Sign up for Security

Enter your email address:


VirtualCenter Update 4 and ESX patch update Tomcat to version 5.5.27

VMware Security Advisory
Advisory ID: VMSA-2009-0002.2
Synopsis: VirtualCenter Update 4 and ESX patch update Tomcat to version 5.5.27
Issue date: 2009-02-23
Updated on: 2009-11-20
CVE numbers: CVE-2008-1232 CVE-2008-1947 CVE-2008-2370
1. Summary
Updated VMware VirtualCenter Update 4 and ESX patch update Tomcat packages.
2. Relevant Releases
VirtualCenter 2.5 before Update 4 ESX 3.5 without patch ESX350-200910403-SG
3. Problem Description
a. Update for VirtualCenter and ESX patch update Apache Tomcat version to 5.5.27
Update for VirtualCenter and ESX patch update the Tomcat package to version 5.5.27 which addresses multiple security issues that existed in the previous version of Apache Tomcat.
The Common Vulnerabilities and Exposures project ( has assigned the names CVE-2008-1232, CVE-2008-1947 and CVE-2008-2370 to these issues.
The following table lists what action remediates the vulnerability (column 4) if a solution is available.


Running on Replace with/
Apply Path
=========== =========== =========== ===========
vCenter 4.0 Windows see VMSA-2009-0016
VirtualCenter 2.5 Windows VirtualCenter 2.5 Update 4
VirtualCenter 2.0.2 Windows affected, patch pending
Workstation any any not affected
Player any any not affected
ACE any Windows not affected
Server 2.x any affected, patch pending
Server 1.x any not affected
Fusion any Mac OS/X not affected
ESXi any ESXi not affected
ESX 4.0 ESX see VMSA-2009-0016
ESX 3.5 ESX ESX350-200910403-SG
ESX 3.0.3 ESX affected, patch pending
ESX 3.0.2 ESX affected, end of life
ESX 2.5.5 ESX not affected

** Tomcat will be updated to version 6.0.20 in the next update release
Note: These vulnerabilities can be exploited remotely only if the attacker has access to the Service Console network.
Security best practices provided by VMware recommend that the Service Console be isolated from the VM network. Please see for more information on VMware security best practices.
The currently installed version of Tomcat depends on your patch deployment history.
4. Solution
Please review the patch/release notes for your product and version and verify the md5sum of your downloaded file.
VMware VirtualCenter 2.5 Update 4
DVD iso image
md5sum: 4304334ed7662b6a43646e6dde0956d2
Zip file
md5sum: 1306cb9b25e28a06bab84257d7cbf38f
Release Notes
ESX 3.5
md5sum: 0e90be5bd6aa986dc2356563e809a54f
sha1sum: a5968cf6db78e28d79a4fd0b4df172cadf0f7129
6. Change Log
2009-02-23 VMSA-2009-0002
Initial security advisory after release of VirtualCenter 2.5 Update 4 on 2009-02-23.
2009-10-16 VMSA-2009-0002.1
Updated after release of ESX 3.5 patch 18 on 2009-10-16.
2009-11-20 VMSA-2009-0002.2
Updated after release of vCenter and ESX Update 1 on 2009-11-19.
7. Contact
E-mail list for product security notifications and announcements:
This Security Advisory is posted to the following lists:
  • security-announce at
  • bugtraq at
  • full-disclosure at
E-mail: security at
PGP key at:
VMware Security Center
VMware security response policy
General support life cycle policy
VMware Infrastructure support life cycle policy
Copyright 2009 VMware Inc. All rights reserved.