VMware Security Alert – [Security-announce] UPDATED VMSA-2012-0003.1 VMware VirtualCenter Update and ESX 3.5 patch update JRE

In our effort to provide our viewers with up to the minute information on VMware related news and topics, we’re posting the following Security Alert direct from the VMware Security Alert distribution.

VMware Security Advisory

Advisory ID: VMSA-2012-0003.1
Synopsis: VMware VirtualCenter Update and ESX 3.5 patch update JRE
Issue date: 2012-03-08
Updated on: 2012-09-13
CVE numbers: See references

1. Summary

VMware VirtualCenter Update 6b and ESX 3.5 patch update JRE.

2. Relevant releases

VirtualCenter 2.5 previous to Update 6b

ESX 3.5 without patch ESX350-201203401-SG

3. Problem Description

a. VirtualCenter and ESX, Oracle (Sun) JRE update 1.5.0_32

Oracle (Sun) JRE is updated to version 1.5.0_32, which addresses
multiple security issues that existed in earlier releases of Oracle
(Sun) JRE.

Oracle has documented the CVE identifiers that are addressed in
JRE 1.5.0_32 in the Oracle Java SE Critical Patch Update Advisory of
October 2011.

Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is

VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter 5.0 Windows not applicable **
vCenter 4.1 Windows not applicable **
vCenter 4.0 Windows see VMSA-2012-0013
VirtualCenter 2.5 Windows VirtualCenter 2.5 Update 6b

hosted * any any not affected

ESXi any ESXi not affected

ESX 4.1 ESX not applicable **
ESX 4.0 ESX see VMSA-2012-0013
ESX 3.5 ESX ESX350-201203401-SG

* hosted products are VMware Workstation, Player, ACE, Fusion.

** this product uses the Oracle (Sun) JRE 1.6.0 family

4. Solution

VMware Virtual Center 2.5 Update 6b
Version 2.5 Update 6b
Build Number 598800
Release Date 2012/03/08
Type Product Binaries


vCenter Server DVD image – English only version
File type: iso
MD5SUM: 085f7bddd2adf2c4ba5bd066271e2b06
SHA1SUM: 019ff0a67d150d0a3dbdac53bfde0b0eb69f9bfd

vCenter Server as a Zip file – English only version
File type: zip
MD5SUM: ee15ae73a66dd9dbc27fada476656aeb
SHA1SUM: a5c25d114d42f1aae11d7c741587cf57caff72a3

VMware vCenter Converter BootCD for vCenter Server
File type: .zip
Version: 4.0.3
MD5SUM: e49e0ff0f2563196cc5d4b5c471cd666

VMware vCenter Converter CLI for Linux platform
File type: .tar.gz
Version: 4.0.3
MD5SUM: 30d1f5e58a6cad8dacd988908305bc1c

ESX 3.5

md5sum: 07743c471ce46de825c36c2277ccd500
sha1sum: cb77e6f820e1015311bf2386b240fd84f0ad04dd

5. References

Oracle Java SE Critical Patch Update Advisory of October 2011



6. Change log

2012-03-08 VMSA-2012-0003
Initial security advisory in conjunction with the release of
VirtualCenter Update 6b and patches for ESX 3.5 and ESXi 3.5 on

2012-09-12 VMSA-2012-0003.1
Updated security advisory in conjunction with the release of
vSphere 4.0 U4a on 2012-09-12 and ESX 4.0 patches on 2012-09-13.


7. Contact

E-mail list for product security notifications and announcements:

This Security Advisory is posted to the following lists:

* security-announce at lists.vmware.com
* bugtraq at securityfocus.com
* full-disclosure at lists.grok.org.uk

E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055

VMware Security Advisories

VMware security response policy

General support life cycle policy

VMware Infrastructure support life cycle policy

Copyright 2012 VMware Inc. All rights reserved.

Security-announce mailing list

Created on September 15, 2012 by Rick Scherer

Posted under Alert.

This blog has 1,107 views.

Tags: , , , ,

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

Leave a Comment

Name (required)

Email (required)



More Blog Post