VMSA-2008-0010 : Updated Tomcat and Java JRE packages for VMware ESX 3.5 and VirtualCenter

This script is Copyright (C) 2009-2014 Tenable Network Security, Inc.


Synopsis :

The remote VMware ESX host is missing a security-related patch.

Description :

ESX patches and updates for VirtualCenter fix the following
application vulnerabilities.

a. Tomcat Server Security Update

The ESX patches and the updates for VirtualCenter update the
Tomcat Server package to version 5.5.26, which addresses multiple
security issues that existed in earlier releases of Tomcat Server.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2007-5333, CVE-2007-5342, CVE-2007-5461,
CVE-2007-6286 to the security issues fixed in Tomcat 5.5.26.

b. JRE Security Update

The ESX patches and the updates for VirtualCenter update the JRE
package to version 1.5.0_15, which addresses multiple security
issues that existed in earlier releases of JRE.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2008-1185, CVE-2008-1186, CVE-2008-1187,
CVE-2008-1188, CVE-2008-1189, CVE-2008-1190, CVE-2008-1191,
CVE-2008-1192, CVE-2008-1193, CVE-2008-1194, CVE-2008-1195,
CVE-2008-1196, CVE-2008-0657, CVE-2007-5689, CVE-2007-5232,
CVE-2007-5236, CVE-2007-5237, CVE-2007-5238, CVE-2007-5239,
CVE-2007-5240, CVE-2007-5274 to the security issues fixed in
JRE 1.5.0_12, JRE 1.5.0_13, JRE 1.5.0_14, JRE 1.5.0_15.

See also :

http://lists.vmware.com/pipermail/security-announce/2008/000031.html

Solution :

Apply the missing patch.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 8.7
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : true