VMware Security Team
Mon, 01 Feb 2010 12:03:41 -0800
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- -----------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2010-0002
Synopsis: VMware vCenter update release addresses multiple
security issues in Java JRE
Issue date: 2010-01-29
Updated on: 2010-01-29 (initial release of advisory)
CVE numbers: --- JRE ---
CVE-2009-1093 CVE-2009-1094 CVE-2009-1095
CVE-2009-1096 CVE-2009-1097 CVE-2009-1098
CVE-2009-1099 CVE-2009-1100 CVE-2009-1101
CVE-2009-1102 CVE-2009-1103 CVE-2009-1104
CVE-2009-1105 CVE-2009-1106 CVE-2009-1107
CVE-2009-2625 CVE-2009-2670 CVE-2009-2671
CVE-2009-2672 CVE-2009-2673 CVE-2009-2675
CVE-2009-2676 CVE-2009-2716 CVE-2009-2718
CVE-2009-2719 CVE-2009-2720 CVE-2009-2721
CVE-2009-2722 CVE-2009-2723 CVE-2009-2724
CVE-2009-3728 CVE-2009-3729 CVE-2009-3864
CVE-2009-3865 CVE-2009-3866 CVE-2009-3867
CVE-2009-3868 CVE-2009-3869 CVE-2009-3871
CVE-2009-3872 CVE-2009-3873 CVE-2009-3874
CVE-2009-3875 CVE-2009-3876 CVE-2009-3877
CVE-2009-3879 CVE-2009-3880 CVE-2009-3881
CVE-2009-3882 CVE-2009-3883 CVE-2009-3884
CVE-2009-3886 CVE-2009-3885
- -----------------------------------------------------------------------
1. Summary
Updated Java JRE packages address several security issues.
2. Relevant releases
Virtual Center 2.5 before Update 6
3. Problem Description
a. Java JRE Security Update
JRE update to version 1.5.0_22, which addresses multiple security
issues that existed in earlier releases of JRE.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the following names to the security issues fixed in
JRE 1.5.0_18: CVE-2009-1093, CVE-2009-1094, CVE-2009-1095,
CVE-2009-1096, CVE-2009-1097, CVE-2009-1098, CVE-2009-1099,
CVE-2009-1100, CVE-2009-1101, CVE-2009-1102, CVE-2009-1103,
CVE-2009-1104, CVE-2009-1105, CVE-2009-1106, and CVE-2009-1107.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the following names to the security issues fixed in
JRE 1.5.0_20: CVE-2009-2625, CVE-2009-2670, CVE-2009-2671,
CVE-2009-2672, CVE-2009-2673, CVE-2009-2675, CVE-2009-2676,
CVE-2009-2716, CVE-2009-2718, CVE-2009-2719, CVE-2009-2720,
CVE-2009-2721, CVE-2009-2722, CVE-2009-2723, CVE-2009-2724.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the following names to the security issues fixed in
JRE 1.5.0_22: CVE-2009-3728, CVE-2009-3729, CVE-2009-3864,
CVE-2009-3865, CVE-2009-3866, CVE-2009-3867, CVE-2009-3868,
CVE-2009-3869, CVE-2009-3871, CVE-2009-3872, CVE-2009-3873,
CVE-2009-3874, CVE-2009-3875, CVE-2009-3876, CVE-2009-3877,
CVE-2009-3879, CVE-2009-3880, CVE-2009-3881, CVE-2009-3882,
CVE-2009-3883, CVE-2009-3884, CVE-2009-3886, CVE-2009-3885.
