http://java.sun.com/javase/6/webnotes/6u15.html

37386

37460

GLSA-200911-02

20091120 VMSA-2009-0016 VMware vCenter and ESX update release and vMA patch release address multiple security issue in third party components

http://www.vmware.com/security/advisories/VMSA-2009-0016.html

ADV-2009-3316

The remote VMware ESX host is missing a security-related patch. It is, therefore, affected by multiple vulnerabilities, including remote code execution vulnerabilities, in the bundled version of the Java Runtime Environment (JRE).

The remote VMware ESX / ESXi host is missing a security-related patch.
It is, therefore, affected by multiple vulnerabilities, including remote code execution vulnerabilities, in the following components :

  - Apache Geronimo
  - Apache Tomcat
  - Apache Xerces2
  - cURL/libcURL
  - ISC BIND
  - Libxml2
  - Linux kernel
  - Linux kernel 64-bit
  - Linux kernel Common Internet File System
  - Linux kernel eCryptfs
  - NTP
  - Python
  - Java Runtime Environment (JRE)
  - Java SE Development Kit (JDK)
  - Java SE Abstract Window Toolkit (AWT)
  - Java SE Plugin
  - Java SE Provider
  - Java SE Swing
  - Java SE Web Start

a. Java JRE Security Update

  JRE update to version 1.5.0_22, which addresses multiple security   issues that existed in earlier releases of JRE.

  The Common Vulnerabilities and Exposures project (cve.mitre.org) has   assigned the following names to the security issues fixed in   JRE 1.5.0_18: CVE-2009-1093, CVE-2009-1094, CVE-2009-1095,   CVE-2009-1096, CVE-2009-1097, CVE-2009-1098, CVE-2009-1099,   CVE-2009-1100, CVE-2009-1101, CVE-2009-1102, CVE-2009-1103,   CVE-2009-1104, CVE-2009-1105, CVE-2009-1106, and CVE-2009-1107.

  The Common Vulnerabilities and Exposures project (cve.mitre.org) has   assigned the following names to the security issues fixed in   JRE 1.5.0_20: CVE-2009-2625, CVE-2009-2670, CVE-2009-2671,   CVE-2009-2672, CVE-2009-2673, CVE-2009-2675, CVE-2009-2676,   CVE-2009-2716, CVE-2009-2718, CVE-2009-2719, CVE-2009-2720,   CVE-2009-2721, CVE-2009-2722, CVE-2009-2723, CVE-2009-2724.

  The Common Vulnerabilities and Exposures project (cve.mitre.org) has   assigned the following names to the security issues fixed in   JRE 1.5.0_22: CVE-2009-3728, CVE-2009-3729, CVE-2009-3864,   CVE-2009-3865, CVE-2009-3866, CVE-2009-3867, CVE-2009-3868,   CVE-2009-3869, CVE-2009-3871, CVE-2009-3872, CVE-2009-3873,   CVE-2009-3874, CVE-2009-3875, CVE-2009-3876, CVE-2009-3877,   CVE-2009-3879, CVE-2009-3880, CVE-2009-3881, CVE-2009-3882,   CVE-2009-3883, CVE-2009-3884, CVE-2009-3886, CVE-2009-3885.

a. JRE Security Update

  JRE update to version 1.5.0_20, which addresses multiple security   issues that existed in earlier releases of JRE.

  The Common Vulnerabilities and Exposures project (cve.mitre.org) has   assigned the following names to the security issues fixed in   JRE 1.5.0_18: CVE-2009-1093, CVE-2009-1094, CVE-2009-1095,   CVE-2009-1096, CVE-2009-1097, CVE-2009-1098, CVE-2009-1099,   CVE-2009-1100, CVE-2009-1101, CVE-2009-1102, CVE-2009-1103,   CVE-2009-1104, CVE-2009-1105, CVE-2009-1106, and CVE-2009-1107.

  The Common Vulnerabilities and Exposures project (cve.mitre.org) has   assigned the following names to the security issues fixed in   JRE 1.5.0_20: CVE-2009-2625, CVE-2009-2670, CVE-2009-2671,   CVE-2009-2672, CVE-2009-2673, CVE-2009-2675, CVE-2009-2676,   CVE-2009-2716, CVE-2009-2718, CVE-2009-2719, CVE-2009-2720,   CVE-2009-2721, CVE-2009-2722, CVE-2009-2723, CVE-2009-2724.

b. Update Apache Tomcat version

  Update for VirtualCenter and ESX patch update the Tomcat package to   version 6.0.20 (vSphere 4.0) or version 5.5.28 (VirtualCenter 2.5)   which addresses multiple security issues that existed   in the previous version of Apache Tomcat.

