[Security-announce] UPDATED VMSA-2008-0002.1 Low severity security update for VirtualCenter and ESX
security-announce at lists.vmware.com
Tue Apr 15 18:12:56 PDT 2008
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
- -------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2008-0002.1
Synopsis: Low severity security update for VirtualCenter and ESX
Issue date: 2008-01-07
Updated on: 2008-04-15
CVE numbers: CVE-2005-2090 CVE-2006-7195 CVE-2007-0450 CVE-2007-3004
- -------------------------------------------------------------------
1. Summary:
  Updated Tomcat and Java JRE packages for VirtualCenter 2.0,
  VirtualCenter 2.5, ESX 3.5, ESX 3.0.2, and ESX 3.0.1.
2. Relevant releases:
  VirtualCenter Management Server 2.0
  VirtualCenter Management Server 2.5 update 1
  ESX 3.5 without patch ESX350-200803215-UG
  ESX 3.0.2 without patch ESX-1002434
  ESX 3.0.1 without patch ESX-1003176
3. Problem description:
  Updated VirtualCenter fixes the following application vulnerabilities:

  a. Tomcat Server Security Update

     This release of VirtualCenter Server updates the Tomcat Server
     package from 5.5.17 to 5.5.25, which addresses multiple security
     issues that existed in the earlier releases of Tomcat Server.

     The Common Vulnerabilities and Exposures project (cve.mitre.org) has
     assigned the names CVE-2005-2090, CVE-2006-7195, and CVE-2007-0450 to
     these issues.

  b. JRE Security Update

     This release of VirtualCenter Server updates the JRE package from
     1.5.0_7 to 1.5.0_12, which addresses a security issue that existed in
     the earlier release of JRE.

     The Common Vulnerabilities and Exposures project (cve.mitre.org) has
     assigned the name CVE-2007-3004 to this issue.

  NOTE: These vulnerabilities can be exploited remotely only if the
        attacker has access to the service console network.

        Security best practices provided by VMware recommend that the
        service console be isolated from the VM network. Please see
        http://www.vmware.com/resources/techresources/726 for more
        information on VMware security best practices.
4. Solution:
Please review the Patch notes for your product and version and verify
the md5sum of your downloaded file.

  VMware VirtualCenter 2.5 Update 1 Release Notes
  http://www.vmware.com/support/vi3/doc/vi3_esx35u1_vc25u1_rel_notes.html
    VirtualCenter CD image
    md5sum: 0b5da72003e5627ae12669c2d43821e5
    VirtualCenter as Zip
    md5sum: 9146aa4743c0a56e37921f62fb898a64

  VMware VirtualCenter 2.0.2 Update 2 Release Notes
  http://www.vmware.com/support/vi3/doc/releasenotes_vc202u2.html
    VirtualCenter CD image
    md5sum: d7d98a5d7f8afff32cee848f860d3ba7
    VirtualCenter as Zip
    md5sum: 3b42ec350121659e10352ca2d76e212b

  ESX 3.5
    http://download3.vmware.com/software/esx/ESX350-200803215-UG.zip
    md5sum: 225f16bbcf74f4312f0038d1dd018b27
    http://kb.vmware.com/kb/1003723

  ESX 3.0.2 ESX-1002434
    http://download3.vmware.com/software/vi/ESX-1002434.tgz
    md5sum: 2f52251f6ace3d50934344ef313539d5
    http://kb.vmware.com/kb/1002434

  ESX 3.0.1 ESX-1003176
    http://download3.vmware.com/software/vi/ESX-1003176.tgz
    md5sum: 5674ca0dcfac90726014cc316444996e
    http://kb.vmware.com/kb/1003176
5. References:
  CVE numbers
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2090
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7195
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0450
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3004
6. Change log:
2008-01-07 VMSA-2008-0002 Initial release
2008-04-15 VMSA-2008-0002.1 Added patch information for
                            ESX 3.5 patch release on 2008-03-10
                            and for VirtualCenter 2.5 update 1
                            release on 2008-04-10
- -------------------------------------------------------------------
7. Contact:
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
  * security-announce at lists.vmware.com
  * bugtraq at securityfocus.com
  * full-disclosure at lists.grok.org.uk
E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055
Security web site
http://www.vmware.com/security
VMware security response policy
http://www.vmware.com/support/policies/security_response.html
General support life cycle policy
http://www.vmware.com/support/policies/eos.html
VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html
Copyright 2008 VMware Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
iD8DBQFIBVH1S2KysvBH1xkRCKAnAJ97153HHFbvDItkKlCAUyQ95Nd4/QCdEM7N
18enS4La1tdNZFCncAX7E/4=
=dm1V
-----END PGP SIGNATURE-----
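
The md5sum check requested in section 4, as an added example that is not part of VMware's advisory: a POSIX shell script that verifies downloaded ESX patch bundles against the digests listed there. It assumes the local file names match the last component of each download URL; the function names `verify_md5` and `check_dir` are this example's own.

```shell
#!/bin/sh
# Added example (not VMware's code): verify ESX patch bundles against the
# md5sums in section 4 of VMSA-2008-0002.1.
# Assumption: local file names match the last component of each download URL.
ADVISORY_SUMS='225f16bbcf74f4312f0038d1dd018b27  ESX350-200803215-UG.zip
2f52251f6ace3d50934344ef313539d5  ESX-1002434.tgz
5674ca0dcfac90726014cc316444996e  ESX-1003176.tgz'

# verify_md5 FILE EXPECTED_HEX
# Returns 0 on match, 1 on mismatch, 2 if FILE is unreadable,
# 3 if EXPECTED_HEX is not a 32-character hex digest.
verify_md5() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    case $expected in
        ''|*[!0-9a-f]*) return 3 ;;
    esac
    [ "${#expected}" -eq 32 ] || return 3
    [ -r "$file" ] || return 2
    actual=$(md5sum < "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# check_dir DIR
# Checks each advisory bundle found in DIR and prints one status line each.
# A bundle that is absent is reported but not treated as a failure, since an
# administrator normally downloads only the patch for the installed release.
# Returns 1 if any bundle that is present fails verification.
check_dir() {
    dir=$1
    rc=0
    while read -r sum name; do
        result=0
        verify_md5 "$dir/$name" "$sum" || result=$?
        case $result in
            0) echo "OK        $name" ;;
            2) echo "ABSENT    $name" ;;
            *) echo "MISMATCH  $name"; rc=1 ;;
        esac
    done <<EOF
$ADVISORY_SUMS
EOF
    return "$rc"
}

# Usage: sh verify_vmsa.sh /path/to/downloads
if [ "$#" -gt 0 ]; then
    check_dir "$1"
fi
```

A matching MD5 shows the download is complete and uncorrupted; the digests themselves are only as trustworthy as the PGP signature on the advisory that carries them.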