VMware

VMSA-2009-0002.2

Updated VMware VirtualCenter Update 4 and ESX patch update Tomcat packages.

------------------------------------------------------------------------
                   VMware Security Advisory



Advisory ID:       VMSA-2009-0002.2
Synopsis:          VirtualCenter Update 4 and ESX patch update Tomcat 
                   to version 5.5.27
Issue date:        2009-02-23
Updated on:        2009-11-20 
CVE numbers:       CVE-2008-1232 CVE-2008-1947 CVE-2008-2370
------------------------------------------------------------------------



1. Summary



   Updated VMware VirtualCenter Update 4 and ESX patch update Tomcat 
   packages.



2. Relevant releases



   VirtualCenter 2.5 before Update 4
   ESX 3.5 without patch ESX350-200910403-SG



3. Problem Description



 a. Update for VirtualCenter and ESX patch update Apache Tomcat version
    to 5.5.27



   Update for VirtualCenter and ESX patch update the Tomcat package to 
   version 5.5.27 which addresses multiple security issues that existed 
   in the previous version of Apache Tomcat.



   The Common Vulnerabilities and Exposures project (cve.mitre.org)
   has assigned the names CVE-2008-1232, CVE-2008-1947 and 
   CVE-2008-2370 to these issues.



   The following table lists what action remediates the vulnerability 
   (column 4) if a solution is available. 



   VMware        Product   Running  Replace with/
   Product       Version   on       Apply Patch
   ========      ========  =======  =======================
   vCenter       4.0       Windows  see VMSA-2009-0016
   VirtualCenter 2.5       Windows  VirtualCenter 2.5 Update 4
   VirtualCenter 2.0.2     Windows  affected, patch pending



   Workstation   any       any      not affected



   Player        any       any      not affected



   ACE           any       Windows  not affected



   Server        2.x       any      affected, patch pending
   Server        1.x       any      not affected



   Fusion        any       Mac OS/X not affected



   ESXi          any       ESXi     not affected



   ESX           4.0       ESX      see VMSA-2009-0016
   ESX           3.5       ESX      ESX350-200910403-SG
   ESX           3.0.3     ESX      affected, patch pending
   ESX           3.0.2     ESX      affected, end of life
   ESX           2.5.5     ESX      not affected



   ** Tomcat will be updated to version 6.0.20 in the next update release



 Note: These vulnerabilities can be exploited remotely only if the
        attacker has access to the Service Console network.



        Security best practices provided by VMware recommend that the
        Service Console be isolated from the VM network. Please see
        http://www.vmware.com/resources/techresources/726 for more
        information on VMware security best practices.



        The currently installed version of Tomcat depends on your patch 
        deployment history.



4. Solution



   Please review the patch/release notes for your product and version
   and verify the md5sum of your downloaded file.



   VirtualCenter
   -------------
   VMware VirtualCenter 2.5 Update 4
   http://www.vmware.com/download/download.do?downloadGroup=VC250U4
   DVD iso image
   md5sum: 4304334ed7662b6a43646e6dde0956d2
   Zip file
   md5sum: 1306cb9b25e28a06bab84257d7cbf38f
   Release Notes
   http://www.vmware.com/support/vi3/doc/vi3_vc25u4_rel_notes.html



   ESX 3.5
   -------
   ESX350-200910403-SG
   http://download3.vmware.com/software/vi/ESX350-200910403-SG.zip
   md5sum: 0e90be5bd6aa986dc2356563e809a54f
   sha1sum: a5968cf6db78e28d79a4fd0b4df172cadf0f7129
   http://kb.vmware.com/kb/1013126



5. References



   Tomcat release notes
   http://tomcat.apache.org/security-5.html



   CVE numbers
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1232
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1947
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2370



------------------------------------------------------------------------
6. Change log



2009-02-23  VMSA-2009-0002
Initial security advisory after release of VirtualCenter 2.5 Update 4 
on 2009-02-23.
2009-10-16  VMSA-2009-0002.1
Updated after release of ESX 3.5 patch 18 on 2009-10-16.
2009-11-20  VMSA-2009-0002.2
Updated after release of vCenter and ESX Update 1 on 2009-11-19.
 
-----------------------------------------------------------------------
7. Contact



E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce



This Security Advisory is posted to the following lists:



  * security-announce at lists.vmware.com
  * bugtraq at securityfocus.com
  * full-disclosure at lists.grok.org.uk



E-mail:  security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055



VMware Security Center
http://www.vmware.com/security



VMware security response policy
http://www.vmware.com/support/policies/security_response.html



General support life cycle policy
http://www.vmware.com/support/policies/eos.html



VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html



Copyright 2009 VMware Inc.  All rights reserved.

Sign Up for Email Alerts

Enter your email address: