[Security-announce] VMSA-2010-0002 VMware vCenter update release addresses multiple security issues in Java JRE

VMware Security Announcements security-announce at lists.vmware.com
Fri Jan 29 22:55:19 PST 2010


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -----------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID:       VMSA-2010-0002
Synopsis:          VMware vCenter update release addresses multiple
                   security issues in Java JRE
Issue date:        2010-01-29
Updated on:        2010-01-29 (initial release of advisory)
CVE numbers:       --- JRE ---
                   CVE-2009-1093 CVE-2009-1094 CVE-2009-1095
                   CVE-2009-1096 CVE-2009-1097 CVE-2009-1098
                   CVE-2009-1099 CVE-2009-1100 CVE-2009-1101
                   CVE-2009-1102 CVE-2009-1103 CVE-2009-1104
                   CVE-2009-1105 CVE-2009-1106 CVE-2009-1107
                   CVE-2009-2625 CVE-2009-2670 CVE-2009-2671
                   CVE-2009-2672 CVE-2009-2673 CVE-2009-2675
                   CVE-2009-2676 CVE-2009-2716 CVE-2009-2718
                   CVE-2009-2719 CVE-2009-2720 CVE-2009-2721
                   CVE-2009-2722 CVE-2009-2723 CVE-2009-2724
                   CVE-2009-3728 CVE-2009-3729 CVE-2009-3864
                   CVE-2009-3865 CVE-2009-3866 CVE-2009-3867
                   CVE-2009-3868 CVE-2009-3869 CVE-2009-3871
                   CVE-2009-3872 CVE-2009-3873 CVE-2009-3874
                   CVE-2009-3875 CVE-2009-3876 CVE-2009-3877
                   CVE-2009-3879 CVE-2009-3880 CVE-2009-3881
                   CVE-2009-3882 CVE-2009-3883 CVE-2009-3884
                   CVE-2009-3886 CVE-2009-3885                             
 
- -----------------------------------------------------------------------

1. Summary

   Updated Java JRE packages address several security issues.

2. Relevant releases

   Virtual Center 2.5 before Update 6

3. Problem Description

  a. Java JRE Security Update

    JRE update to version 1.5.0_22, which addresses multiple security
    issues that existed in earlier releases of JRE.

    The Common Vulnerabilities and Exposures project (cve.mitre.org) has
    assigned the following names to the security issues fixed in
    JRE 1.5.0_18: CVE-2009-1093, CVE-2009-1094, CVE-2009-1095,
    CVE-2009-1096, CVE-2009-1097, CVE-2009-1098, CVE-2009-1099,
    CVE-2009-1100, CVE-2009-1101, CVE-2009-1102, CVE-2009-1103,
    CVE-2009-1104, CVE-2009-1105, CVE-2009-1106, and CVE-2009-1107.

    The Common Vulnerabilities and Exposures project (cve.mitre.org) has
    assigned the following names to the security issues fixed in
    JRE 1.5.0_20: CVE-2009-2625, CVE-2009-2670, CVE-2009-2671,
    CVE-2009-2672, CVE-2009-2673, CVE-2009-2675, CVE-2009-2676,
    CVE-2009-2716, CVE-2009-2718, CVE-2009-2719, CVE-2009-2720,
    CVE-2009-2721, CVE-2009-2722, CVE-2009-2723, CVE-2009-2724.

    The Common Vulnerabilities and Exposures project (cve.mitre.org) has
    assigned the following names to the security issues fixed in
    JRE 1.5.0_22: CVE-2009-3728, CVE-2009-3729, CVE-2009-3864,
    CVE-2009-3865, CVE-2009-3866, CVE-2009-3867, CVE-2009-3868,
    CVE-2009-3869, CVE-2009-3871, CVE-2009-3872, CVE-2009-3873,
    CVE-2009-3874, CVE-2009-3875, CVE-2009-3876, CVE-2009-3877,
    CVE-2009-3879, CVE-2009-3880, CVE-2009-3881, CVE-2009-3882,
    CVE-2009-3883, CVE-2009-3884, CVE-2009-3886, CVE-2009-3885.

