-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2009-0002
Synopsis: VirtualCenter Update 4 updates Tomcat to 5.5.27
Issue date: 2009-02-23
Updated on: 2009-02-23 (initial release of advisory)
CVE numbers: CVE-2008-1232 CVE-2008-1947 CVE-2008-2370
- ------------------------------------------------------------------------
1. Summary
Updated VMware VirtualCenter Update 4 updates Tomcat packages.
2. Relevant releases
VirtualCenter 2.5 before Update 4
3. Problem Description
a. Update for VirtualCenter updates Apache Tomcat version to 5.5.27
Update for VirtualCenter updates the Tomcat package to version 5.5.27
which addresses multiple security issues that existed in the previous
version of Apache Tomcat.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2008-1232, CVE-2008-1947 and
CVE-2008-2370 to these issues.
The following table lists what action remediates the vulnerability
(column 4) if a solution is available.
VMware Product Running Replace with/
Product Version on Apply Patch
======== ======== ======= =======================
Virtual- 2.5 Windows VirtualCenter 2.5 Update 4
Center
Virtual- 2.0.2 Windows affected, patch pending
Center
Workstation any any not affected
Player any any not affected
ACE any Windows not affected
Server 2.x any affected, patch pending
Server 1.x any not affected
Fusion any Mac OS/X not affected
ESXi 3.5 ESXi not affected
ESX 3.5 ESX affected, patch pending
ESX 3.0.3 ESX affected, patch pending
ESX 3.0.2 ESX affected, patch pending
ESX 2.5.5 ESX not affected
Notes: This vulnerability can be exploited remotely only if the
attacker has access to the Service Console network.
Security best practices provided by VMware recommend that the
Service Console be isolated from the VM network. Please see
http://www.vmware.com/resources/techresources/726 for more
information on VMware security best practices.
The currently installed version of Tomcat depends on your patch
deployment history.
4. Solution
Please review the patch/release notes for your product and version
and verify the md5sum of your downloaded file.
VirtualCenter
-------------
VMware VirtualCenter 2.5 Update 4
http://www.vmware.com/download/download.do?downloadGroup=VC250U4
DVD iso image
md5sum: 4304334ed7662b6a43646e6dde0956d2
Zip file
md5sum: 1306cb9b25e28a06bab84257d7cbf38f
Release Notes
http://www.vmware.com/support/vi3/doc/vi3_vc25u4_rel_notes.html
5. References
Tomcat release notes
tomcat.apache.org/security-5.html
CVE numbers
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1232
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1947
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2370
- - ------------------------------------------------------------------------
6. Change log
2009-02-23 VMSA-2009-0002
Initial security advisory after release of VirtualCenter 2.5 Update 4
on 2009-02-23.
- -----------------------------------------------------------------------
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
* security-announce at lists.vmware.com
* bugtraq at securityfocus.com
* full-disclosure at lists.grok.org.uk
E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055
VMware Security Center
http://www.vmware.com/security
VMware security response policy
http://www.vmware.com/support/policies/security_response.html
General support life cycle policy
http://www.vmware.com/support/policies/eos.html
VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html
Copyright 2009 VMware Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)
iD8DBQFJo4tAS2KysvBH1xkRAqVUAJ9OK6/HHBZPRqCc1hKFiMoIEsHh/ACfZo7+
bgDi9c9ojpAO9YEWVSSBxvw=
=+Eua
-----END PGP SIGNATURE-----
