-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ----------------------------------------------------------------------- VMware Security Advisory Advisory ID: VMSA-2012-0003 Synopsis: VMware VirtualCenter Update and ESX 3.5 patch update JRE Issue date: 2012-03-08 Updated on: 2012-03-08 (initial advisory) CVE numbers: See references ----------------------------------------------------------------------- 1. Summary VMware VirtualCenter Update 6b and ESX 3.5 patch update JRE. 2. Relevant releases VirtualCenter 2.5 previous to Update 6b ESX 3.5 without patch ESX350-201203401-SG 3. Problem Description a. VirtualCenter and ESX, Oracle (Sun) JRE update 1.5.0_32 Oracle (Sun) JRE is updated to version 1.5.0_32, which addresses multiple security issues that existed in earlier releases of Oracle (Sun) JRE. Oracle has documented the CVE identifiers that are addressed in JRE 1.5.0_32 in the Oracle Java SE Critical Patch Update Advisory of October 2011. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= vCenter 5.0 Windows not applicable ** vCenter 4.1 Windows not applicable ** vCenter 4.0 Windows patch pending VirtualCenter 2.5 Windows VirtualCenter 2.5 Update 6b hosted * any any not affected ESXi any ESXi not affected ESX 4.1 ESX not applicable ** ESX 4.0 ESX patch pending ESX 3.5 ESX ESX350-201203401-SG * hosted products are VMware Workstation, Player, ACE, Fusion. ** this product uses the Oracle (Sun) JRE 1.6.0 family 4. Solution VMware Virtual Center 2.5 Update 6b ----------------------------------- Version 2.5 Update 6b Build Number 598800 Release Date 2012/03/08 Type Product Binaries http://www.vmware.com/download/download.do?downloadGroup=VC250U6B vCenter Server DVD image - English only version File type: iso MD5SUM: 085f7bddd2adf2c4ba5bd066271e2b06 SHA1SUM: 019ff0a67d150d0a3dbdac53bfde0b0eb69f9bfd vCenter Server as a Zip file - English only version File type: zip MD5SUM: ee15ae73a66dd9dbc27fada476656aeb SHA1SUM: a5c25d114d42f1aae11d7c741587cf57caff72a3 VMware vCenter Converter BootCD for vCenter Server File type: .zip Version: 4.0.3 MD5SUM: e49e0ff0f2563196cc5d4b5c471cd666 VMware vCenter Converter CLI for Linux platform File type: .tar.gz Version: 4.0.3 MD5SUM: 30d1f5e58a6cad8dacd988908305bc1c ESX 3.5 ------- ESX350-201203401-SG http://downloads.vmware.com/go/selfsupport-download md5sum: 07743c471ce46de825c36c2277ccd500 sha1sum: cb77e6f820e1015311bf2386b240fd84f0ad04dd http://kb.vmware.com/kb/2009155 5. References Oracle Java SE Critical Patch Update Advisory of October 2011 http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.htm l ----------------------------------------------------------------------- 6. Change log 2012-03-08 VMSA-2012-0003 Initial security advisory in conjunction with the release of VirtualCenter Update 6b and patches for ESX 3.5 and ESXi 3.5 on 2012-03-08. ----------------------------------------------------------------------- 7. Contact E-mail list for product security notifications and announcements: http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce This Security Advisory is posted to the following lists: * security-announce at lists.vmware.com * bugtraq at securityfocus.com * full-disclosure at lists.grok.org.uk E-mail: security at vmware.com PGP key at: http://kb.vmware.com/kb/1055 VMware Security Advisories http://www.vmware.com/security/advisories VMware security response policy http://www.vmware.com/support/policies/security_response.html General support life cycle policy http://www.vmware.com/support/policies/eos.html VMware Infrastructure support life cycle policy http://www.vmware.com/support/policies/eos_vi.html Copyright 2012 VMware Inc. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.8.3 (Build 4028) Charset: utf-8 wj8DBQFPWaMMDEcm8Vbi9kMRAtEjAKCEIjr/8dy4abVO2magvY7W6QbgewCgozns iu22JTXmAi9YTK8/LL/gmIM= =A49E -----END PGP SIGNATURE-----