The following VMware vCenter Update Manager versions embed the Jetty Web server version 6.1.6:

• Update Manager 1.0 Update 2 and later
• Update Manager 4.0
• Update Manager 4.0 Update 1
• Update Manager 4.0 Update 2
• Update Manager 4.1

Two Jetty security vulnerabilities have been discovered:

• CVE-2009-1523 (http://jira.codehaus.org/browse/JETTY-1004)
• CVE-2009-1524 (http://jira.codehaus.org/browse/JETTY-980)

The vulnerability identified by CVE-2009-1523 is a directory traversal vulnerability. It allows for obtaining files from the system where Update Manager is installed by a remote, unauthenticated attacker. The attacker would need to be on the same network as the system where Update Manager is installed.

The vulnerability identified by CVE-2009-1524 is a cross-site scripting vulnerability. It allows for running JavaScript in the browser of the user who clicks a URL containing a malicious request to Update Manager. For an attack to be successful the attacker would need to lure the user into clicking the malicious URL.

The vulnerabilities are classified as Important, according to the VMware Security Response Policy.

These vulnerabilities are fixed in Jetty version 6.1.17 and onwards. This KB article explains how to fix the vulnerabilities in existing Update Manager installations by manually upgrading to Jetty 6.1.22.
574906

VMware vCenter Update Manager 4.1.x
VMware vCenter Update Manager 1.0.x
VMware vCenter Update Manager 4.0.x

To upgrade the Jetty version embedded in Update Manager:

1. Log in as an administrator to the machine on which the Update Manager server is installed.
2. Download Jetty from the following link:
   http://dist.codehaus.org/jetty/jetty-6.1.22/jetty-6.1.22.zip
3. Extract the contents of the jetty-6.1.22.zip into a temporary directory.
   For example, if your temporary directory is C:\Temp, after you extract the content of the .zip file in this directory, and run the dir command in a command prompt, you see the following:
   
   Volume in drive C is <name_of_the_machine>
   Volume Serial Number is XXXX-XXXX
   Directory of C:\Temp
   MM/DD/YYYY hh:mm AM <dir> .
   MM/DD/YYYY hh:mm AM <dir> ..
   MM/DD/YYYY hh:mm AM <dir> jetty-6.1.22
   0 File(s); 0 bytes

   In this example, <name_of_the_machine> is the name of the computer where you extracted the .zip file, and the MM/DD/YYYY time is determined by when you extracted the files from the .zip file.

4. Stop the Update Manager service:
   1. Right-click My Computer and select Manage.
   2. In the left pane of the Computer Management window, expand Services and Applications and click Services.
   3. In the right pane, right-click VMware vCenter Update Manager and select Stop.
5. In Windows Explorer, navigate to the Update Manager installation folder.
   
   • The default path to the installation folder in 32-bit Windows is C:\Program Files\VMware\Infrastructure\Update Manager
   • The default path to the installation folder in 64-bit Windows is C:\Program Files (x86)\VMware\Infrastructure\Update Manager
     
     
6. Back up the <Update_Manager_installation_folder>\jetty-6.1.6\ directory and the <Update_Manager_installation_folder>\jetty-vum.xml file.
   
7. Copy <Update_Manager_installation_folder>\jetty-6.1.6\webapps\vum-fileupload.war to the C:\Temp\jetty-6.1.22\webapps\ directory.
   Note: This step is not applicable to Update Manager 1.0.x.
   
8. Copy <Update_Manager_installation_folder>\jetty-6.1.6\etc\jetty.xml to the C:\Temp\jetty-6.1.22\etc\ directory and overwrite the file.
   
9. Navigate to C:\Temp\jetty-6.1.22\ and copy all of the files in that directory to the <Update_Manager_installation_folder>\jetty-6.1.6\ directory.
   
10. Download the attached jetty-vum.zip file.
    You can see the jetty-vum.zip file under the Attachments section of this KB article.
    
11. Extract the jetty-vum.xml file into the <Update_Manager_installation_folder> directory.
    
    
12. Start the Update Manager service.
    
    
13. Right-click My Computer and select Manage.
14. In the left pane of the Computer Management window, expand Services and Applications and click Services.
    
15. In the right pane, right-click VMware vCenter Update Manager and select Start.
    
    

• Verify that Jetty is upgraded to version 6.1.22.
  1. In a command prompt, navigate to the <Update_Manager_installation_folder>\jetty-6.1.6\ directory.
     • The default path to the installation folder in 32-bit Windows is C:\Program Files\VMware\Infrastructure\Update Manager
     • The default path to the installation folder in 64-bit Windows is C:\Program Files (x86)\VMware\Infrastructure\Update Manager
  2. Run the following command:
     "<path_to_java_executable>\java.exe" -jar start.jar --version
     
     For example, the full default path to Java 6 in 64-bit Windows is C:\Program Files (x86)\Java\jre6\bin\java.exe. You must specify the full path to java.exe in the command only if the Java executable is not set in your PATH system variable.
     

</dir></dir></dir>