Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2010.0092.2 VMware vCenter update release addresses multiple security issues in Java JRE 14 June 2010 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: vCenter 4.0 VirtualCenter 2.5 VirtualCenter 2.0.2 ESX 4.0 ESX 3.5 ESX 3.0.3 Publisher: VMWare Operating System: Windows VMWare ESX Server Linux variants Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated Increased Privileges -- Remote with User Interaction Access Privileged Data -- Remote/Unauthenticated Modify Arbitrary Files -- Remote/Unauthenticated Denial of Service -- Remote/Unauthenticated Cross-site Scripting -- Remote with User Interaction Provide Misleading Information -- Remote/Unauthenticated Access Confidential Data -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2009-3886 CVE-2009-3885 CVE-2009-3884 CVE-2009-3883 CVE-2009-3882 CVE-2009-3881 CVE-2009-3880 CVE-2009-3879 CVE-2009-3877 CVE-2009-3876 CVE-2009-3875 CVE-2009-3874 CVE-2009-3873 CVE-2009-3872 CVE-2009-3871 CVE-2009-3869 CVE-2009-3868 CVE-2009-3867 CVE-2009-3866 CVE-2009-3865 CVE-2009-3864 CVE-2009-3729 CVE-2009-3728 CVE-2009-2724 CVE-2009-2723 CVE-2009-2722 CVE-2009-2721 CVE-2009-2720 CVE-2009-2719 CVE-2009-2718 CVE-2009-2716 CVE-2009-2676 CVE-2009-2675 CVE-2009-2673 CVE-2009-2672 CVE-2009-2671 CVE-2009-2670 CVE-2009-2625 CVE-2009-1107 CVE-2009-1106 CVE-2009-1105 CVE-2009-1104 CVE-2009-1103 CVE-2009-1102 CVE-2009-1101 CVE-2009-1100 CVE-2009-1099 CVE-2009-1098 CVE-2009-1097 CVE-2009-1096 CVE-2009-1095 CVE-2009-1094 CVE-2009-1093 Reference: ASB-2009.1121.2 ESB-2009.1553.2 Revision History: June 14 2010: VMWare updated advisory for release of vCenter Server 4.0 Update 2 February 1 2010: Initial Release - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - - ----------------------------------------------------------------------- VMware Security Advisory Advisory ID: VMSA-2010-0002.3 Synopsis: VMware vCenter update release addresses multiple security issues in Java JRE Issue date: 2010-01-29 Updated on: 2010-06-11 CVE numbers: --- JRE --- CVE-2009-1093 CVE-2009-1094 CVE-2009-1095 CVE-2009-1096 CVE-2009-1097 CVE-2009-1098 CVE-2009-1099 CVE-2009-1100 CVE-2009-1101 CVE-2009-1102 CVE-2009-1103 CVE-2009-1104 CVE-2009-1105 CVE-2009-1106 CVE-2009-1107 CVE-2009-2625 CVE-2009-2670 CVE-2009-2671 CVE-2009-2672 CVE-2009-2673 CVE-2009-2675 CVE-2009-2676 CVE-2009-2716 CVE-2009-2718 CVE-2009-2719 CVE-2009-2720 CVE-2009-2721 CVE-2009-2722 CVE-2009-2723 CVE-2009-2724 CVE-2009-3728 CVE-2009-3729 CVE-2009-3864 CVE-2009-3865 CVE-2009-3866 CVE-2009-3867 CVE-2009-3868 CVE-2009-3869 CVE-2009-3871 CVE-2009-3872 CVE-2009-3873 CVE-2009-3874 CVE-2009-3875 CVE-2009-3876 CVE-2009-3877 CVE-2009-3879 CVE-2009-3880 CVE-2009-3881 CVE-2009-3882 CVE-2009-3883 CVE-2009-3884 CVE-2009-3886 CVE-2009-3885 - - ----------------------------------------------------------------------- 1. Summary Updated Java JRE packages address several security issues. 2. Relevant releases Virtual Center 2.5 before Update 6 ESX 4.0 without patch ESX400-201005402-SG ESX 3.5 without patch ESX350-201003403-SG 3. Problem Description a. Java JRE Security Update JRE update to version 1.5.0_22, which addresses multiple security issues that existed in earlier releases of JRE. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in JRE 1.5.0_18: CVE-2009-1093, CVE-2009-1094, CVE-2009-1095, CVE-2009-1096, CVE-2009-1097, CVE-2009-1098, CVE-2009-1099, CVE-2009-1100, CVE-2009-1101, CVE-2009-1102, CVE-2009-1103, CVE-2009-1104, CVE-2009-1105, CVE-2009-1106, and CVE-2009-1107. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in JRE 1.5.0_20: CVE-2009-2625, CVE-2009-2670, CVE-2009-2671, CVE-2009-2672, CVE-2009-2673, CVE-2009-2675, CVE-2009-2676, CVE-2009-2716, CVE-2009-2718, CVE-2009-2719, CVE-2009-2720, CVE-2009-2721, CVE-2009-2722, CVE-2009-2723, CVE-2009-2724. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in JRE 1.5.0_22: CVE-2009-3728, CVE-2009-3729, CVE-2009-3864, CVE-2009-3865, CVE-2009-3866, CVE-2009-3867, CVE-2009-3868, CVE-2009-3869, CVE-2009-3871, CVE-2009-3872, CVE-2009-3873, CVE-2009-3874, CVE-2009-3875, CVE-2009-3876, CVE-2009-3877, CVE-2009-3879, CVE-2009-3880, CVE-2009-3881, CVE-2009-3882, CVE-2009-3883, CVE-2009-3884, CVE-2009-3886, CVE-2009-3885. The following table lists what action remediates the vulnerability (column 4) if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= vCenter 4.0 Windows Update 2 VirtualCenter 2.5 Windows Update 6 VirtualCenter 2.0.2 Windows affected, patch pending Workstation any any not affected Player any any not affected Server 2.0 any not being fixed at this time Server 1.0 any not affected ACE any any not affected Fusion any any not affected ESXi any ESXi not affected ESX 4.0 ESX ESX400-201005402-SG ESX 3.5 ESX ESX350-201003403-SG ESX 3.0.3 ESX affected, patch pending ESX 2.5.5 ESX not affected vMA 4.0 RHEL5 affected, patch pending Notes: These vulnerabilities can be exploited remotely only if the attacker has access to the Service Console network. Security best practices provided by VMware recommend that the Service Console be isolated from the VM network. Please see http://www.vmware.com/resources/techresources/726 for more information on VMware security best practices. The currently installed version of JRE depends on your patch deployment history. 