Sign up for Security
Advisories

Enter your email address:


VMSA-2009-0002.2

VirtualCenter Update 4 and ESX patch update Tomcat to version 5.5.27

VMware Security Advisory
Advisory ID: VMSA-2009-0002.2
Synopsis: VirtualCenter Update 4 and ESX patch update Tomcat to version 5.5.27
Issue date: 2009-02-23
Updated on: 2009-11-20
CVE numbers: CVE-2008-1232 CVE-2008-1947 CVE-2008-2370
1. Summary
Updated VMware VirtualCenter Update 4 and ESX patch update Tomcat packages.
2. Relevant Releases
VirtualCenter 2.5 before Update 4 ESX 3.5 without patch ESX350-200910403-SG
3. Problem Description
a. Update for VirtualCenter and ESX patch update Apache Tomcat version to 5.5.27
Update for VirtualCenter and ESX patch update the Tomcat package to version 5.5.27 which addresses multiple security issues that existed in the previous version of Apache Tomcat.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2008-1232, CVE-2008-1947 and CVE-2008-2370 to these issues.
The following table lists what action remediates the vulnerability (column 4) if a solution is available.

VMware
Product

Product
Version
Running on Replace with/
Apply Path
=========== =========== =========== ===========
vCenter 4.0 Windows see VMSA-2009-0016
VirtualCenter 2.5 Windows VirtualCenter 2.5 Update 4
VirtualCenter 2.0.2 Windows affected, patch pending
Workstation any any not affected
Player any any not affected
ACE any Windows not affected
Server 2.x any affected, patch pending
Server 1.x any not affected
Fusion any Mac OS/X not affected
ESXi any ESXi not affected
ESX 4.0 ESX see VMSA-2009-0016
ESX 3.5 ESX ESX350-200910403-SG
ESX 3.0.3 ESX affected, patch pending
ESX 3.0.2 ESX affected, end of life
ESX 2.5.5 ESX not affected

** Tomcat will be updated to version 6.0.20 in the next update release
Note: These vulnerabilities can be exploited remotely only if the attacker has access to the Service Console network.
Security best practices provided by VMware recommend that the Service Console be isolated from the VM network. Please see http://www.vmware.com/resources/techresources/726 for more information on VMware security best practices.
The currently installed version of Tomcat depends on your patch deployment history.
4. Solution
Please review the patch/release notes for your product and version and verify the md5sum of your downloaded file.
VirtualCenter
-------------
VMware VirtualCenter 2.5 Update 4
http://www.vmware.com/download/download.do?downloadGroup=VC250U4
DVD iso image
md5sum: 4304334ed7662b6a43646e6dde0956d2
Zip file
md5sum: 1306cb9b25e28a06bab84257d7cbf38f
Release Notes
http://www.vmware.com/support/vi3/doc/vi3_vc25u4_rel_notes.html
ESX 3.5
-------
ESX350-200910403-SG
http://download3.vmware.com/software/vi/ESX350-200910403-SG.zip
md5sum: 0e90be5bd6aa986dc2356563e809a54f
sha1sum: a5968cf6db78e28d79a4fd0b4df172cadf0f7129
http://kb.vmware.com/kb/1013126
6. Change Log
2009-02-23 VMSA-2009-0002
Initial security advisory after release of VirtualCenter 2.5 Update 4 on 2009-02-23.
2009-10-16 VMSA-2009-0002.1
Updated after release of ESX 3.5 patch 18 on 2009-10-16.
2009-11-20 VMSA-2009-0002.2
Updated after release of vCenter and ESX Update 1 on 2009-11-19.
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
  • security-announce at lists.vmware.com
  • bugtraq at securityfocus.com
  • full-disclosure at lists.grok.org.uk
E-mail: security at vmware.com
PGP key at:
http://kb.vmware.com/kb/1055
VMware Security Center
http://www.vmware.com/security
VMware security response policy
http://www.vmware.com/support/policies/security_response.html
General support life cycle policy
http://www.vmware.com/support/policies/eos.html
VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html
Copyright 2009 VMware Inc. All rights reserved.