The following VMware vCenter Update Manager versions embed the Jetty Web server version 6.1.6:
- Update Manager 1.0 Update 2 and later
- Update Manager 4.0
- Update Manager 4.0 Update 1
- Update Manager 4.0 Update 2
- Update Manager 4.1
Two Jetty security vulnerabilities have been discovered:
The vulnerability identified by CVE-2009-1523 is a directory traversal vulnerability. It allows a remote, unauthenticated attacker to retrieve files from the system where Update Manager is installed. The attacker would need to be on the same network as the system where Update Manager is installed.
The vulnerability identified by CVE-2009-1524 is a cross-site scripting vulnerability. It allows JavaScript to run in the browser of a user who clicks a URL containing a malicious request to Update Manager. For an attack to succeed, the attacker would need to lure the user into clicking that malicious URL.
The vulnerabilities are classified as Important according to the VMware Security Response Policy.
These vulnerabilities are fixed in Jetty version 6.1.17 and later. This KB article explains how to fix them in existing Update Manager installations by manually upgrading the embedded Jetty to version 6.1.22.
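Because the vulnerable Jetty is embedded inside the Update Manager install rather than managed by the operating system, the only reliable way to know whether a given host is still exposed, before and after the manual upgrade, is to look at the Jetty jars actually on disk. The script below is an added example, not part of this KB article or of VMware's tooling: it walks an install directory you supply (the directory path is an assumption; the KB does not state it here), reads each Jetty jar's version from its manifest with the filename as fallback, and flags anything below 6.1.17. The sample install tree it builds when run without arguments is constructed for demonstration and is not the real Update Manager layout.

```python
"""Added check: list the Jetty jars under an Update Manager install and flag any
older than 6.1.17, the first release carrying the fixes for CVE-2009-1523 and
CVE-2009-1524. Example code, not VMware's; the install root is an assumption
passed in by the caller."""
import os
import re
import sys
import tempfile
import zipfile

FIXED_VERSION = (6, 1, 17)
# Jetty 6 jar names look like jetty-6.1.6.jar or jetty-util-6.1.22.jar
JAR_RE = re.compile(r"^jetty(?:-[a-z]+)*-(\d+(?:\.\d+)+)\.jar$", re.IGNORECASE)
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")


def parse_version(text):
    """'6.1.22' -> (6, 1, 22); tuples compare numerically, unlike strings."""
    return tuple(int(part) for part in text.split("."))


def manifest_version(jar_path):
    """Implementation-Version from META-INF/MANIFEST.MF, or None if absent."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            raw = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError, OSError):
        return None
    for line in raw.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "implementation-version":
            return value.strip()
    return None


def find_jetty_jars(root):
    """Return [(path, version_tuple)] for every Jetty jar below root.
    The manifest is preferred; the filename is the fallback (a jar can be
    renamed, so a manifest that disagrees with the name is worth noticing)."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            m = JAR_RE.match(name)
            if not m:
                continue
            path = os.path.join(dirpath, name)
            mv = manifest_version(path)
            if mv and VERSION_RE.fullmatch(mv):
                version = parse_version(mv)
            else:
                version = parse_version(m.group(1))
            found.append((path, version))
    return sorted(found)


def vulnerable_jars(root, fixed=FIXED_VERSION):
    """Jetty jars below root whose version is older than the fixed release."""
    return [(p, v) for p, v in find_jetty_jars(root) if v < fixed]


def make_sample_install():
    """Constructed sample tree (not a real Update Manager layout): one
    unpatched jar with a manifest, one patched jar without, one unrelated jar."""
    root = tempfile.mkdtemp(prefix="vum-jetty-")
    lib = os.path.join(root, "lib")
    os.makedirs(lib)
    with zipfile.ZipFile(os.path.join(lib, "jetty-6.1.6.jar"), "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\nImplementation-Version: 6.1.6\r\n")
    with zipfile.ZipFile(os.path.join(lib, "jetty-util-6.1.22.jar"), "w") as zf:
        zf.writestr("org/placeholder.txt", "")
    with zipfile.ZipFile(os.path.join(lib, "log4j-1.2.15.jar"), "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n")
    return root


if __name__ == "__main__":
    # Usage: python jetty_check.py <update-manager-install-dir>
    # With no argument the constructed sample tree is scanned instead.
    root = sys.argv[1] if len(sys.argv) > 1 else make_sample_install()
    bad = vulnerable_jars(root)
    for path, version in find_jetty_jars(root):
        state = "VULNERABLE" if version < FIXED_VERSION else "ok"
        print(f"{state:10s} {'.'.join(map(str, version)):8s} {path}")
    sys.exit(1 if bad else 0)
```

Run it against the real install directory after the manual upgrade; a non-zero exit means at least one Jetty jar below 6.1.17 is still present, which is exactly the case (an old jar left behind next to the new one) that a version check on a single file would miss.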
574906