VirtualCenter Update 4 and ESX patch update Tomcat to version 5.5.27
VMware Security Advisory
Updated VMware VirtualCenter Update 4 and ESX patch update Tomcat packages.
2. Relevant Releases
VirtualCenter 2.5 before Update 4 ESX 3.5 without patch ESX350-200910403-SG
3. Problem Description
a. Update for VirtualCenter and ESX patch update Apache Tomcat version to 5.5.27
Update for VirtualCenter and ESX patch update the Tomcat package to version 5.5.27 which addresses multiple security issues that existed in the previous version of Apache Tomcat.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2008-1232, CVE-2008-1947 and CVE-2008-2370 to these issues.
The following table lists what action remediates the vulnerability (column 4) if a solution is available.
VMware Product ===========
Product Version ===========
Running on ===========
Replace with/ Apply Path ===========
** Tomcat will be updated to version 6.0.20 in the next update release
Note: These vulnerabilities can be exploited remotely only if the attacker has access to the Service Console network.
Security best practices provided by VMware recommend that the Service Console be isolated from the VM network. Please see http://www.vmware.com/resources/techresources/726 for more information on VMware security best practices.
The currently installed version of Tomcat depends on your patch deployment history.
Please review the patch/release notes for your product and version and verify the md5sum of your downloaded file.
VMware VirtualCenter 2.5 Update 4
DVD iso image
6. Change Log
Initial security advisory after release of VirtualCenter 2.5 Update 4 on 2009-02-23.
Updated after release of ESX 3.5 patch 18 on 2009-10-16.
Updated after release of vCenter and ESX Update 1 on 2009-11-19.
E-mail list for product security notifications and announcements:
This Security Advisory is posted to the following lists:
- security-announce at lists.vmware.com
- bugtraq at securityfocus.com
- full-disclosure at lists.grok.org.uk
E-mail: security at vmware.com
PGP key at:
VMware Security Center
VMware security response policy
General support life cycle policy
VMware Infrastructure support life cycle policy
Copyright 2009 VMware Inc. All rights reserved.