  The Common Vulnerabilities and Exposures project (cve.mitre.org) has   assigned the following names to the security issues fixed in   Apache Tomcat 6.0.20 and Tomcat 5.5.28: CVE-2008-5515,   CVE-2009-0033, CVE-2009-0580, CVE-2009-0781, CVE-2009-0783.

  The Common Vulnerabilities and Exposures project (cve.mitre.org) has   assigned the following names to the security issues fixed in   Apache Tomcat 6.0.18:  CVE-2008-1232, CVE-2008-1947, CVE-2008-2370.

  The Common Vulnerabilities and Exposures project (cve.mitre.org) has   assigned the following names to the security issues fixed in   Apache Tomcat 6.0.16:  CVE-2007-5333, CVE-2007-5342, CVE-2007-5461,   CVE-2007-6286, CVE-2008-0002.
  c. Third-party library update for ntp.
   The Network Time Protocol (NTP) is used to synchronize a computer's   time with a referenced time source.
   ESXi 3.5 and ESXi 4.0 have a ntp client that is affected by the   following security issue. Note that the same security issue is   present in the ESX Service Console as described in section d. of   this advisory.
   A buffer overflow flaw was discovered in the ntpd daemon's NTPv4   authentication code. If ntpd was configured to use public key   cryptography for NTP packet authentication, a remote attacker could   use this flaw to send a specially crafted request packet that could   crash ntpd or, potentially, execute arbitrary code with the   privileges of the 'ntp' user.
   The Common Vulnerabilities and Exposures Project (cve.mitre.org)   has assigned the name CVE-2009-1252 to this issue.
   The NTP security issue identified by CVE-2009-0159 is not relevant   for ESXi 3.5 and ESXi 4.0.
 d. Service Console update for ntp

  Service Console package ntp updated to version ntp-4.2.2pl-9el5_3.2    The Network Time Protocol (NTP) is used to synchronize a computer's   time with a referenced time source.
   The Service Console present in ESX is affected by the following   security issues.
   A buffer overflow flaw was discovered in the ntpd daemon's NTPv4   authentication code. If ntpd was configured to use public key   cryptography for NTP packet authentication, a remote attacker could   use this flaw to send a specially crafted request packet that could   crash ntpd or, potentially, execute arbitrary code with the   privileges of the 'ntp' user.
   NTP authentication is not enabled by default on the Service Console.
   The Common Vulnerabilities and Exposures Project (cve.mitre.org)   has assigned the name CVE-2009-1252 to this issue.
   A buffer overflow flaw was found in the ntpq diagnostic command. A   malicious, remote server could send a specially crafted reply to an   ntpq request that could crash ntpq or, potentially, execute   arbitrary code with the privileges of the user running the ntpq   command.
   The Common Vulnerabilities and Exposures Project (cve.mitre.org)   has assigned the name CVE-2009-0159 to this issue.
  e. Updated Service Console package kernel

  Updated Service Console package kernel addresses the security   issues listed below.

  The Common Vulnerabilities and Exposures project (cve.mitre.org)   has assigned the names CVE-2008-3528, CVE-2008-5700, CVE-2009-0028,   CVE-2009-0269, CVE-2009-0322, CVE-2009-0675, CVE-2009-0676,   CVE-2009-0778 to the security issues fixed in kernel   2.6.18-128.1.6.

  The Common Vulnerabilities and Exposures project (cve.mitre.org)   has assigned the names CVE-2008-4307, CVE-2009-0834, CVE-2009-1337,   CVE-2009-0787, CVE-2009-1336 to the security issues fixed in   kernel 2.6.18-128.1.10.

  The Common Vulnerabilities and Exposures project (cve.mitre.org)   has assigned the names CVE-2009-1439, CVE-2009-1633, CVE-2009-1072,   CVE-2009-1630, CVE-2009-1192 to the security issues fixed in   kernel 2.6.18-128.1.14.

  The Common Vulnerabilities and Exposures project (cve.mitre.org)   has assigned the names CVE-2007-5966, CVE-2009-1385, CVE-2009-1388,   CVE-2009-1389, CVE-2009-1895, CVE-2009-2406, CVE-2009-2407 to the   security issues fixed in kernel 2.6.18-128.4.1.

  The Common Vulnerabilities and Exposures project (cve.mitre.org)   has assigned the names CVE-2009-2692, CVE-2009-2698 to the   security issues fixed in kernel 2.6.18-128.7.1.

