Player 2.0.5 - 64-bit (.rpm) md5sum: 85bc2f11d06c362feeff1a64ee5a6834 VMware Player 2.0.5 - 64-bit (.tar) md5sum: b74460bb961e88817884c7e2c0f30215 1.0.8 Windows binary md5sum: e5f927304925297a7d869f74b7b9b053 Player 1.0.8 for Linux (.rpm) md5sum: a13fdb8d72b661cefd24e7dcf6e2a990 Player 1.0.8 for Linux (.tar) md5sum: 99fbe861253eec5308d8c47938e8ad1e VMware ACE 2.0.5 ---------------- http://www.vmware.com/download/ace/ Release notes 2.0: http://www.vmware.com/support/ace2/doc/releasenotes_ace2.html ACE Manager Server Virtual Appliance Virtual Appliance for the ACE Management Server md5sum: 41e7349f3b6568dffa23055bb629208d ACE for Window 32-bit and 64-bit Main installation file for Windows 32-bit and 64-bit host (ACE Option Page key required for enabling ACE authoring) md5sum:46b4c54f0493f59f52ac6c2965296859 ACE Management Server for Windows ACE Management Server installation file for Windows md5sum:33a015c4b236329bcb7e12c82271c417 ACE Management Server for Red Hat Enterprise Linux 4 ACE Management Server installation file for Red Hat Enterprise Linux 4 md5sum:dc3bd89fd2285f41ed42f8b28cd5535f ACE Management Server for SUSE Enterprise Linux 9 ACE Management Server installation file for SUSE Enterprise Linux 9 md5sum:2add6a4fc97e1400fb2f94274ce0dce0 VMware ACE 1.0.7 ---------------- http://www.vmware.com/download/ace/ Release notes: http://www.vmware.com/support/ace2/doc/releasenotes_ace2.html md5sum: 42d806cddb8e9f905722aeac19740f33 VMware Server 1.0.7 ------------------- http://www.vmware.com/download/server/ Release notes: http://www.vmware.com/support/server/doc/releasenotes_server.html VMware Server for Windows 32-bit and 64-bit md5sum: 2e2ee5ebe08ae48eac5e661cad01acf6 VMware Server Windows client package md5sum: ce7d906a5a8de37cbc20db4332de1adb VMware Server for Linux md5sum: 04f201122b16222cd58fc81ca814ff8c VMware Server for Linux rpm md5sum: 6bae706df040c35851823bc087597d8d Management Interface md5sum: e67489bd2f23bcd4a323d19df4e903e8 VMware Server Linux client package md5sum: 99f1107302111ffd3f766194a33d492b ESX --- ESX 3.5.0 patch ESX350-200806203-UG (VCB) http://download3.vmware.com/software/esx/ESX350-200806203-UG.zip md5sum: 3bd512dc8aa2b276f7cfd19080d193c9 http://kb.vmware.com/kb/1005896 ESX 3.0.3 patch ESX303-200808403-SG (libpng) http://download3.vmware.com/software/vi/ESX303-200808403-SG.zip md5sum: 5f1e75631e53c0e9e013acdbe657cfc7 http://kb.vmware.com/kb/1006034 ESX 3.0.3 patch ESX303-200808404-SG (libpng) http://download3.vmware.com/software/vi/ESX303-200808404-SG.zip md5sum: 65468a5b6ba105cfde1dd444d77b2df4 http://kb.vmware.com/kb/1006035 ESX 3.0.3 patch ESX303-200808406-SG (bind) http://download3.vmware.com/software/vi/ESX303-200808406-SG.zip md5sum: a11273e8d430e5784071caff673995f4 http://kb.vmware.com/kb/1006357 ESX 3.0.3 patch (VCB) ESX 3.0.2 patch ESX-1005109 (libpng) http://download3.vmware.com/software/vi/ESX-1005109.tgz md5sum: 456d74d94317f852024aed5d3852be09 http://kb.vmware.com/kb/1005109 ESX 3.0.2 patch ESX-1005113 (libpng) http://download3.vmware.com/software/vi/ESX-1005113.tgz md5sum: 5d604f2bfd90585b9c8679f5fc8c31b7 http://kb.vmware.com/kb/1005113 ESX 3.0.2 patch ESX-1005114 (libpng) http://download3.vmware.com/software/vi/ESX-1005114.tgz md5sum: 3b6d33b334f0020131580fdd8f9b5365 http://kb.vmware.com/kb/1005114 ESX 3.0.2 patch ESX-1004824 (VCB) http://download3.vmware.com/software/vi/ESX-1004824.tgz md5sum: c72b0132c9f5d7b4cb1b9e47748a9c5b http://kb.vmware.com/kb/1004824 ESX 3.0.2 patch ESX-1006356 (bind) http://download3.vmware.com/software/vi/ESX-1006356.tgz md5sum: f0bc9d0b641954145df3986cdb1c2bab http://kb.vmware.com/kb/1006356 ESX 3.0.1 patch ESX-1005111 (libpng) http://download3.vmware.com/software/vi/ESX-1005111.tgz md5sum: 60e1be9b41070b3531c06f9a0595e24c http://kb.vmware.com/kb/1005111 ESX 3.0.1 patch ESX-1005112 (libpng) http://download3.vmware.com/software/vi/ESX-1005112.tgz md5sum: ad645cef0f9fa18bb648ba5a37074732 http://kb.vmware.com/kb/1005112 ESX 3.0.1 patch ESX-1005108 (libpng) http://download3.vmware.com/software/vi/ESX-1005108.tgz md5sum: aabc873d978f023c929ccd9a54588ea5 http://kb.vmware.com/kb/1005108 ESX 3.0.1 patch ESX-1004823 (VCB) http://download3.vmware.com/software/vi/ESX-1004823.tgz md5sum: 5ff2e8ce50c18afca76fb16c28415a59 http://kb.vmware.com/kb/1004823 ESX 3.0.1 patch ESX-1005117 (bind) http://download3.vmware.com/software/vi/ESX-1005117.tgz md5sum: 5271ecc6e36fb6f1fdf372e57891aa33 http://kb.vmware.com/kb/1005117 5. References CVE numbers http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2101 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5269 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3691 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3692 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3693 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3694 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3695 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5438 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3696 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3697 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3698 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1806 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1807 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1808 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5503 - ------------------------------------------------------------------------ 6. Change log 2008-08-29 VMSA-2008-0014 initial release - ------------------------------------------------------------------------ 7. Contact E-mail list for product security notifications and announcements: http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce This Security Advisory is posted to the following lists: * security-announce at lists.vmware.com * bugtraq at securityfocus.com * full-disclosure at lists.grok.org.uk E-mail: security at vmware.com PGP key at: http://kb.vmware.com/kb/1055 VMware Security Center http://www.vmware.com/security VMware security response policy http://www.vmware.com/support/policies/security_response.html General support life cycle policy http://www.vmware.com/support/policies/eos.html VMware Infrastructure support life cycle policy http://www.vmware.com/support/policies/eos_vi.html Copyright 2008 VMware Inc. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFIuI98S2KysvBH1xkRCJp7AJ9Mq0+CEdoQRLzPLSRbv5OLqXqUHACfUSRt bZpHL8qHcNwAiTVz6P3+W6E= =PQ58 -----END PGP SIGNATURE-----

AFFECTED PRODUCTS