TUCoPS :: VMWare :: bu-1663.htm

VMware vCenter update release addresses multiple security issues in Java JRE
VMSA-2010-0002 VMware vCenter update release addresses multiple security issues in Java JRE
VMSA-2010-0002 VMware vCenter update release addresses multiple security issues in Java JRE



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -----------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID:       VMSA-2010-0002
Synopsis:          VMware vCenter update release addresses multiple
                   security issues in Java JRE
Issue date:        2010-01-29
Updated on:        2010-01-29 (initial release of advisory)
CVE numbers:       --- JRE ---
                   CVE-2009-1093 CVE-2009-1094 CVE-2009-1095
                   CVE-2009-1096 CVE-2009-1097 CVE-2009-1098
                   CVE-2009-1099 CVE-2009-1100 CVE-2009-1101
                   CVE-2009-1102 CVE-2009-1103 CVE-2009-1104
                   CVE-2009-1105 CVE-2009-1106 CVE-2009-1107
                   CVE-2009-2625 CVE-2009-2670 CVE-2009-2671
                   CVE-2009-2672 CVE-2009-2673 CVE-2009-2675
                   CVE-2009-2676 CVE-2009-2716 CVE-2009-2718
                   CVE-2009-2719 CVE-2009-2720 CVE-2009-2721
                   CVE-2009-2722 CVE-2009-2723 CVE-2009-2724
                   CVE-2009-3728 CVE-2009-3729 CVE-2009-3864
                   CVE-2009-3865 CVE-2009-3866 CVE-2009-3867
                   CVE-2009-3868 CVE-2009-3869 CVE-2009-3871
                   CVE-2009-3872 CVE-2009-3873 CVE-2009-3874
                   CVE-2009-3875 CVE-2009-3876 CVE-2009-3877
                   CVE-2009-3879 CVE-2009-3880 CVE-2009-3881
                   CVE-2009-3882 CVE-2009-3883 CVE-2009-3884
                   CVE-2009-3886 CVE-2009-3885                             
 
- -----------------------------------------------------------------------

1. Summary

   Updated Java JRE packages address several security issues.

2. Relevant releases

   Virtual Center 2.5 before Update 6

3. Problem Description

  a. Java JRE Security Update

    JRE update to version 1.5.0_22, which addresses multiple security
    issues that existed in earlier releases of JRE.

    The Common Vulnerabilities and Exposures project (cve.mitre.org) has
    assigned the following names to the security issues fixed in
    JRE 1.5.0_18: CVE-2009-1093, CVE-2009-1094, CVE-2009-1095,
    CVE-2009-1096, CVE-2009-1097, CVE-2009-1098, CVE-2009-1099,
    CVE-2009-1100, CVE-2009-1101, CVE-2009-1102, CVE-2009-1103,
    CVE-2009-1104, CVE-2009-1105, CVE-2009-1106, and CVE-2009-1107.

    The Common Vulnerabilities and Exposures project (cve.mitre.org) has
    assigned the following names to the security issues fixed in
    JRE 1.5.0_20: CVE-2009-2625, CVE-2009-2670, CVE-2009-2671,
    CVE-2009-2672, CVE-2009-2673, CVE-2009-2675, CVE-2009-2676,
    CVE-2009-2716, CVE-2009-2718, CVE-2009-2719, CVE-2009-2720,
    CVE-2009-2721, CVE-2009-2722, CVE-2009-2723, CVE-2009-2724.

    The Common Vulnerabilities and Exposures project (cve.mitre.org) has
    assigned the following names to the security issues fixed in
    JRE 1.5.0_22: CVE-2009-3728, CVE-2009-3729, CVE-2009-3864,
    CVE-2009-3865, CVE-2009-3866, CVE-2009-3867, CVE-2009-3868,
    CVE-2009-3869, CVE-2009-3871, CVE-2009-3872, CVE-2009-3873,
    CVE-2009-3874, CVE-2009-3875, CVE-2009-3876, CVE-2009-3877,
    CVE-2009-3879, CVE-2009-3880, CVE-2009-3881, CVE-2009-3882,
    CVE-2009-3883, CVE-2009-3884, CVE-2009-3886, CVE-2009-3885.