4. Solution Please review the patch/release notes for your product and version and verify the sha1sum or md5sum of your downloaded file. VMware vCenter Server 4 Update 2 -------------------------------- Version 4.0 Update 2 Build Number 264050 Release Date 2010/06/10 http://www.vmware.com/download/download.do?downloadGroup=VC40U2 VMware Virtual Center 2.5 Update 6 ---------------------------------- Version 2.5 Update 6 Build Number 227637 Release Date 2010/01/29 Type Product Binaries http://downloads.vmware.com/download/download.do?downloadGroup=VC250U6 VirtualCenter DVD image - English only version File size: 854 MB File type: .iso md5sum: d83b09ac0533a418d5b7f5493dbd3ed3 sha1sum: 1b969b397a937402b5e9463efc767eff7a980ad0 VirtualCenter as a Zip file - English only version File size: 625 MB File type: .zip md5sum: 760f335ebcd363e0e159b20da923621f sha1sum: e400bc1008d1e4c44d204a8135293b8ae305f14e VMware vCenter Converter BootCD VMware Converter Enterprise BootCD for VirtualCenter File size: 97 MB File type: .zip md5sum: e49e0ff0f2563196cc5d4b5c471cd666 VMware vCenter Converter CLI (Linux) VMware Converter Enterprise CLI for Linux platform File size: 37 MB File type: .tar.gz md5sum: 30d1f5e58a6cad8dacd988908305bc1c ESX 4.0 ------- http://bit.ly/aqTCqn md5sum: ace37cd8d7c6388edcea2798ba8be939 sha1sum: 8fe7312fe74a435e824d879d4f1ff33df25cee78 http://kb.vmware.com/kb/1013127 ESX 3.5 ------- ESX350-201003403-SG http://download3.vmware.com/software/vi/ESX350-201003403-SG.zip md5sum: cdddef476c06eeb28c10c5dac3730dca http://kb.vmware.com/kb/1018702 5. References CVE numbers --- JRE --- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1093 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1094 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1095 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1096 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1097 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1098 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1099 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1100 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1101 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1102 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1103 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1104 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1105 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1106 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1107 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2625 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2670 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2671 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2672 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2673 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2675 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2676 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2716 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2718 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2719 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2720 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2721 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2722 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2723 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2724 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3728 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3729 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3864 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3865 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3866 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3867 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3868 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3869 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3871 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3872 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3873 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3874 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3875 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3876 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3877 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3879 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3880 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3881 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3882 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3883 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3884 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3886 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3885 - - ------------------------------------------------------------------------ 6. Change log 2010-01-29 VMSA-2010-0002 Initial security advisory after release of Virtual Center 2.5 Update 6 on 2010-01-29 2010-03-29 VMSA-2010-0002.1 Updated security advisory after release of ESX 3.5 patch for WebAccess. 2010-05-27 VMSA-2010-0002.2 Updated after release of patches for ESX 4.0 on 2010-05-27. 2010-06-11 VMSA-2010-0002.3 Updated after release of vCenter Server 4.0 Update 2 on 2010-06-10. - - ----------------------------------------------------------------------- 7. Contact E-mail list for product security notifications and announcements: http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce This Security Advisory is posted to the following lists: * security-announce at lists.vmware.com * bugtraq at securityfocus.com * full-disclosure at lists.grok.org.uk E-mail: security at vmware.com PGP key at: http://kb.vmware.com/kb/1055 VMware Security Center http://www.vmware.com/security VMware security response policy http://www.vmware.com/support/policies/security_response.html General support life cycle policy http://www.vmware.com/support/policies/eos.html VMware Infrastructure support life cycle policy http://www.vmware.com/support/policies/eos_vi.html Copyright 2010 VMware Inc. All rights reserved. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (MingW32) iEYEARECAAYFAkwShUgACgkQS2KysvBH1xmMOACeP4b82sguZqRRw8Mx6NWpxFcm yQIAoIACfqTpHglGLRV/kOIwofCxx+Rv =N9cw - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://www.auscert.org.au/1967 iD8DBQFMFZAt/iFOrG6YcBERAkyaAJ43KzWBUWNm5paci98OuGrnJqB8WwCfYkpW meyJNYJtu7e3u/AVbHZoNTQ= =9Bo7 -----END PGP SIGNATURE-----