  The Common Vulnerabilities and Exposures project (cve.mitre.org)   has assigned the names CVE-2009-0745, CVE-2009-0746, CVE-2009-0747,   CVE-2009-0748, CVE-2009-2847, CVE-2009-2848 to the security issues   fixed in kernel 2.6.18-164.

 f. Updated Service Console package python

  Service Console package Python update to version 2.4.3-24.el5.

  When the assert() system call was disabled, an input sanitization   flaw was revealed in the Python string object implementation that   led to a buffer overflow. The missing check for negative size values   meant the Python memory allocator could allocate less memory than   expected. This could result in arbitrary code execution with the   Python interpreter's privileges.

  Multiple buffer and integer overflow flaws were found in the Python   Unicode string processing and in the Python Unicode and string   object implementations. An attacker could use these flaws to cause   a denial of service.

  Multiple integer overflow flaws were found in the Python imageop   module. If a Python application used the imageop module to   process untrusted images, it could cause the application to   disclose sensitive information, crash or, potentially, execute   arbitrary code with the Python interpreter's privileges.

  Multiple integer underflow and overflow flaws were found in the   Python snprintf() wrapper implementation. An attacker could use   these flaws to cause a denial of service (memory corruption).

  Multiple integer overflow flaws were found in various Python   modules. An attacker could use these flaws to cause a denial of   service.

  An integer signedness error, leading to a buffer overflow, was   found in the Python zlib extension module. If a Python application   requested the negative byte count be flushed for a decompression   stream, it could cause the application to crash or, potentially,   execute arbitrary code with the Python interpreter's privileges.

  A flaw was discovered in the strxfrm() function of the Python   locale module. Strings generated by this function were not properly   NULL-terminated, which could possibly cause disclosure of data   stored in the memory of a Python application using this function.

  The Common Vulnerabilities and Exposures project (cve.mitre.org)   has assigned the names CVE-2007-2052 CVE-2007-4965 CVE-2008-1721   CVE-2008-1887 CVE-2008-2315 CVE-2008-3142 CVE-2008-3143   CVE-2008-3144 CVE-2008-4864 CVE-2008-5031 to these issues.

 g. Updated Service Console package bind

  Service Console package bind updated to version 9.3.6-4.P1.el5

  The Berkeley Internet Name Domain (BIND) is an implementation of the   Domain Name System (DNS) protocols. BIND includes a DNS server   (named); a resolver library (routines for applications to use when   interfacing with DNS); and tools for verifying that the DNS server   is operating correctly.

  A flaw was found in the way BIND handles dynamic update message   packets containing the 'ANY' record type. A remote attacker could   use this flaw to send a specially crafted dynamic update packet   that could cause named to exit with an assertion failure.

  The Common Vulnerabilities and Exposures project (cve.mitre.org)   has assigned the name CVE-2009-0696 to this issue.

 h. Updated Service Console package libxml2

  Service Console package libxml2 updated to version 2.6.26-2.1.2.8.

  libxml is a library for parsing and manipulating XML files. A   Document Type Definition (DTD) defines the legal syntax (and also   which elements can be used) for certain types of files, such as XML   files.

  A stack overflow flaw was found in the way libxml processes the   root XML document element definition in a DTD. A remote attacker   could provide a specially crafted XML file, which once opened by a   local, unsuspecting user, would lead to denial of service.

  Multiple use-after-free flaws were found in the way libxml parses   the Notation and Enumeration attribute types. A remote attacker   could provide a specially crafted XML file, which once opened by a   local, unsuspecting user, would lead to denial of service.

  The Common Vulnerabilities and Exposures project (cve.mitre.org)   has assigned the names CVE-2009-2414 and CVE-2009-2416 to these   issues.

 i. Updated Service Console package curl

  Service Console package curl updated to version 7.15.5-2.1.el5_3.5

  A cURL is affected by the previously published 'null prefix attack',   caused by incorrect handling of NULL characters in X.509   certificates. If an attacker is able to get a carefully-crafted   certificate signed by a trusted Certificate Authority, the attacker   could use the certificate during a man-in-the-middle attack and   potentially confuse cURL into accepting it by mistake.

  The Common Vulnerabilities and Exposures project (cve.mitre.org)   has assigned the name CVE-2009-2417 to this issue

 j. Updated Service Console package gnutls

  Service Console package gnutil updated to version 1.4.1-3.el5_3.5

  A flaw was discovered in the way GnuTLS handles NULL characters in   certain fields of X.509 certificates. If an attacker is able to get   a carefully-crafted certificate signed by a Certificate Authority   trusted by an application using GnuTLS, the attacker could use the   certificate during a man-in-the-middle attack and potentially   confuse the application into accepting it by mistake.