    The following table lists what action remediates the vulnerability
    (column 4) if a solution is available.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  ================    vCenter        4.0       Windows  affected, patch pending *
    VirtualCenter  2.5       Windows  Update 6
    VirtualCenter  2.0.2     Windows  affected, patch pending
 
    Workstation    any       any      not affected

    Player         any       any      not affected

    Server         2.0       any      not being fixed at this time
    Server         1.0       any      not affected

    ACE            any       any      not affected

    Fusion         any       any      not affected
    ESXi           any       ESXi     not affected

    ESX            4.0       ESX      affected, patch pending *
    ESX            3.5       ESX      affected, patch pending **
    ESX            3.0.3     ESX      affected, patch pending
    ESX            2.5.5     ESX      not affected

    vMA            4.0       RHEL5    affected, patch pending

  * The JRE version of vCenter 4.0 and ESX 4.0 will be updated in the
    Update 2 release of vCenter 4.0 and ESX 4.0. See VMSA-2009-0016.1
    for the update of JRE in vCenter 4.0 Update 1 and in ESX 4.0
    Update 1.

  ** The JRE version of ESX 3.5 will be updated in an upcoming patch
     release. See VMSA-2009-0014.2 for the update of JRE in ESX 3.5
     Patch 18.
 
    Notes: These vulnerabilities can be exploited remotely only if the
           attacker has access to the Service Console network.

           Security best practices provided by VMware recommend that the
           Service Console be isolated from the VM network. Please see
http://www.vmware.com/resources/techresources/726 for more 
           information on VMware security best practices.

           The currently installed version of JRE depends on your patch
           deployment history.

   
4. Solution

   Please review the patch/release notes for your product and version
   and verify the sha1sum or md5sum of your downloaded file.

   VMware Virtual Center 2.5 Update 6
   ----------------------------------
   Version       2.5 Update 6
   Build Number  227637
   Release Date  2010/01/29
   Type          Product Binaries
http://downloads.vmware.com/download/download.do?downloadGroup=VC250U6 

   VirtualCenter DVD image - English only version
   File size: 854 MB
   File type: .iso
   md5sum: d83b09ac0533a418d5b7f5493dbd3ed3
   sha1sum: 1b969b397a937402b5e9463efc767eff7a980ad0

   VirtualCenter as a Zip file - English only version
   File size: 625 MB
   File type: .zip
   md5sum: 760f335ebcd363e0e159b20da923621f
   sha1sum: e400bc1008d1e4c44d204a8135293b8ae305f14e
   
   VMware vCenter Converter BootCD
   VMware Converter Enterprise BootCD for VirtualCenter
   File size: 97 MB
   File type: .zip
   md5sum: e49e0ff0f2563196cc5d4b5c471cd666

   VMware vCenter Converter CLI (Linux)
   VMware Converter Enterprise CLI for Linux platform
   File size: 37 MB
   File type: .tar.gz
   md5sum: 30d1f5e58a6cad8dacd988908305bc1c



5. References

   CVE numbers
   --- JRE ---
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1093 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1094 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1095 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1096 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1097 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1098 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1099 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1100 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1101 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1102 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1103 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1104 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1105 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1106 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1107 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2625 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2670 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2671 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2672 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2673 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2675 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2676 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2716 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2718 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2719 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2720 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2721 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2722 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2723 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2724 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3728 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3729 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3864 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3865 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3866 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3867 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3868 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3869 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3871 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3872 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3873 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3874 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3875 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3876 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3877 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3879 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3880 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3881 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3882 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3883 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3884 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3886 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3885 

- ------------------------------------------------------------------------
6. Change log

2010-01-29  VMSA-2010-0002
Initial security advisory after release of Virtual Center 2.5 Update 6
on 2010-01-29
 
- -----------------------------------------------------------------------
7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce 

This Security Advisory is posted to the following lists:

  * security-announce at lists.vmware.com
  * bugtraq at securityfocus.com
  * full-disclosure at lists.grok.org.uk

E-mail:  security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055 

VMware Security Center
http://www.vmware.com/security 

VMware security response policy
http://www.vmware.com/support/policies/security_response.html 

General support life cycle policy
http://www.vmware.com/support/policies/eos.html 

VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html 

Copyright 2010 VMware Inc.  All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8

wj8DBQFLY9rGS2KysvBH1xkRArbSAJ9VArpROb/WYxDFHVWpxoZvX60t4wCfQVqo
F4sDVTv0QCg807Ds70VV454=OKeR
-----END PGP SIGNATURE-----


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH