Upgrading the Jetty Web server embedded in VMware vCenter Update Manager by using a security fix

Article ID: 328725

Products

VMware

Issue/Introduction

The following VMware vCenter Update Manager versions embed the Jetty Web server version 6.1.6:
  • Update Manager 1.0 Update 2 and later
  • Update Manager 4.0
  • Update Manager 4.0 Update 1
  • Update Manager 4.0 Update 1 Patch 1
  • Update Manager 4.0 Update 1 Patch 2
  • Update Manager 4.0 Update 2
  • Update Manager 4.1
Two security vulnerabilities are reported for Jetty 6.1.6:
  • CVE-2009-1523 identifies a directory traversal vulnerability that allows a remote, unauthenticated attacker to read files from the system where Update Manager is installed. The attacker would need to be on the same network as the system where Update Manager is installed.
  • CVE-2009-1524 identifies a cross-site scripting vulnerability that allows JavaScript to run in the browser of a user who clicks a URL containing a malicious request to Update Manager. For the attack to succeed, the attacker must lure the user into clicking the malicious URL.
The vulnerabilities are classified as important, according to the VMware Security Response Policy.

The vulnerabilities are fixed in Jetty version 6.1.17 and later. This article explains how to apply a security fix and remove the vulnerabilities in existing Update Manager installations by upgrading to Jetty 6.1.22. The solution applies to all supported Update Manager versions.

Resolution

Apply the security fix

To upgrade the embedded Jetty Web server, do the following:
  1. Log in as an administrator to the machine on which the Update Manager server is installed.

  2. Download VUM-KB-1023962.exe from Customer Connect to a local directory.

  3. Verify that the MD5 or SHA1 checksum of the downloaded file matches one of the following. The original procedure marks this step as optional, but the file is executed with administrator rights on the Update Manager server, so do not skip it:
    • MD5SUM: 1140cb4f897f8f63d780068f480dac4e
    • SHA1SUM: d5f67eba67bda001bfc2b52c9b1a53d6757b7199
    Neither MD5 nor SHA1 is collision resistant any longer; a match rules out a corrupted, truncated, or swapped download, provided the checksums are read from this article rather than from the download location itself. For more information on verifying the checksum match, see Using Cryptographic Hashes.

  4. To run the security fix, double-click VUM-KB-1023962.exe.

  5. On the welcome page of the wizard, click Next.

  6. To accept the EULA and start the upgrade, click I Agree.

  7. (Optional) To view the log messages, click Show details.

  8. When the upgrade completes, click Close.

  9. Verify that Jetty is upgraded to version 6.1.22.
    1. In a command prompt, navigate to the <Update_Manager_installation_folder>\jetty-6.1.6\ directory. The directory keeps its jetty-6.1.6 name after the fix is applied; only its contents change.
      • The default path to the installation folder in 32-bit Windows is C:\Program Files\VMware\Infrastructure\Update Manager
      • The default path to the installation folder in 64-bit Windows is C:\Program Files (x86)\VMware\Infrastructure\Update Manager
    2. Run the version check that matches the JRE bundled with your Update Manager version.
      • To view the current Jetty version in Update Manager 4.1 and Update Manager 4.0 and its subsequent update releases, run the following command:
        ..\jre\bin\java -jar start.jar --version
      • To view the current Jetty version in Update Manager 1.0 Update 6, run the following command:
        ..\jre-1.5.0-16\bin\java -jar start.jar --version
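The following script is an added example for this article and is not VMware's code. It automates steps 3 and 9 above: it checks both published checksums of the downloaded fix before anything is executed, locates the Update Manager folder at the default paths for 32-bit and 64-bit Windows, reads the Jetty version the same way step 9 does (start.jar --version with the bundled JRE), runs the wizard, and confirms that 6.1.22 is reported afterwards. The download path C:\Temp\VUM-KB-1023962.exe and the regular expression used to pick the version out of the start.jar listing are assumptions; the .NET hash classes are used instead of Get-FileHash so the script also runs on the Windows PowerShell 2.0 that shipped with Update Manager 4.x era hosts.

```powershell
# Added example for KB 328725 (not VMware's code): pre-flight checks before running
# VUM-KB-1023962.exe, plus the Jetty version check from step 9.
# Assumes Windows PowerShell 2.0 or later, run from an elevated prompt on the
# Update Manager server. $FixPath is an assumed download location.

$FixPath      = 'C:\Temp\VUM-KB-1023962.exe'                 # assumed download location
$ExpectedMd5  = '1140cb4f897f8f63d780068f480dac4e'           # from the article
$ExpectedSha1 = 'd5f67eba67bda001bfc2b52c9b1a53d6757b7199'   # from the article

function Get-FileDigest {
    param([string]$Path, [string]$Algorithm)
    # Stream the file through the hasher so the installer is not read into memory at once.
    $hasher = [System.Security.Cryptography.HashAlgorithm]::Create($Algorithm)
    $stream = [System.IO.File]::OpenRead($Path)
    try     { $bytes = $hasher.ComputeHash($stream) }
    finally { $stream.Close() }
    return ([System.BitConverter]::ToString($bytes) -replace '-', '').ToLowerInvariant()
}

function Test-FixDownload {
    param([string]$Path)
    $md5  = Get-FileDigest -Path $Path -Algorithm 'MD5'
    $sha1 = Get-FileDigest -Path $Path -Algorithm 'SHA1'
    Write-Host ("MD5  actual {0}`n     expected {1}" -f $md5,  $ExpectedMd5)
    Write-Host ("SHA1 actual {0}`n     expected {1}" -f $sha1, $ExpectedSha1)
    # Require both digests to match: a truncated or altered file fails both, and two
    # agreeing digests under different functions are harder to forge than one.
    return (($md5 -eq $ExpectedMd5) -and ($sha1 -eq $ExpectedSha1))
}

function Get-UpdateManagerFolder {
    # Default locations from the article: Program Files on 32-bit Windows,
    # Program Files (x86) on 64-bit Windows. ${env:ProgramFiles(x86)} is unset on 32-bit.
    $roots = @(${env:ProgramFiles(x86)}, $env:ProgramFiles) | Where-Object { $_ }
    foreach ($root in $roots) {
        $folder = Join-Path $root 'VMware\Infrastructure\Update Manager'
        if (Test-Path (Join-Path $folder 'jetty-6.1.6\start.jar')) { return $folder }
    }
    throw 'Update Manager installation folder not found at a default path; set $folder by hand.'
}

function Get-JettyVersion {
    param([string]$InstallFolder)
    # The folder keeps its jetty-6.1.6 name after the fix; only the jars inside change.
    $jettyDir = Join-Path $InstallFolder 'jetty-6.1.6'
    # Update Manager 4.x bundles jre\; Update Manager 1.0 Update 6 bundles jre-1.5.0-16\.
    $java = @('jre\bin\java.exe', 'jre-1.5.0-16\bin\java.exe') |
        ForEach-Object { Join-Path $InstallFolder $_ } |
        Where-Object { Test-Path $_ } |
        Select-Object -First 1
    if (-not $java) { throw "No bundled JRE found under $InstallFolder" }
    Push-Location $jettyDir
    try     { $output = & $java -jar start.jar --version 2>&1 | Out-String }
    finally { Pop-Location }
    # Assumption: the listing names the Jetty jar (for example jetty-6.1.22.jar). Match the
    # jar name rather than any bare "6.1.x" token, because the jetty-6.1.6 folder name can
    # also appear in the output and would be mistaken for the version.
    if ($output -match 'jetty-(6\.1\.\d+)\.jar') { return $matches[1] }
    Write-Warning "Could not parse the Jetty version; raw output follows:`n$output"
    return $null
}

# --- main ---
if (-not (Test-FixDownload -Path $FixPath)) {
    throw 'Checksum mismatch: do not run the installer. Download it again from Customer Connect.'
}
$folder = Get-UpdateManagerFolder
Write-Host "Jetty before the fix: $(Get-JettyVersion -InstallFolder $folder)"
Start-Process -FilePath $FixPath -Wait      # steps 4-8: the wizard is still interactive
$after = Get-JettyVersion -InstallFolder $folder
if ($after -ne '6.1.22') { throw "Expected Jetty 6.1.22 after the fix, found '$after'" }
Write-Host "Jetty after the fix: $after"
```

If the version cannot be parsed, the raw start.jar listing is printed so it can be read by eye, exactly as step 9 intends; the script then treats the upgrade as unverified rather than assuming success.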

Reapplying the security fix after upgrading Update Manager

If you apply the security fix and then upgrade to a newer version of Update Manager that also contains the security flaws, you might need to reapply the fix.

Note: Before reapplying the fix, verify that your upgraded Update Manager installation contains the security flaws. All affected versions are listed at the top of this page.

Reapply the security fix after you perform these upgrades:
  • Upgrade from Update Manager 1.0 Update 6 to any version up to Update Manager 4.0 Update 2.
  • Upgrade from Update Manager 4.0 to any version up to Update Manager 4.0 Update 2.
  • Upgrade from Update Manager 4.0, 4.0 Update 1, 4.0 Update 1 Patch 1, 4.0 Update 1 Patch 2, or 4.0 Update 2 to Update Manager 4.1.

To reapply the fix:
  1. After upgrading Update Manager to any of the preceding versions, check the Jetty version.
    1. In a command prompt, navigate to the <Update_Manager_installation_folder>\jetty-6.1.6\ directory.
      • The default path to the installation folder in 32-bit Windows is C:\Program Files\VMware\Infrastructure\Update Manager
      • The default path to the installation folder in 64-bit Windows is C:\Program Files (x86)\VMware\Infrastructure\Update Manager
    2. Run the command for checking the current Jetty version.
      • To view the current Jetty version in Update Manager 4.1, Update Manager 4.0 and the subsequent update releases, run this command:
        ..\jre\bin\java -jar start.jar --version
      • To view the current Jetty version in Update Manager 1.0 Update 6, run the following command:
        ..\jre-1.5.0-16\bin\java -jar start.jar --version

  2. If the Jetty version is 6.1.6, reapply the fix by using the procedure in the Apply the security fix section.

Reapplying the security fix might result in an error message if an old Jetty registry key is present on the machine

If your Jetty version is 6.1.6 and you reapply the security fix after an upgrade of Update Manager, an error message might appear. The error message reads "VMware vCenter Update Manager <version_number> does not require this patch." The installer is trusting the JettyVersion value written by the earlier fix rather than the Jetty that is actually installed. In such a scenario, remove the JettyVersion registry entry before reapplying the fix.
  1. Click Start > Run, type regedit.exe, and click OK.

  2. Navigate to Jetty registry key location.
    • The path in 32-bit Windows is HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Update Manager.
    • The path in 64-bit Windows is HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Update Manager.

  3. Delete the JettyVersion registry entry.

  4. Reapply the security fix.
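The following is an added example for this article, not VMware's code. It locates the JettyVersion value under whichever of the two registry paths above exists on the machine, and removes it only when the Jetty actually installed is still 6.1.6, so a value that merely survived an upgrade of an already patched host is left alone. The installed version is passed in from the start.jar --version check in step 1 of this procedure. The function is a dry run by default (it uses -WhatIf) and deletes only with -Apply. It assumes an elevated 64-bit PowerShell on 64-bit Windows, so that HKLM:\SOFTWARE is not redirected under the caller's feet.

```powershell
# Added example for KB 328725 (not VMware's code): find the JettyVersion value the
# installer consults, and remove it only when the installed Jetty really is 6.1.6.
# Dry run by default; add -Apply to delete. Run from an elevated 64-bit PowerShell.

function Get-JettyVersionValue {
    # Registry paths from the article; whichever exists on this machine is used.
    $paths = @(
        'HKLM:\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Update Manager',  # 64-bit Windows
        'HKLM:\SOFTWARE\VMware, Inc.\VMware Update Manager'               # 32-bit Windows
    )
    foreach ($path in $paths) {
        if (-not (Test-Path $path)) { continue }
        # -ErrorAction SilentlyContinue yields nothing when the value is absent.
        $props = Get-ItemProperty -Path $path -Name JettyVersion -ErrorAction SilentlyContinue
        $value = $null
        if ($props) { $value = $props.JettyVersion }
        return New-Object PSObject -Property @{ Path = $path; Value = $value }
    }
    throw 'VMware Update Manager registry key not found under either path.'
}

function Remove-StaleJettyVersion {
    param(
        [Parameter(Mandatory=$true)][string]$InstalledJettyVersion,   # from start.jar --version
        [switch]$Apply
    )
    $key = Get-JettyVersionValue
    Write-Host "Key                   : $($key.Path)"
    Write-Host "Registry JettyVersion : $($key.Value)"
    Write-Host "start.jar --version   : $InstalledJettyVersion"
    if ($null -eq $key.Value) {
        Write-Host 'No JettyVersion value present; the installer has nothing stale to read.'
        return $false
    }
    if ($InstalledJettyVersion -ne '6.1.6') {
        # The value is consistent with a patched Jetty; deleting it gains nothing.
        Write-Host 'Installed Jetty is not 6.1.6; leaving the registry value in place.'
        return $false
    }
    # Jetty is still 6.1.6 but a JettyVersion value exists: this is the stale entry that
    # makes the installer report "does not require this patch". Remove it, then rerun the fix.
    Remove-ItemProperty -Path $key.Path -Name JettyVersion -WhatIf:(-not $Apply)
    return $true
}

# Usage, after reading the version with ..\jre\bin\java -jar start.jar --version:
#   Remove-StaleJettyVersion -InstalledJettyVersion 6.1.6          # shows what would be removed
#   Remove-StaleJettyVersion -InstalledJettyVersion 6.1.6 -Apply   # removes it; then reapply the fix
```

The old value is printed before removal so it is recorded in the console transcript; if the installer still refuses to run afterwards, the two paths listed in Get-JettyVersionValue are the places to look for a second copy of the value.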

Copyright statements and licenses

The attached open_source_license_VUM-KB-1023962.txt contains the copyright statements and license(s) that apply to various open source software components (or portions thereof) that will be made available to VMware vCenter Update Manager upon installation. Use of such open source software is pursuant to such open source license terms and your end user license agreement for VMware vCenter Update Manager.

Attachments

1023962_open_source_license_VUM.txt