[Security-announce] VMSA-2010-0002 VMware vCenter update release addresses multiple security issues in Java JR
VMware recently sent out the following vCenter security announcement:
1. Summary
Updated Java JRE packages address several security issues.
2. Relevant releases
Virtual Center 2.5 before Update 6
3. Problem Description
a. Java JRE Security Update
JRE update to version 1.5.0_22, which addresses multiple security
issues that existed in earlier releases of JRE.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the following names to the security issues fixed in
JRE 1.5.0_18: CVE-2009-1093, CVE-2009-1094, CVE-2009-1095,
CVE-2009-1096, CVE-2009-1097, CVE-2009-1098, CVE-2009-1099,
CVE-2009-1100, CVE-2009-1101, CVE-2009-1102, CVE-2009-1103,
CVE-2009-1104, CVE-2009-1105, CVE-2009-1106, and CVE-2009-1107.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the following names to the security issues fixed in
JRE 1.5.0_20: CVE-2009-2625, CVE-2009-2670, CVE-2009-2671,
CVE-2009-2672, CVE-2009-2673, CVE-2009-2675, CVE-2009-2676,
CVE-2009-2716, CVE-2009-2718, CVE-2009-2719, CVE-2009-2720,
CVE-2009-2721, CVE-2009-2722, CVE-2009-2723, CVE-2009-2724.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the following names to the security issues fixed in
JRE 1.5.0_22: CVE-2009-3728, CVE-2009-3729, CVE-2009-3864,
CVE-2009-3865, CVE-2009-3866, CVE-2009-3867, CVE-2009-3868,
CVE-2009-3869, CVE-2009-3871, CVE-2009-3872, CVE-2009-3873,
CVE-2009-3874, CVE-2009-3875, CVE-2009-3876, CVE-2009-3877,
CVE-2009-3879, CVE-2009-3880, CVE-2009-3881, CVE-2009-3882,
CVE-2009-3883, CVE-2009-3884, CVE-2009-3886, CVE-2009-3885.
The following table lists what action remediates the vulnerability
(column 4) if a solution is available.
VMware         Product   Running   Replace with/
Product        Version   on        Apply Patch
=============  ========  =======   =================
vCenter        4.0       Windows   affected, patch pending *
VirtualCenter  2.5       Windows   Update 6
VirtualCenter  2.0.2     Windows   affected, patch pending
Workstation    any       any       not affected
Player         any       any       not affected
Server         2.0       any       not being fixed at this time
Server         1.0       any       not affected
ACE            any       any       not affected
Fusion         any       any       not affected
ESXi           any       ESXi      not affected
ESX            4.0       ESX       affected, patch pending *
ESX            3.5       ESX       affected, patch pending **
ESX            3.0.3     ESX       affected, patch pending
ESX            2.5.5     ESX       not affected
vMA            4.0       RHEL5     affected, patch pending
* The JRE version of vCenter 4.0 and ESX 4.0 will be updated in the
Update 2 release of vCenter 4.0 and ESX 4.0. See VMSA-2009-0016.1
for the update of JRE in vCenter 4.0 Update 1 and in ESX 4.0
Update 1.
** The JRE version of ESX 3.5 will be updated in an upcoming patch
release. See VMSA-2009-0014.2 for the update of JRE in ESX 3.5
Patch 18.
Notes: These vulnerabilities can be exploited remotely only if the
attacker has access to the Service Console network.
Security best practices provided by VMware recommend that the
Service Console be isolated from the VM network. Please see
http://www.vmware.com/resources/techresources/726 for more
information on VMware security best practices.
The currently installed version of JRE depends on your patch
deployment history.
4. Solution
Please review the patch/release notes for your product and version
and verify the sha1sum or md5sum of your downloaded file.
VMware Virtual Center 2.5 Update 6
----------------------------------
Version 2.5 Update 6
Build Number 227637
Release Date 2010/01/29
Type Product Binaries
http://downloads.vmware.com/download/download.do?downloadGroup=VC250U6
VirtualCenter DVD image – English only version
File size: 854 MB
File type: .iso
md5sum: d83b09ac0533a418d5b7f5493dbd3ed3
sha1sum: 1b969b397a937402b5e9463efc767eff7a980ad0
VirtualCenter as a Zip file – English only version
File size: 625 MB
File type: .zip
md5sum: 760f335ebcd363e0e159b20da923621f
sha1sum: e400bc1008d1e4c44d204a8135293b8ae305f14e
VMware vCenter Converter BootCD
VMware Converter Enterprise BootCD for VirtualCenter
File size: 97 MB
File type: .zip
md5sum: e49e0ff0f2563196cc5d4b5c471cd666
VMware vCenter Converter CLI (Linux)
VMware Converter Enterprise CLI for Linux platform
File size: 37 MB
File type: .tar.gz
md5sum: 30d1f5e58a6cad8dacd988908305bc1c
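The checksum verification that section 4 asks for, as an added example (not part of VMware's advisory): a Python script that parses listing stanzas in the format shown above and hashes a downloaded file once, requiring every digest published for it to match. `SAMPLE_LISTING` and the file it describes are constructed test data, and the function names are this example's own.

```python
import hashlib
import hmac
import re

# Digest lines as the advisory prints them: "md5sum: <hex>" / "sha1sum: <hex>".
DIGEST_LINE = re.compile(r"^(md5|sha1)sum:\s*([0-9a-fA-F]+)\s*$")
HEX_LEN = {"md5": 32, "sha1": 40}

# Constructed sample stanza (not from the advisory): digests of the bytes b"abc".
SAMPLE_LISTING = """\
Example image (constructed)
File size: 3 bytes
File type: .bin
md5sum: 900150983cd24fb0d6963f7d28e17f72
sha1sum: a9993e364706816aba3e25717850c26c9cd0d89d
"""

def parse_stanzas(text):
    """Map each stanza title (last descriptive line before its digests) to its digests."""
    stanzas, title = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = DIGEST_LINE.match(line)
        if m:
            algo, value = m.group(1), m.group(2).lower()
            if title is None or len(value) != HEX_LEN[algo]:
                raise ValueError(f"malformed digest line: {line!r}")
            stanzas.setdefault(title, {})[algo] = value
        elif line and not line.startswith(("File size:", "File type:")):
            title = line
    return stanzas

def verify_file(path, expected):
    """Hash the file once; True only if every published digest matches."""
    if not expected:
        raise ValueError("no published digest to compare against")
    hashers = {algo: hashlib.new(algo) for algo in expected}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):  # stream: images are ~850 MB
            for h in hashers.values():
                h.update(chunk)
    return all(hmac.compare_digest(hashers[a].hexdigest(), expected[a]) for a in expected)

if __name__ == "__main__":
    import os, tempfile
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"abc")  # constructed file matching SAMPLE_LISTING
    print(verify_file(tmp.name, parse_stanzas(SAMPLE_LISTING)["Example image (constructed)"]))
    os.unlink(tmp.name)
```

Take the listing from a trusted copy of the advisory, since digests obtained from the same place as a tampered download prove nothing.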