The following table lists what action remediates the vulnerability
(column 4) if a solution is available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter 4.0 Windows affected, patch pending *
VirtualCenter 2.5 Windows Update 6
VirtualCenter 2.0.2 Windows affected, patch pending
Workstation any any not affected
Player any any not affected
Server 2.0 any not being fixed at this time
Server 1.0 any not affected
ACE any any not affected
Fusion any any not affected
ESXi any ESXi not affected
ESX 4.0 ESX affected, patch pending *
ESX 3.5 ESX affected, patch pending **
ESX 3.0.3 ESX affected, patch pending
ESX 2.5.5 ESX not affected
vMA 4.0 RHEL5 affected, patch pending
* The JRE version of vCenter 4.0 and ESX 4.0 will be updated in the
Update 2 release of vCenter 4.0 and ESX 4.0. See VMSA-2009-0016.1
for the update of JRE in vCenter 4.0 Update 1 and in ESX 4.0
Update 1.
** The JRE version of ESX 3.5 will be updated in an upcoming patch
release. See VMSA-2009-0014.2 for the update of JRE in ESX 3.5
Patch 18.
Notes: These vulnerabilities can be exploited remotely only if the
attacker has access to the Service Console network.
Security best practices provided by VMware recommend that the
Service Console be isolated from the VM network. Please see
http://www.vmware.com/resources/techresources/726 for more
information on VMware security best practices.
The currently installed version of JRE depends on your patch
deployment history.
4. Solution
Please review the patch/release notes for your product and version and verify the sha1sum or md5sum of your downloaded file. VMware Virtual Center 2.5 Update 6 ---------------------------------- Version 2.5 Update 6 Build Number 227637 Release Date 2010/01/29 Type Product Binaries http://downloads.vmware.com/download/download.do?downloadGroup=VC250U6 VirtualCenter DVD image - English only version File size: 854 MB File type: .iso md5sum: d83b09ac0533a418d5b7f5493dbd3ed3 sha1sum: 1b969b397a937402b5e9463efc767eff7a980ad0 VirtualCenter as a Zip file - English only version File size: 625 MB File type: .zip md5sum: 760f335ebcd363e0e159b20da923621f sha1sum: e400bc1008d1e4c44d204a8135293b8ae305f14eVMware vCenter Converter BootCD
VMware Converter Enterprise BootCD for VirtualCenter File size: 97 MB File type: .zip md5sum: e49e0ff0f2563196cc5d4b5c471cd666 VMware vCenter Converter CLI (Linux) VMware Converter Enterprise CLI for Linux platform File size: 37 MB File type: .tar.gz md5sum: 30d1f5e58a6cad8dacd988908305bc1c 5. References CVE numbers --- JRE --- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1093 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1094 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1095 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1096 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1097 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1098 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1099 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1100 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1101 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1102 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1103 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1104 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1105 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1106 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1107 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2625 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2670 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2671 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2672 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2673 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2675 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2676 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2716 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2718 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2719 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2720 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2721 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2722 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2723 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2724 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3728 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3729 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3864 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3865 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3866 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3867 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3868 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3869 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3871 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3872 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3873 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3874 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3875 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3876 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3877 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3879 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3880 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3881 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3882 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3883 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3884 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3886http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3885
- ------------------------------------------------------------------------ 6. Change log 2010-01-29 VMSA-2010-0002 Initial security advisory after release of Virtual Center 2.5 Update 6 on 2010-01-29 - ----------------------------------------------------------------------- 7. Contact E-mail list for product security notifications and announcements: http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce This Security Advisory is posted to the following lists: * security-announce at lists.vmware.com * bugtraq at securityfocus.com * full-disclosure at lists.grok.org.uk E-mail: security at vmware.com PGP key at: http://kb.vmware.com/kb/1055 VMware Security Center http://www.vmware.com/security VMware security response policy http://www.vmware.com/support/policies/security_response.html General support life cycle policy http://www.vmware.com/support/policies/eos.html VMware Infrastructure support life cycle policy http://www.vmware.com/support/policies/eos_vi.html Copyright 2010 VMware Inc. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.8.3 (Build 4028) Charset: utf-8 wj8DBQFLY9rGS2KysvBH1xkRArbSAJ9VArpROb/WYxDFHVWpxoZvX60t4wCfQVqo F4sDVTv0QCg807Ds70VV454= =OKeR -----END PGP SIGNATURE-----