VMSA-2012-0003.1

VMware VirtualCenter Update and ESX 3.5 patch update JRE

1. Summary

VMware VirtualCenter Update 6b and ESX 3.5 patch update JRE.

2. Relevant releases

VirtualCenter 2.5 previous to Update 6b

ESX 3.5 without patch ESX350-201203401-SG

3. Problem Description

a. VirtualCenter and ESX, Oracle (Sun) JRE update 1.5.0_32
Oracle (Sun) JRE is updated to version 1.5.0_32, which addresses multiple security issues that existed in earlier releases of Oracle(Sun) JRE.
Oracle has documented the CVE identifiers that are addressed in JRE 1.5.0_32 in the Oracle Java SE Critical Patch Update Advisory of October 2011.
Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

* hosted products are VMware Workstation, Player, ACE, Fusion.

** this product uses the Oracle (Sun) JRE 1.6.0 family

4. Solution

VMware Virtual Center 2.5 Update 6b
---------------------------

http://www.vmware.com/download/download.do?downloadGroup=VC250U6B

vCenter Server DVD image - English only versionFile type: iso
MD5SUM: 085f7bddd2adf2c4ba5bd066271e2b06
SHA1SUM: 019ff0a67d150d0a3dbdac53bfde0b0eb69f9bfd

vCenter Server as a Zip file - English only version
File type: zip
MD5SUM: ee15ae73a66dd9dbc27fada476656aeb
SHA1SUM: a5c25d114d42f1aae11d7c741587cf57caff72a3

VMware vCenter Converter BootCD for vCenter Server
File type: .zip
Version: 4.0.3
MD5SUM: e49e0ff0f2563196cc5d4b5c471cd666

VMware vCenter Converter CLI for Linux platform
File type: .tar.gz
Version: 4.0.3
MD5SUM: 30d1f5e58a6cad8dacd988908305bc1c

ESX 3.5
---------------------------
ESX350-201203401-SG
http://downloads.vmware.com/go/selfsupport-download
md5sum: 07743c471ce46de825c36c2277ccd500
sha1sum: cb77e6f820e1015311bf2386b240fd84f0ad04dd
http://kb.vmware.com/kb/2009155

5. References

Oracle Java SE Critical Patch Update Advisory of October 2011
http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html

6. Change log

2012-03-08 VMSA-2012-0003 Initial security advisory in conjunction with the release of VirtualCenter Update 6b and patches for ESX 3.5 and ESXi 3.5 on 2012-03-08.

2012-09-13 VMSA-2012-0003.1 Updated security advisory in conjunction with the release of vSphere 4.0 U4a on 2012-09-12 and ESX 4.0 patches on 2012-09-13.

7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

• security-announce at lists.vmware.com
• bugtraq at securityfocus.com
• full-disclosure at lists.grok.org.uk

E-mail: security at vmware.com
PGP key at:
http://kb.vmware.com/kb/1055

VMware Security Advisories
http://www.vmware.com/security/advisories

VMware security response policy
http://www.vmware.com/support/policies/security_response.html

General support life cycle policy
http://www.vmware.com/support/policies/eos.html

VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html

Copyright 2012 VMware Inc. All rights reserved.