VMSA-2008-00010 : Updated Tomcat and Java JRE packages for VMware, ESX 3.5 and VirtualCenter 2.5 (DEPRECATED)

critical Nessus Plugin ID 40371

Synopsis

The remote VMware host is missing one or more security-related patches.

Description

Updated ESX patches and VirtualCenter update 2 fix the following application vulnerabilities.

a. Tomcat Server Security Update

This release of ESX updates the Tomcat Server package to version 5.5.26, which addresses multiple security issues that existed in earlier releases of Tomcat Server.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2007-5333, CVE-2007-5342, CVE-2007-5461, CVE-2007-6286 to the security issues fixed in Tomcat 5.5.26.

b. JRE Security Update

This release of ESX and VirtualCenter updates the JRE package to version 1.5.0_15, which addresses multiple security issues that existed in earlier releases of JRE.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2008-1185, CVE-2008-1186, CVE-2008-1187, CVE-2008-1188, CVE-2008-1189, CVE-2008-1190, CVE-2008-1191, CVE-2008-1192, CVE-2008-1193, CVE-2008-1194, CVE-2008-1195, CVE-2008-1196, CVE-2008-0657, CVE-2007-5689, CVE-2007-5232, CVE-2007-5236, CVE-2007-5237, CVE-2007-5238, CVE-2007-5239, CVE-2007-5240, CVE-2007-5274 to the security issues fixed in JRE 1.5.0_12, JRE 1.5.0_13, JRE 1.5.0_14, JRE 1.5.0_15.

Notes: These vulnerabilities can be exploited remotely only if the attacker has access to the service console network.
Security best practices provided by VMware recommend that the service console be isolated from the VM network. Please see http://www.vmware.com/resources/techresources/726 for more information on VMware security best practices.

Solution

Apply the missing patch(es).

See Also

http://www.vmware.com/security/advisories/VMSA-2008-0010.html

http://lists.vmware.com/pipermail/security-announce/2008/000031.html

Plugin Details

Severity: Critical

ID: 40371

File Name: vmware_VMSA-2008-00010.nasl

Version: Revision: 1.11

Type: local

Published: 7/27/2009

Updated: 4/26/2012

Dependencies: ssh_get_info.nasl

Risk Information

CVSS v2

Risk Factor: Critical

Base Score: 10

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: cpe:/a:emc:vmware

Required KB Items: Host/local_checks_enabled, Host/VMware/version

Patch Publication Date: 6/16/2008

Reference Information

CVE: CVE-2007-5232, CVE-2007-5236, CVE-2007-5237, CVE-2007-5238, CVE-2007-5239, CVE-2007-5240, CVE-2007-5274, CVE-2007-5333, CVE-2007-5342, CVE-2007-5461, CVE-2007-5689, CVE-2007-6286, CVE-2008-0657, CVE-2008-1185, CVE-2008-1186, CVE-2008-1187, CVE-2008-1188, CVE-2008-1189, CVE-2008-1190, CVE-2008-1191, CVE-2008-1192, CVE-2008-1193, CVE-2008-1194, CVE-2008-1195, CVE-2008-1196

OSVDB: 37759, 37760, 37761, 37762, 37763, 37764, 37765, 38187, 39833, 40834, 41146, 41147, 41435, 41436, 42589, 42590, 42591, 42592, 42593, 42594, 42595, 42596, 42597, 42598, 42599, 42600, 42601, 42602, 48610