Date: 31 May 2010
References: ESB-2010.0167 ASB-2009.1109 ASB-2009.1121.2 ASB-2010.0030 ESB-2010.0167
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2010.0485
Updated Java JRE packages address several security issues
31 May 2010
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Java JRE
Publisher: VMWare
Operating System: VMWare ESX Server
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Access Privileged Data -- Unknown/Unspecified
Create Arbitrary Files -- Remote/Unauthenticated
Denial of Service -- Remote/Unauthenticated
Read-only Data Access -- Remote/Unauthenticated
Provide Misleading Information -- Remote with User Interaction
Access Confidential Data -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2009-3886 CVE-2009-3885 CVE-2009-3884
CVE-2009-3883 CVE-2009-3882 CVE-2009-3881
CVE-2009-3880 CVE-2009-3879 CVE-2009-3877
CVE-2009-3876 CVE-2009-3875 CVE-2009-3874
CVE-2009-3873 CVE-2009-3872 CVE-2009-3871
CVE-2009-3869 CVE-2009-3868 CVE-2009-3867
CVE-2009-3866 CVE-2009-3865 CVE-2009-3864
CVE-2009-3729 CVE-2009-3728 CVE-2009-2724
CVE-2009-2723 CVE-2009-2722 CVE-2009-2721
CVE-2009-2720 CVE-2009-2719 CVE-2009-2718
CVE-2009-2716 CVE-2009-2676 CVE-2009-2675
CVE-2009-2673 CVE-2009-2672 CVE-2009-2671
CVE-2009-2670 CVE-2009-2625 CVE-2009-1107
CVE-2009-1106 CVE-2009-1105 CVE-2009-1104
CVE-2009-1103 CVE-2009-1102 CVE-2009-1101
CVE-2009-1100 CVE-2009-1099 CVE-2009-1098
CVE-2009-1097 CVE-2009-1096 CVE-2009-1095
CVE-2009-1094 CVE-2009-1093
Reference: ASB-2010.0030
ESB-2010.0167
ASB-2009.1109
ASB-2009.1121.2
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- - -----------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2010-0002.2
Synopsis: VMware vCenter update release addresses multiple
security issues in Java JRE
Issue date: 2010-01-29
Updated on: 2010-05-27
CVE numbers: --- JRE ---
CVE-2009-1093 CVE-2009-1094 CVE-2009-1095
CVE-2009-1096 CVE-2009-1097 CVE-2009-1098
CVE-2009-1099 CVE-2009-1100 CVE-2009-1101
CVE-2009-1102 CVE-2009-1103 CVE-2009-1104
CVE-2009-1105 CVE-2009-1106 CVE-2009-1107
CVE-2009-2625 CVE-2009-2670 CVE-2009-2671
CVE-2009-2672 CVE-2009-2673 CVE-2009-2675
CVE-2009-2676 CVE-2009-2716 CVE-2009-2718
CVE-2009-2719 CVE-2009-2720 CVE-2009-2721
CVE-2009-2722 CVE-2009-2723 CVE-2009-2724
CVE-2009-3728 CVE-2009-3729 CVE-2009-3864
CVE-2009-3865 CVE-2009-3866 CVE-2009-3867
CVE-2009-3868 CVE-2009-3869 CVE-2009-3871
CVE-2009-3872 CVE-2009-3873 CVE-2009-3874
CVE-2009-3875 CVE-2009-3876 CVE-2009-3877
CVE-2009-3879 CVE-2009-3880 CVE-2009-3881
CVE-2009-3882 CVE-2009-3883 CVE-2009-3884
CVE-2009-3886 CVE-2009-3885
- - -----------------------------------------------------------------------
1. Summary
Updated Java JRE packages address several security issues.
2. Relevant releases
Virtual Center 2.5 before Update 6
ESX 4.0 without patch ESX400-201005402-SG
ESX 3.5 without patch ESX350-201003403-SG
3. Problem Description
a. Java JRE Security Update
JRE update to version 1.5.0_22, which addresses multiple security
issues that existed in earlier releases of JRE.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the following names to the security issues fixed in
JRE 1.5.0_18: CVE-2009-1093, CVE-2009-1094, CVE-2009-1095,
CVE-2009-1096, CVE-2009-1097, CVE-2009-1098, CVE-2009-1099,
CVE-2009-1100, CVE-2009-1101, CVE-2009-1102, CVE-2009-1103,
CVE-2009-1104, CVE-2009-1105, CVE-2009-1106, and CVE-2009-1107.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the following names to the security issues fixed in
JRE 1.5.0_20: CVE-2009-2625, CVE-2009-2670, CVE-2009-2671,
CVE-2009-2672, CVE-2009-2673, CVE-2009-2675, CVE-2009-2676,
CVE-2009-2716, CVE-2009-2718, CVE-2009-2719, CVE-2009-2720,
CVE-2009-2721, CVE-2009-2722, CVE-2009-2723, CVE-2009-2724.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the following names to the security issues fixed in
JRE 1.5.0_22: CVE-2009-3728, CVE-2009-3729, CVE-2009-3864,
CVE-2009-3865, CVE-2009-3866, CVE-2009-3867, CVE-2009-3868,
CVE-2009-3869, CVE-2009-3871, CVE-2009-3872, CVE-2009-3873,
CVE-2009-3874, CVE-2009-3875, CVE-2009-3876, CVE-2009-3877,
CVE-2009-3879, CVE-2009-3880, CVE-2009-3881, CVE-2009-3882,
CVE-2009-3883, CVE-2009-3884, CVE-2009-3886, CVE-2009-3885.
