Manually upgrade the Jetty Web server embedded in VMware vCenter Update Manager


Article ID: 342447


Products

VMware vCenter Server

Issue/Introduction

The following VMware vCenter Update Manager versions embed the Jetty Web server version 6.1.6:
  • Update Manager 1.0 Update 2 and later
  • Update Manager 4.0
  • Update Manager 4.0 Update 1
  • Update Manager 4.0 Update 2
  • Update Manager 4.1
Two Jetty security vulnerabilities have been discovered:
The vulnerability identified by CVE-2009-1523 is a directory traversal vulnerability. It allows a remote, unauthenticated attacker to obtain files from the system where Update Manager is installed. The attacker would need to be on the same network as the system where Update Manager is installed.

The vulnerability identified by CVE-2009-1524 is a cross-site scripting vulnerability. It allows JavaScript to run in the browser of a user who clicks a URL containing a malicious request to Update Manager. For the attack to succeed, the attacker would need to lure the user into clicking the malicious URL.

The vulnerabilities are classified as Important, according to the VMware Security Response Policy.

These vulnerabilities are fixed in Jetty version 6.1.17 and onwards. This KB article explains how to fix the vulnerabilities in existing Update Manager installations by manually upgrading to Jetty 6.1.22.

Environment

VMware vCenter Update Manager 4.1.x
VMware vCenter Update Manager 1.0.x
VMware vCenter Update Manager 4.0.x

Resolution

To upgrade the Jetty version embedded in Update Manager:
  1. Log in as an administrator to the machine on which the Update Manager server is installed.
  2. Download Jetty from the following link:
    http://dist.codehaus.org/jetty/jetty-6.1.22/jetty-6.1.22.zip
  3. Extract the contents of the jetty-6.1.22.zip into a temporary directory.
    For example, if your temporary directory is C:\Temp, extracting the .zip file into this directory and then running the dir command in a command prompt shows the following:

    Volume in drive C is <name_of_the_machine>
    Volume Serial Number is XXXX-XXXX
    Directory of C:\Temp
    MM/DD/YYYY  hh:mm AM    <DIR>          .
    MM/DD/YYYY  hh:mm AM    <DIR>          ..
    MM/DD/YYYY  hh:mm AM    <DIR>          jetty-6.1.22
                   0 File(s)              0 bytes

    In this example, <name_of_the_machine> is the name of the computer where you extracted the .zip file, and MM/DD/YYYY hh:mm is the date and time at which you extracted the files from the .zip file.

  4. Stop the Update Manager service:
    1. Right-click My Computer and select Manage.
    2. In the left pane of the Computer Management window, expand Services and Applications and click Services.
    3. In the right pane, right-click VMware vCenter Update Manager and select Stop.
  5. In Windows Explorer, navigate to the Update Manager installation folder.
    • The default path to the installation folder in 32-bit Windows is C:\Program Files\VMware\Infrastructure\Update Manager
    • The default path to the installation folder in 64-bit Windows is C:\Program Files (x86)\VMware\Infrastructure\Update Manager

  6. Back up the <Update_Manager_installation_folder>\jetty-6.1.6\ directory and the <Update_Manager_installation_folder>\jetty-vum.xml file.
  7. Copy <Update_Manager_installation_folder>\jetty-6.1.6\webapps\vum-fileupload.war to the C:\Temp\jetty-6.1.22\webapps\ directory.
    Note: This step is not applicable to Update Manager 1.0.x.
  8. Copy <Update_Manager_installation_folder>\jetty-6.1.6\etc\jetty.xml to the C:\Temp\jetty-6.1.22\etc\ directory and overwrite the file.
  9. Navigate to C:\Temp\jetty-6.1.22\ and copy all of the files in that directory to the <Update_Manager_installation_folder>\jetty-6.1.6\ directory.
  10. Download the attached jetty-vum.zip file.
    You can see the jetty-vum.zip file under the Attachments section of this KB article.
  11. Extract the jetty-vum.xml file into the <Update_Manager_installation_folder> directory.

  12. Start the Update Manager service:
    1. Right-click My Computer and select Manage.
    2. In the left pane of the Computer Management window, expand Services and Applications and click Services.
    3. In the right pane, right-click VMware vCenter Update Manager and select Start.
  13. Verify that Jetty is upgraded to version 6.1.22:
    1. In a command prompt, navigate to the <Update_Manager_installation_folder>\jetty-6.1.6\ directory.
      • The default path to the installation folder in 32-bit Windows is C:\Program Files\VMware\Infrastructure\Update Manager
      • The default path to the installation folder in 64-bit Windows is C:\Program Files (x86)\VMware\Infrastructure\Update Manager
    2. Run the following command:
      "<path_to_java_executable>\java.exe" -jar start.jar --version

      For example, the full default path to Java 6 in 64-bit Windows is C:\Program Files (x86)\Java\jre6\bin\java.exe. You need to specify the full path to java.exe in the command only if the Java executable is not in your PATH system variable.
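The same procedure as a single PowerShell script, added here as an example and not taken from the KB article. It assumes C:\Temp as the temporary directory, the service display name shown in step 4, that the jetty-vum.zip attachment has already been saved to C:\Temp, that java.exe is on PATH, and PowerShell 5 or later (for Expand-Archive); run it from an elevated prompt on the Update Manager server.

```powershell
# Added example (not from the KB article): automates steps 2 to 13 of the procedure above.
# Assumptions: temp directory C:\Temp; the service is found by its display name
# "VMware vCenter Update Manager"; jetty-vum.zip (the KB attachment) is already in
# C:\Temp; java.exe is on PATH; PowerShell 5 or later (Expand-Archive).
$ErrorActionPreference = 'Stop'
$temp     = 'C:\Temp'
$jettyNew = Join-Path $temp 'jetty-6.1.22'
# Default install folder differs between 32-bit and 64-bit Windows (step 5).
$vum = if ([Environment]::Is64BitOperatingSystem) {
    'C:\Program Files (x86)\VMware\Infrastructure\Update Manager'
} else {
    'C:\Program Files\VMware\Infrastructure\Update Manager'
}
$jettyOld = Join-Path $vum 'jetty-6.1.6'
# Steps 2-3: download Jetty 6.1.22 and extract it into the temp directory.
$zip = Join-Path $temp 'jetty-6.1.22.zip'
Invoke-WebRequest 'http://dist.codehaus.org/jetty/jetty-6.1.22/jetty-6.1.22.zip' -OutFile $zip
Expand-Archive -Path $zip -DestinationPath $temp -Force
# Step 4: stop the Update Manager service and wait until it has actually stopped.
$svc = Get-Service -DisplayName 'VMware vCenter Update Manager'
Stop-Service -InputObject $svc
$svc.WaitForStatus('Stopped', [TimeSpan]::FromMinutes(2))
# Step 6: back up the old Jetty directory and jetty-vum.xml before anything is overwritten.
$backup = Join-Path $vum ('backup-jetty-6.1.6-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
Copy-Item -Path $jettyOld -Destination $backup -Recurse
Copy-Item -Path (Join-Path $vum 'jetty-vum.xml') -Destination $backup

# Step 7: keep the Update Manager web application (not present in Update Manager 1.0.x).
$war = Join-Path $jettyOld 'webapps\vum-fileupload.war'
if (Test-Path $war) { Copy-Item -Path $war -Destination (Join-Path $jettyNew 'webapps') }

# Step 8: keep the existing jetty.xml, overwriting the one shipped with 6.1.22.
Copy-Item -Path (Join-Path $jettyOld 'etc\jetty.xml') -Destination (Join-Path $jettyNew 'etc') -Force

# Step 9: copy the new Jetty files over the old installation directory.
Copy-Item -Path "$jettyNew\*" -Destination $jettyOld -Recurse -Force

# Steps 10-11: extract the attached jetty-vum.xml into the installation folder.
Expand-Archive -Path (Join-Path $temp 'jetty-vum.zip') -DestinationPath $vum -Force

# Step 12: start the service again.
Start-Service -InputObject $svc

# Step 13: check the version start.jar reports; fail loudly if it is not 6.1.22.
Push-Location $jettyOld
$version = (& java.exe -jar start.jar --version) -join "`n"
Pop-Location
if ($version -notmatch '6\.1\.22') { throw "Jetty version check failed:`n$version" }
```

If the final check throws, restore the backup directory and jetty-vum.xml copied in step 6 before restarting the service.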

    Attachments

    jetty-vum.zip