VMware Security Advisory: VMSA-2010-0002.2

Two of Three.

Synopsis: VMware vCenter update release addresses multiple security issues in Java JRE

Issue date: 2010-01-29

Updated on: 2010-05-27

CVE numbers: — JRE —

CVE-2009-1093 CVE-2009-1094 CVE-2009-1095 CVE-2009-1096 CVE-2009-1097 CVE-2009-1098 CVE-2009-1099 CVE-2009-1100 CVE-2009-1101 CVE-2009-1102 CVE-2009-1103 CVE-2009-1104 CVE-2009-1105 CVE-2009-1106 CVE-2009-1107 CVE-2009-2625 CVE-2009-2670 CVE-2009-2671 CVE-2009-2672 CVE-2009-2673 CVE-2009-2675 CVE-2009-2676 CVE-2009-2716 CVE-2009-2718 CVE-2009-2719 CVE-2009-2720 CVE-2009-2721 CVE-2009-2722 CVE-2009-2723 CVE-2009-2724 CVE-2009-3728 CVE-2009-3729 CVE-2009-3864 CVE-2009-3865 CVE-2009-3866 CVE-2009-3867 CVE-2009-3868 CVE-2009-3869 CVE-2009-3871 CVE-2009-3872 CVE-2009-3873 CVE-2009-3874 CVE-2009-3875 CVE-2009-3876 CVE-2009-3877 CVE-2009-3879 CVE-2009-3880 CVE-2009-3881 CVE-2009-3882 CVE-2009-3883 CVE-2009-3884 CVE-2009-3886 CVE-2009-3885

1. Summary

Updated Java JRE packages address several security issues.

2. Relevant releases

Virtual Center 2.5 before Update 6
ESX 4.0 without patch ESX400-201005402-SG
ESX 3.5 without patch ESX350-201003403-SG

3. Problem Description

a. Java JRE Security Update

JRE update to version 1.5.0_22, which addresses multiple security issues that existed in earlier releases of JRE.

The Common Vulnerabilities and Exposures project has assigned the following names to the security issues fixed in JRE 1.5.0_18:

CVE-2009-1093, CVE-2009-1094, CVE-2009-1095, CVE-2009-1096, CVE-2009-1097, CVE-2009-1098, CVE-2009-1099, CVE-2009-1100, CVE-2009-1101, CVE-2009-1102, CVE-2009-1103, CVE-2009-1104, CVE-2009-1105, CVE-2009-1106, and CVE-2009-1107.

The Common Vulnerabilities and Exposures project has assigned the following names to the security issues fixed in JRE 1.5.0_20:

CVE-2009-2625, CVE-2009-2670, CVE-2009-2671, CVE-2009-2672, CVE-2009-2673, CVE-2009-2675, CVE-2009-2676, CVE-2009-2716, CVE-2009-2718, CVE-2009-2719, CVE-2009-2720, CVE-2009-2721, CVE-2009-2722, CVE-2009-2723, and CVE-2009-2724.

The Common Vulnerabilities and Exposures project has assigned the following names to the security issues fixed in JRE 1.5.0_22:

CVE-2009-3728, CVE-2009-3729, CVE-2009-3864, CVE-2009-3865, CVE-2009-3866, CVE-2009-3867, CVE-2009-3868, CVE-2009-3869, CVE-2009-3871, CVE-2009-3872, CVE-2009-3873, CVE-2009-3874, CVE-2009-3875, CVE-2009-3876, CVE-2009-3877, CVE-2009-3879, CVE-2009-3880, CVE-2009-3881, CVE-2009-3882, CVE-2009-3883, CVE-2009-3884, CVE-2009-3886, and CVE-2009-3885.

The following table lists what action remediates the vulnerability (column 4) if a solution is available.

VMware Product   Product Version   Running on   Replace with/Apply Patch
==============   ===============   ==========   ============================
vCenter          4.0               Windows      affected, patch pending *
VirtualCenter    2.5               Windows      Update 6
VirtualCenter    2.0.2             Windows      affected, patch pending

Workstation      any               any          not affected
Player           any               any          not affected
Server           2.0               any          not being fixed at this time
Server           1.0               any          not affected
ACE              any               any          not affected
Fusion           any               any          not affected

ESXi             any               ESXi         not affected
ESX              4.0               ESX          ESX400-201005402-SG
ESX              3.5               ESX          ESX350-201003403-SG
ESX              3.0.3             ESX          affected, patch pending
ESX              2.5.5             ESX          not affected
vMA              4.0               RHEL5        affected, patch pending

* The JRE version of vCenter 4.0 and ESX 4.0 will be updated in the Update 2 release of vCenter 4.0 and ESX 4.0. See VMSA-2009-0016.1 for the update of JRE in vCenter 4.0 Update 1 and in ESX 4.0 Update 1.

Notes: These vulnerabilities can be exploited remotely only if the attacker has access to the Service Console network. Security best practices provided by VMware recommend that the Service Console be isolated from the VM network. Please see for more information on VMware security best practices. The currently installed version of JRE depends on your patch deployment history.

4. Solution

Please review the patch/release notes for your product and version and verify the sha1sum or md5sum of your downloaded file.

VMware Virtual Center 2.5 Update 6
Version 2.5 Update 6
Build Number 227637
Release Date 2010/01/29
Type Product Binaries

VirtualCenter DVD image – English only version
File size: 854 MB
File type: .iso
md5sum: d83b09ac0533a418d5b7f5493dbd3ed3
sha1sum: 1b969b397a937402b5e9463efc767eff7a980ad0

VirtualCenter as a Zip file – English only version
File size: 625 MB
File type: .zip
md5sum: 760f335ebcd363e0e159b20da923621f
sha1sum: e400bc1008d1e4c44d204a8135293b8ae305f14e

VMware vCenter Converter BootCD
VMware Converter Enterprise BootCD for VirtualCenter
File size: 97 MB
File type: .zip
md5sum: e49e0ff0f2563196cc5d4b5c471cd666

VMware vCenter Converter CLI (Linux)
VMware Converter Enterprise CLI for Linux platform
File size: 37 MB
File type: .tar.gz
md5sum: 30d1f5e58a6cad8dacd988908305bc1c

ESX 4.0
md5sum: ace37cd8d7c6388edcea2798ba8be939
sha1sum: 8fe7312fe74a435e824d879d4f1ff33df25cee78

ESX 3.5
md5sum: cdddef476c06eeb28c10c5dac3730dca
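The Solution section asks you to verify the md5sum or sha1sum of each download before applying it. The script below is an added example, not VMware's own tooling: it streams a file through both hash functions, compares the result against every digest the advisory lists for that artifact, and flags entries (such as the Converter BootCD and the ESX 3.5 patch above) for which only an md5sum is published, so that the weaker check is visible in the output. The file written by `verify_sample()` is constructed here purely to exercise the code; its digests are the standard "abc" test vectors, not advisory values.

```python
"""Verify downloaded patch files against the checksums published in an advisory."""
import hashlib
import os
import tempfile

# Checksums copied from section 4 of VMSA-2010-0002.2. Entries with no sha1
# are those for which the advisory publishes only an md5sum.
ADVISORY_CHECKSUMS = {
    "VirtualCenter 2.5 U6 DVD image (.iso)": {
        "md5": "d83b09ac0533a418d5b7f5493dbd3ed3",
        "sha1": "1b969b397a937402b5e9463efc767eff7a980ad0",
    },
    "VirtualCenter 2.5 U6 (.zip)": {
        "md5": "760f335ebcd363e0e159b20da923621f",
        "sha1": "e400bc1008d1e4c44d204a8135293b8ae305f14e",
    },
    "ESX 4.0 patch": {
        "md5": "ace37cd8d7c6388edcea2798ba8be939",
        "sha1": "8fe7312fe74a435e824d879d4f1ff33df25cee78",
    },
    "ESX 3.5 patch": {"md5": "cdddef476c06eeb28c10c5dac3730dca"},
}


def file_digests(path, chunk_size=1 << 20):
    """Return {"md5": ..., "sha1": ...} for a file, reading it in chunks so
    multi-hundred-megabyte ISOs do not have to fit in memory."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def verify_download(path, expected):
    """Compare a file against the digests the advisory lists for it.

    Returns (ok, detail). ok is True only when every listed digest matches;
    detail names the mismatching algorithms, or notes when the advisory
    offered nothing stronger than md5 for this artifact."""
    actual = file_digests(path)
    mismatches = sorted(
        alg for alg, want in expected.items()
        if actual.get(alg) != want.strip().lower()
    )
    if mismatches:
        return False, "mismatch: " + ", ".join(mismatches)
    if "sha1" not in expected:
        return True, "md5 only (advisory lists no sha1 for this file)"
    return True, "md5 and sha1 match"


def verify_sample():
    """Exercise verify_download on a constructed file containing b"abc".

    The expected digests are the well-known md5/sha1 test vectors for "abc";
    they are NOT values from the advisory."""
    good = {
        "md5": "900150983cd24fb0d6963f7d28e17f72",
        "sha1": "a9993e364706816aba3e25717850c26c9cd0d89d",
    }
    fd, path = tempfile.mkstemp(suffix=".iso")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(b"abc")
        results = {
            "both_listed": verify_download(path, good),
            "md5_only": verify_download(path, {"md5": good["md5"]}),
            "tampered": verify_download(path, {"md5": good["md5"],
                                               "sha1": "0" * 40}),
        }
    finally:
        os.unlink(path)
    return results


if __name__ == "__main__":
    for name, outcome in verify_sample().items():
        print(f"{name}: ok={outcome[0]} ({outcome[1]})")
```

To check a real download, call `verify_download("/path/to/VMware-VirtualCenter-2.5U6.iso", ADVISORY_CHECKSUMS["VirtualCenter 2.5 U6 DVD image (.iso)"])` and treat anything other than `(True, "md5 and sha1 match")` as a reason to stop and re-download; the function deliberately refuses a file when any one listed digest fails rather than accepting a partial match.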

5. References

CVE numbers

— JRE —

6. Change log

2010-01-29 VMSA-2010-0002
Initial security advisory after release of Virtual Center 2.5 Update 6 on 2010-01-29

2010-03-29 VMSA-2010-0002.1
Updated security advisory after release of ESX 3.5 patch for WebAccess.

2010-05-27 VMSA-2010-0002.2
Updated after release of patches for ESX 4.0 on 2010-05-27.

7. Contact

E-mail list for product security notifications and announcements:

This Security Advisory is posted to the following lists:

  • security-announce at
  • bugtraq at
  • full-disclosure at

E-mail: security at

PGP key at:

VMware Security Center

VMware security response policy

General support life cycle policy

VMware Infrastructure support life cycle policy

Copyright 2010 VMware Inc. All rights reserved.
