Sign up for Security
Advisories

Enter your email address:


VMSA-2008-0002.1

Updated Tomcat and Java JRE packages for VirtualCenter 2.5, VirtualCenter 2.0.2, ESX 3.5, ESX 3.0.2, and ESX 3.0.1.

VMware Security Advisory
Advisory ID: VMSA-2008-0002.1
Synopsis: Updated Tomcat and Java JRE packages for VirtualCenter 2.5, VirtualCenter 2.0.2, ESX 3.5, ESX 3.0.2, and ESX 3.0.1.
Issue date: 2008-01-07
Updated on: 2008-04-15
CVE numbers: CVE-2005-2090 CVE-2006-7195
CVE-2007-0450 CVE-2007-3004
1. Summary
Updated Tomcat and Java JRE packages for VirtualCenter 2.0, VirtualCenter 2.5, ESX 3.5, ESX 3.0.2, and ESX 3.0.1.
2. Relevant releases
VirtualCenter Management Server 2.0

VirtualCenter Management Server 2.5 update 1

ESX 3.5 without patch ESX350-200803215-UG

ESX 3.0.2 without patch ESX-1002434

ESX 3.0.1 without patch ESX-1003176
3. Problem description
Updated ESX and VirtualCenter fixes the following application vulnerabilities
a. Tomcat Server Security Update
This release of VirtualCenter Server updates the Tomcat Server package from 5.5.17 to 5.5.25, which addresses multiple security issues that existed in the earlier releases of Tomcat Server.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2005-2090, CVE-2006-7195, and CVE-2007-0450 to these issues.
b. JRE Security Update
This release of VirtualCenter Server updates the JRE package from 1.5.0_7 to 1.5.0_12, which addresses a security issue that existed in the earlier release of JRE.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2007-3004 to this issue.

NOTE: These vulnerabilities can be exploited remotely only if the attacker has access to the service console network.

Security best practices provided by VMware recommend that the service console be isolated from the VM network. Please see www.vmware.com/resources/techresources/726 for more information on VMware security best practices.
4. Solution
Please review the Patch notes for your product and version and verify the md5sum of your downloaded file.

VMware VirtualCenter 2.5 Update 1 Release Notes
www.vmware.com/support/vi3/doc/vi3_esx35u1_vc25u1_rel_notes.html

VirtualCenter CD image
md5sum: 0b5da72003e5627ae12669c2d43821e5

VirtualCenter as Zip
md5sum: 9146aa4743c0a56e37921f62fb898a64

VMware VirtualCenter 2.0.2 Update 2 Release Notes
www.vmware.com/support/vi3/doc/releasenotes_vc202u2.html

VirtualCenter CD image
md5sum d7d98a5d7f8afff32cee848f860d3ba7

VirtualCenter as Zip
md5sum 3b42ec350121659e10352ca2d76e212b

ESX 3.5
download3.vmware.com/software/esx/ESX350-200803215-UG.zip
md5sum: 225f16bbcf74f4312f0038d1dd018b27
kb.vmware.com/kb/1003723

ESX 3.0.2 ESX-1002434
download3.vmware.com/software/vi/ESX-1002434.tgz
md5sum: 2f52251f6ace3d50934344ef313539d5
kb.vmware.com/kb/1002434

ESX 3.0.1 ESX-1003176
download3.vmware.com/software/vi/ESX-1003176.tgz
md5sum: 5674ca0dcfac90726014cc316444996e
kb.vmware.com/kb/1003176
6. Change log
2008-01-07 VMSA-2008-0002

Initial release

2008-04-15 VMSA-2008-0002.1

Added patch information for ESX 3.5 patch release on 2008-03-10 and for VirtualCenter 2.5 update 1 release on 2008-04-10
7. Contact
E-mail list for product security notifications and announcements:
lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

* security-announce at lists.vmware.com
* bugtraq at securityfocus.com
* full-disclosure at lists.grok.org.uk

E-mail: security at vmware.com
PGP key at: kb.vmware.com/kb/1055

Security web site
www.vmware.com/security

VMware security response policy
www.vmware.com/support/policies/security_response.html

General support life cycle policy
www.vmware.com/support/policies/eos.html

VMware Infrastructure support life cycle policy
www.vmware.com/support/policies/eos_vi.html