VMSA-2009-0002.2

VirtualCenter Update 4 and ESX patch update Tomcat to version 5.5.27

VMware Security Advisory
 
VMware Security Advisory Advisory ID:
  VMSA-2009-0002.2
VMware Security Advisory Synopsis:
  VirtualCenter Update 4 and ESX patch update Tomcat to version 5.5.27
VMware Security Advisory Issue date:
  2009-02-23
VMware Security Advisory Updated on:
  2009-11-20
VMware Security Advisory CVE numbers:
  CVE-2008-1232 CVE-2008-1947 CVE-2008-2370
1. Summary

Updated VMware VirtualCenter Update 4 and ESX patch update Tomcat packages.

2. Relevant Releases

VirtualCenter 2.5 before Update 4 ESX 3.5 without patch ESX350-200910403-SG

3. Problem Description

a. Update for VirtualCenter and ESX patch update Apache Tomcat version to 5.5.27
Update for VirtualCenter and ESX patch update the Tomcat package to version 5.5.27 which addresses multiple security issues that existed in the previous version of Apache Tomcat.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2008-1232, CVE-2008-1947 and CVE-2008-2370 to these issues.
The following table lists what action remediates the vulnerability (column 4) if a solution is available.

VMware Product ===========
Product Version ===========
Running on ===========
Replace with/ Apply Path ===========
VMware Product =========== vCenter
Product Version =========== 4.0
Running on =========== Windows
Replace with/ Apply Path =========== see VMSA-2009-0016
VMware Product =========== VirtualCenter
Product Version =========== 2.5
Running on =========== Windows
Replace with/ Apply Path =========== VirtualCenter 2.5 Update 4
VMware Product =========== VirtualCenter
Product Version =========== 2.0.2
Running on =========== Windows
Replace with/ Apply Path =========== affected, patch pending
VMware Product =========== Workstation
Product Version =========== any
Running on =========== any
Replace with/ Apply Path =========== not affected
VMware Product =========== Player
Product Version =========== any
Running on =========== any
Replace with/ Apply Path =========== not affected
VMware Product =========== ACE
Product Version =========== any
Running on =========== Windows
Replace with/ Apply Path =========== not affected
VMware Product =========== Server
Product Version =========== 2.x
Running on =========== any
Replace with/ Apply Path =========== affected, patch pending
VMware Product =========== Server
Product Version =========== 1.x
Running on =========== any
Replace with/ Apply Path =========== not affected
VMware Product =========== Fusion
Product Version =========== any
Running on =========== Mac OS/X
Replace with/ Apply Path =========== not affected
VMware Product =========== ESXi
Product Version =========== any
Running on =========== ESXi
Replace with/ Apply Path =========== not affected
VMware Product =========== ESX
Product Version =========== 4.0
Running on =========== ESX
Replace with/ Apply Path =========== see VMSA-2009-0016
VMware Product =========== ESX
Product Version =========== 3.5
Running on =========== ESX
Replace with/ Apply Path =========== ESX350-200910403-SG
VMware Product =========== ESX
Product Version =========== 3.0.3
Running on =========== ESX
Replace with/ Apply Path =========== affected, patch pending
VMware Product =========== ESX
Product Version =========== 3.0.2
Running on =========== ESX
Replace with/ Apply Path =========== affected, end of life
VMware Product =========== ESX
Product Version =========== 2.5.5
Running on =========== ESX
Replace with/ Apply Path =========== not affected


** Tomcat will be updated to version 6.0.20 in the next update release
Note: These vulnerabilities can be exploited remotely only if the attacker has access to the Service Console network.
Security best practices provided by VMware recommend that the Service Console be isolated from the VM network. Please see http://www.vmware.com/resources/techresources/726 for more information on VMware security best practices.
The currently installed version of Tomcat depends on your patch deployment history.

4. Solution

Please review the patch/release notes for your product and version and verify the md5sum of your downloaded file.
VirtualCenter
-------------
VMware VirtualCenter 2.5 Update 4
http://www.vmware.com/download/download.do?downloadGroup=VC250U4
DVD iso image
md5sum: 4304334ed7662b6a43646e6dde0956d2
Zip file
md5sum: 1306cb9b25e28a06bab84257d7cbf38f
Release Notes
http://www.vmware.com/support/vi3/doc/vi3_vc25u4_rel_notes.html
ESX 3.5
-------
ESX350-200910403-SG
http://download3.vmware.com/software/vi/ESX350-200910403-SG.zip
md5sum: 0e90be5bd6aa986dc2356563e809a54f
sha1sum: a5968cf6db78e28d79a4fd0b4df172cadf0f7129
http://kb.vmware.com/kb/1013126

6. Change Log

2009-02-23 VMSA-2009-0002
Initial security advisory after release of VirtualCenter 2.5 Update 4 on 2009-02-23.
2009-10-16 VMSA-2009-0002.1
Updated after release of ESX 3.5 patch 18 on 2009-10-16.
2009-11-20 VMSA-2009-0002.2
Updated after release of vCenter and ESX Update 1 on 2009-11-19.

7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:

  • security-announce at lists.vmware.com
  • bugtraq at securityfocus.com
  • full-disclosure at lists.grok.org.uk
E-mail: security at vmware.com
PGP key at:
http://kb.vmware.com/kb/1055
VMware Security Center
http://www.vmware.com/security
VMware security response policy
http://www.vmware.com/support/policies/security_response.html
General support life cycle policy
http://www.vmware.com/support/policies/eos.html
VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html
Copyright 2009 VMware Inc. All rights reserved.

 

Sign up for Security Advisories

Enter your email address: