-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID:       VMSA-2008-0002
Synopsis:          Low severity security update for VirtualCenter and
                   ESX Server 3.0.2, and ESX 3.0.1
Issue date:        2008-01-07
Updated on:        2008-01-07
CVE numbers:       CVE-2005-2090 CVE-2006-7195 CVE-2007-0450
                   CVE-2007-3004
- -------------------------------------------------------------------

1. Summary:

   Updated Tomcat and Java JRE packages for VirtualCenter 2.0.2,
   ESX Server 3.0.2, and ESX 3.0.1.

2. Relevant releases:

   VirtualCenter Management Server 2
   ESX Server 3.0.2 without patch ESX-1002434
   ESX Server 3.0.1 without patch ESX-1003176

3. Problem description:

   Updated VirtualCenter fixes the following application vulnerabilities

   Tomcat Server Security Update

   This release of VirtualCenter Server updates the Tomcat Server package
   from 5.5.17 to 5.5.25, which addresses multiple security issues that
   existed in the earlier releases of Tomcat Server.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the names CVE-2005-2090, CVE-2006-7195, and CVE-2007-0450 to
   these issues.

   JRE Security Update

   This release of VirtualCenter Server updates the JRE package from
   1.5.0_7 to 1.5.0_12, which addresses a security issue that existed in
   the earlier release of JRE.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the name CVE-2007-3004 to this issue.

   NOTE: These vulnerabilities can be exploited remotely only if the
   attacker has access to the service console network.

   Security best practices provided by VMware recommend that the service
   console be isolated from the VM network. Please see
   http://www.vmware.com/resources/techresources/726 for more information
   on VMware security best practices.

4. Solution:

   Please review the Patch notes for your product and version and verify
   the md5sum of your downloaded file.

   VMware VirtualCenter 2.0.2 Update 2 Release Notes
   http://www.vmware.com/support/vi3/doc/releasenotes_vc202u2.html
   VirtualCenter CD image
   md5sum d7d98a5d7f8afff32cee848f860d3ba7
   VirtualCenter as Zip
   md5sum 3b42ec350121659e10352ca2d76e212b

   ESX Server 3.0.2
   http://kb.vmware.com/kb/1002434
   md5sum: 2f52251f6ace3d50934344ef313539d5

   ESX Server 3.0.1
   http://kb.vmware.com/kb/1003176
   md5sum: 5674ca0dcfac90726014cc316444996e

5. References:

   CVE numbers
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2090
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7195
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0450
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3004

- -------------------------------------------------------------------

6. Contact:

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

     * security-announce@lists.vmware.com
     * bugtraq@securityfocus.com
     * full-disclosure@lists.grok.org.uk

   E-mail:  security@vmware.com

   Security web site
   http://www.vmware.com/security

   VMware security response policy
   http://www.vmware.com/support/policies/security_response.html

   General support life cycle policy
   http://www.vmware.com/support/policies/eos.html

   VMware Infrastructure support life cycle policy
   http://www.vmware.com/support/policies/eos_vi.html

   Copyright 2008 VMware Inc.  All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFHgthVS2KysvBH1xkRCPmqAJ0Vinlb3RZQH9syPorjnNJYkB+V/gCeN8pQ
3AnswXxHMvJR9mEM/eIymPM=
=CXyQ
-----END PGP SIGNATURE-----
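The two operator checks the advisory implies, deciding from section 3 whether an installed Tomcat or JRE build is older than the fixed version and carrying out the md5sum verification section 4 asks for, as an added example that is not part of the signed advisory or of any VMware tool. It is a POSIX shell script that assumes GNU md5sum and a POSIX awk on the host; the inventory it checks is constructed sample data, and the advisory gives no path for reading the installed versions on a host, so that is left to the operator.

```shell
#!/bin/sh
# Added example, not VMware's code.  Pre- and post-patch checks for the
# components named in VMSA-2008-0002.  Assumes GNU md5sum and POSIX awk.

# Fixed component versions named in section 3 of the advisory.
TOMCAT_FIXED=5.5.25
JRE_FIXED=1.5.0_12

# Compare two version strings field by field as integers, splitting on
# '.' and '_'.  Returns 0 (true) when $1 is strictly older than $2.
# A plain string comparison gets the JRE case wrong: "1.5.0_7" sorts
# after "1.5.0_12" as text, yet it is the older, unpatched build.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "[._]"); m = split(b, y, "[._]")
        len = (n > m) ? n : m
        for (i = 1; i <= len; i++) {
            ai = (i <= n) ? x[i] + 0 : 0     # missing fields count as 0
            bi = (i <= m) ? y[i] + 0 : 0
            if (ai < bi) exit 0
            if (ai > bi) exit 1
        }
        exit 1                               # equal: not older
    }'
}

# Print one verdict line for a component: name, installed, fixed version.
check_component() {
    name=$1; installed=$2; fixed=$3
    if version_lt "$installed" "$fixed"; then
        echo "VULNERABLE $name $installed (fixed in $fixed)"
    else
        echo "OK $name $installed"
    fi
}

# Verify a downloaded patch archive against the md5sum printed in the
# advisory.  Returns 0 on match, 1 on mismatch or unreadable file.
# The digest catches a truncated or corrupted download; it is not a
# defence against deliberate substitution of the file, so the operator
# should also verify the PGP signature on the advisory text itself
# (gpg --verify) before trusting the published sums.
verify_md5() {
    file=$1; expected=$2
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    actual=$(md5sum "$file" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo "md5 OK $file"
        return 0
    fi
    echo "md5 MISMATCH $file: got $actual, expected $expected" >&2
    return 1
}

# Constructed sample inventory (hypothetical hosts), one "name version"
# per line, mixing unpatched and patched builds.
SAMPLE_INVENTORY='tomcat 5.5.17
jre 1.5.0_7
tomcat 5.5.25
jre 1.5.0_12'

# Print a verdict line for every inventory entry.
report_inventory() {
    printf '%s\n' "$1" | while read -r name version; do
        case $name in
            tomcat) check_component tomcat "$version" "$TOMCAT_FIXED" ;;
            jre)    check_component jre "$version" "$JRE_FIXED" ;;
            *)      echo "UNKNOWN $name $version" ;;
        esac
    done
}

# Print the number of VULNERABLE entries (always prints a number, even 0).
count_vulnerable() {
    report_inventory "$1" | awk '/^VULNERABLE/ { n++ } END { print n + 0 }'
}

# Running the constructed inventory through the check prints two
# VULNERABLE lines and two OK lines.  On a real host, replace the
# inventory with the versions read from the installed packages, and run
# verify_md5 <downloaded-file> <sum-from-section-4> before applying.
report_inventory "$SAMPLE_INVENTORY"
```

Two points the script makes that the advisory leaves implicit: the comparison has to be numeric per field, since a lexicographic check would call 1.5.0_7 newer than 1.5.0_12, and the md5sum in section 4 only establishes that the download matches what VMware published, not that the published value is authentic; the latter rests on the PGP signature around the advisory.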