VMSA-2009-0002:VirtualCenter Update 4 and ESX patch update Tomcat to version 5.5.27
23396
21 February 2009
21 February 2009
CLOSED
HIGH
CVE-2008-1232,CVE-2008-1947,CVE-2008-2370
VMSA-2009-0002.2
VirtualCenter Update 4 and ESX patch update Tomcat to version 5.5.27
VMware Security Advisory
1. Summary
Updated VMware VirtualCenter Update 4 and ESX patch update Tomcat packages.
2. Relevant Releases
VirtualCenter 2.5 before Update 4 ESX 3.5 without patch ESX350-200910403-SG
3. Problem Description
a. Update for VirtualCenter and ESX patch update Apache Tomcat version to 5.5.27
Update for VirtualCenter and ESX patch update the Tomcat package to version 5.5.27 which addresses multiple security issues that existed in the previous version of Apache Tomcat.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2008-1232, CVE-2008-1947 and CVE-2008-2370 to these issues.
The following table lists what action remediates the vulnerability (column 4) if a solution is available.
VMware Product ===========
Product Version ===========
Running on ===========
Replace with/ Apply Path ===========
** Tomcat will be updated to version 6.0.20 in the next update release
Note: These vulnerabilities can be exploited remotely only if the attacker has access to the Service Console network.
Security best practices provided by VMware recommend that the Service Console be isolated from the VM network. Please see http://www.vmware.com/resources/techresources/726 for more information on VMware security best practices.
The currently installed version of Tomcat depends on your patch deployment history.
4. Solution
Please review the patch/release notes for your product and version and verify the md5sum of your downloaded file.
VirtualCenter
-------------
VMware VirtualCenter 2.5 Update 4
http://www.vmware.com/download/download.do?downloadGroup=VC250U4
DVD iso image
md5sum: 4304334ed7662b6a43646e6dde0956d2
Zip file
md5sum: 1306cb9b25e28a06bab84257d7cbf38f
Release Notes
http://www.vmware.com/support/vi3/doc/vi3_vc25u4_rel_notes.html
ESX 3.5
-------
ESX350-200910403-SG
http://download3.vmware.com/software/vi/ESX350-200910403-SG.zip
md5sum: 0e90be5bd6aa986dc2356563e809a54f
sha1sum: a5968cf6db78e28d79a4fd0b4df172cadf0f7129
http://kb.vmware.com/kb/1013126
6. Change Log
2009-02-23 VMSA-2009-0002
Initial security advisory after release of VirtualCenter 2.5 Update 4 on 2009-02-23.
2009-10-16 VMSA-2009-0002.1
Updated after release of ESX 3.5 patch 18 on 2009-10-16.
2009-11-20 VMSA-2009-0002.2
Updated after release of vCenter and ESX Update 1 on 2009-11-19.
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
- security-announce at lists.vmware.com
- bugtraq at securityfocus.com
- full-disclosure at lists.grok.org.uk
E-mail: security at vmware.com
PGP key at:
http://kb.vmware.com/kb/1055
VMware Security Center
http://www.vmware.com/security
VMware security response policy
http://www.vmware.com/support/policies/security_response.html
General support life cycle policy
http://www.vmware.com/support/policies/eos.html
VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html
Copyright 2009 VMware Inc. All rights reserved.