  The Common Vulnerabilities and Exposures project (cve.mitre.org)   has assigned the name CVE-2009-2730 to this issue

The remote host is affected by the vulnerability described in GLSA-200911-02 (Sun JDK/JRE: Multiple vulnerabilities)

    Multiple vulnerabilities have been reported in the Sun Java     implementation. Please review the CVE identifiers referenced below and     the associated Sun Alerts for details.
  Impact :

    A remote attacker could entice a user to open a specially crafted JAR     archive, applet, or Java Web Start application, possibly resulting in     the execution of arbitrary code with the privileges of the user running     the application. Furthermore, a remote attacker could cause a Denial of     Service affecting multiple services via several vectors, disclose     information and memory contents, write or execute local files, conduct     session hijacking attacks via GIFAR files, steal cookies, bypass the     same-origin policy, load untrusted JAR files, establish network     connections to arbitrary hosts and posts via several vectors, modify     the list of supported graphics configurations, bypass HMAC-based     authentication systems, escalate privileges via several vectors and     cause applet code to be executed with older, possibly vulnerable     versions of the JRE.
    NOTE: Some vulnerabilities require a trusted environment, user     interaction, a DNS Man-in-the-Middle or Cross-Site-Scripting attack.
  Workaround :

    There is no known workaround at this time.

Updated java-1.6.0-sun packages that correct several security issues are now available for Red Hat Enterprise Linux 4 Extras and 5 Supplementary.

This update has been rated as having critical security impact by the Red Hat Security Response Team.

The Sun 1.6.0 Java release includes the Sun Java 6 Runtime Environment and the Sun Java 6 Software Development Kit.

This update fixes several vulnerabilities in the Sun Java 6 Runtime Environment and the Sun Java 6 Software Development Kit. These vulnerabilities are summarized on the 'Advance notification of Security Updates for Java SE' page from Sun Microsystems, listed in the References section. (CVE-2009-0217, CVE-2009-2475, CVE-2009-2476, CVE-2009-2625, CVE-2009-2670, CVE-2009-2671, CVE-2009-2672, CVE-2009-2673, CVE-2009-2674, CVE-2009-2675, CVE-2009-2676, CVE-2009-2690)

Users of java-1.6.0-sun should upgrade to these updated packages, which correct these issues. All running instances of Sun Java must be restarted for the update to take effect.

Updated java-1.5.0-sun packages that correct several security issues are now available for Red Hat Enterprise Linux 4 Extras and 5 Supplementary.

This update has been rated as having critical security impact by the Red Hat Security Response Team.

The Sun 1.5.0 Java release includes the Sun Java 5 Runtime Environment and the Sun Java 5 Software Development Kit.

This update fixes several vulnerabilities in the Sun Java 5 Runtime Environment and the Sun Java 5 Software Development Kit. These vulnerabilities are summarized on the 'Advance notification of Security Updates for Java SE' page from Sun Microsystems, listed in the References section. (CVE-2009-2475, CVE-2009-2625, CVE-2009-2670, CVE-2009-2671, CVE-2009-2672, CVE-2009-2673, CVE-2009-2675, CVE-2009-2676, CVE-2009-2689)

Users of java-1.5.0-sun should upgrade to these updated packages, which correct these issues. All running instances of Sun Java must be restarted for the update to take effect.

ID	Name	Product	Family	Severity
89736	VMware ESX Java Runtime Environment (JRE) Multiple Vulnerabilities (VMSA-2010-0002) (remote check)	Nessus	VMware ESX Local Security Checks	critical
89117	VMware ESX / ESXi Multiple Vulnerabilities (VMSA-2009-0016) (remote check)	Nessus	Misc.	critical
45386	VMSA-2010-0002 : VMware vCenter update release addresses multiple security issues in Java JRE	Nessus	VMware ESX Local Security Checks	critical
42870	VMSA-2009-0016 : VMware vCenter and ESX update release and vMA patch release address multiple security issues in third party components.	Nessus	VMware ESX Local Security Checks	critical
42834	GLSA-200911-02 : Sun JDK/JRE: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	critical
40749	RHEL 4 / 5 : java-1.6.0-sun (RHSA-2009:1200)	Nessus	Red Hat Local Security Checks	critical
40748	RHEL 4 / 5 : java-1.5.0-sun (RHSA-2009:1199)	Nessus	Red Hat Local Security Checks	critical

CVE-2009-2720

MEDIUM

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Tenable Plugins

critical

critical

critical

critical

critical

critical

critical