The following table lists what action remediates the vulnerability
(column 4) if a solution is available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter 4.0 Windows affected, patch pending *
VirtualCenter 2.5 Windows Update 6
VirtualCenter 2.0.2 Windows affected, patch pending
Workstation any any not affected
Player any any not affected
Server 2.0 any not being fixed at this time
Server 1.0 any not affected
ACE any any not affected
Fusion any any not affected
ESXi any ESXi not affected
ESX 4.0 ESX ESX400-201005402-SG
ESX 3.5 ESX ESX350-201003403-SG
ESX 3.0.3 ESX affected, patch pending
ESX 2.5.5 ESX not affected
vMA 4.0 RHEL5 affected, patch pending
* The JRE version of vCenter 4.0 and ESX 4.0 will be updated in the
Update 2 release of vCenter 4.0 and ESX 4.0. See VMSA-2009-0016.1
for the update of JRE in vCenter 4.0 Update 1 and in ESX 4.0
Update 1.
Notes: These vulnerabilities can be exploited remotely only if the
attacker has access to the Service Console network.
Security best practices provided by VMware recommend that the
Service Console be isolated from the VM network. Please see
http://www.vmware.com/resources/techresources/726 for more
information on VMware security best practices.
The currently installed version of JRE depends on your patch
deployment history.
4. Solution
Please review the patch/release notes for your product and version
and verify the sha1sum or md5sum of your downloaded file.
VMware Virtual Center 2.5 Update 6
----------------------------------
Version 2.5 Update 6
Build Number 227637
Release Date 2010/01/29
Type Product Binaries
http://downloads.vmware.com/download/download.do?downloadGroup=VC250U6
VirtualCenter DVD image - English only version
File size: 854 MB
File type: .iso
md5sum: d83b09ac0533a418d5b7f5493dbd3ed3
sha1sum: 1b969b397a937402b5e9463efc767eff7a980ad0
VirtualCenter as a Zip file - English only version
File size: 625 MB
File type: .zip
md5sum: 760f335ebcd363e0e159b20da923621f
sha1sum: e400bc1008d1e4c44d204a8135293b8ae305f14e
VMware vCenter Converter BootCD
VMware Converter Enterprise BootCD for VirtualCenter
File size: 97 MB
File type: .zip
md5sum: e49e0ff0f2563196cc5d4b5c471cd666
VMware vCenter Converter CLI (Linux)
VMware Converter Enterprise CLI for Linux platform
File size: 37 MB
File type: .tar.gz
md5sum: 30d1f5e58a6cad8dacd988908305bc1c
ESX 4.0
-------
http://bit.ly/aqTCqn
md5sum: ace37cd8d7c6388edcea2798ba8be939
sha1sum: 8fe7312fe74a435e824d879d4f1ff33df25cee78
http://kb.vmware.com/kb/1013127
ESX 3.5
-------
ESX350-201003403-SG
http://download3.vmware.com/software/vi/ESX350-201003403-SG.zip
md5sum: cdddef476c06eeb28c10c5dac3730dca
http://kb.vmware.com/kb/1018702
5. References
CVE numbers
--- JRE ---
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1093
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1094
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1095
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1096
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1097
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1098
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1099
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1100
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1101
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1102
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1103
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1104
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1105
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1106
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1107
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2625
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2670
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2671
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2672
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2673
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2675
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2676
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2716
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2718
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2719
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2720
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2721
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2722
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2723
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2724
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3728
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3729
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3864
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3865
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3866
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3867
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3868
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3869
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3871
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3872
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3873
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3874
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3875
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3876
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3877
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3879
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3880
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3881
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3882
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3883
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3884
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3886
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3885
- - ------------------------------------------------------------------------
6. Change log
2010-01-29 VMSA-2010-0002
Initial security advisory after release of Virtual Center 2.5 Update 6
on 2010-01-29
2010-03-29 VMSA-2010-0002.1
Updated security advisory after release of ESX 3.5 patch for WebAccess.
2010-05-27 VMSA-2010-0002.1
Updated after release of patches for ESX 4.0 on 2010-05-27.
- - -----------------------------------------------------------------------
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
* security-announce at lists.vmware.com
* bugtraq at securityfocus.com
* full-disclosure at lists.grok.org.uk
E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055
VMware Security Center
http://www.vmware.com/security
VMware security response policy
http://www.vmware.com/support/policies/security_response.html
General support life cycle policy
http://www.vmware.com/support/policies/eos.html
VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html
Copyright 2010 VMware Inc. All rights reserved.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
iEYEARECAAYFAkv/X9sACgkQS2KysvBH1xkAjwCdHU4Sku/tNnD1GEHyOXV/USSE
Ko8AnjZDOFKwiaTRbUECiOG29oSgYBEi
=x9au
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iD8DBQFMAv4f/iFOrG6YcBERAs61AJ994TR28w9BIJwabS1CGcgW7yiDMwCeMRb7
BczeXRvtDkA3e9YOEV0jilc=
=yelo
-----END PGP SIGNATURE-----
|