    The following table lists what action remediates the vulnerability
    (column 4) if a solution is available.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    vCenter        4.0       Windows  affected, patch pending *
    VirtualCenter  2.5       Windows  Update 6
    VirtualCenter  2.0.2     Windows  affected, patch pending
 
    Workstation    any       any      not affected

    Player         any       any      not affected

    Server         2.0       any      not being fixed at this time
    Server         1.0       any      not affected

    ACE            any       any      not affected

    Fusion         any       any      not affected
    ESXi           any       ESXi     not affected

    ESX            4.0       ESX      affected, patch pending *
    ESX            3.5       ESX      affected, patch pending **
    ESX            3.0.3     ESX      affected, patch pending
    ESX            2.5.5     ESX      not affected

    vMA            4.0       RHEL5    affected, patch pending

  * The JRE version of vCenter 4.0 and ESX 4.0 will be updated in the
    Update 2 release of vCenter 4.0 and ESX 4.0. See VMSA-2009-0016.1
    for the update of JRE in vCenter 4.0 Update 1 and in ESX 4.0
    Update 1.

  ** The JRE version of ESX 3.5 will be updated in an upcoming patch
     release. See VMSA-2009-0014.2 for the update of JRE in ESX 3.5
     Patch 18.
 
    Notes: These vulnerabilities can be exploited remotely only if the
           attacker has access to the Service Console network.

           Security best practices provided by VMware recommend that the
           Service Console be isolated from the VM network. Please see
           http://www.vmware.com/resources/techresources/726 for more
           information on VMware security best practices.

           The currently installed version of JRE depends on your patch
           deployment history.

   
4. Solution

   Please review the patch/release notes for your product and version
   and verify the sha1sum or md5sum of your downloaded file.

   VMware Virtual Center 2.5 Update 6
   ----------------------------------
   Version       2.5 Update 6
   Build Number  227637
   Release Date  2010/01/29
   Type          Product Binaries
   http://downloads.vmware.com/download/download.do?downloadGroup=VC250U6

   VirtualCenter DVD image - English only version
   File size: 854 MB
   File type: .iso
   md5sum: d83b09ac0533a418d5b7f5493dbd3ed3
   sha1sum: 1b969b397a937402b5e9463efc767eff7a980ad0

   VirtualCenter as a Zip file - English only version
   File size: 625 MB
   File type: .zip
   md5sum: 760f335ebcd363e0e159b20da923621f
   sha1sum: e400bc1008d1e4c44d204a8135293b8ae305f14e
   
   VMware vCenter Converter BootCD
   VMware Converter Enterprise BootCD for VirtualCenter
   File size: 97 MB
   File type: .zip
   md5sum: e49e0ff0f2563196cc5d4b5c471cd666

   VMware vCenter Converter CLI (Linux)
   VMware Converter Enterprise CLI for Linux platform
   File size: 37 MB
   File type: .tar.gz
   md5sum: 30d1f5e58a6cad8dacd988908305bc1c


5. References

   CVE numbers
   --- JRE ---
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1093
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1094
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1095
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1096
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1097
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1098
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1099
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1100
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1101
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1102
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1103
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1104
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1105
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1106
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1107
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2625
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2670
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2671
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2672
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2673
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2675
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2676
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2716
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2718
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2719
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2720
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2721
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2722
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2723
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2724
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3728
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3729
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3864
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3865
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3866
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3867
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3868
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3869
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3871
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3872
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3873
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3874
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3875
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3876
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3877
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3879
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3880
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3881
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3882
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3883
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3884
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3886
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3885             

- ------------------------------------------------------------------------
6. Change log

2010-01-29  VMSA-2010-0002
Initial security advisory after release of Virtual Center 2.5 Update 6
on 2010-01-29
 
- -----------------------------------------------------------------------
7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

  * security-announce at lists.vmware.com
  * bugtraq at securityfocus.com
  * full-disclosure at lists.grok.org.uk

E-mail:  security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055

VMware Security Center
http://www.vmware.com/security

VMware security response policy
http://www.vmware.com/support/policies/security_response.html

General support life cycle policy
http://www.vmware.com/support/policies/eos.html

VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html

Copyright 2010 VMware Inc.  All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8

wj8DBQFLY9epS2KysvBH1xkRAuU2AJ9FQ6hYWhzOB20chqfU/jS7aFR7PACeMZlU
7W9Oql7DLLL/bTzTAOrANXw=
=Su9v
-----END PGP SIGNATURE-----



More information about the Security-announce mailing list