Back to search

VMSA-2010-0005: WebAccess Context Data Cross-site Scripting Vulnerability (CVE-2009-3875)

Severity CVSS Published Added Modified
5 (AV:N/AC:L/Au:N/C:N/I:P/A:N) November 05, 2009 February 16, 2011 August 30, 2012

Available Exploits 

Description

The MessageDigest.isEqual function in Java Runtime Environment (JRE) in Sun Java SE in JDK and JRE 5.0 before Update 22, JDK and JRE 6 before Update 17, SDK and JRE 1.3.x before 1.3.1_27, and SDK and JRE 1.4.x before 1.4.2_24 allows remote attackers to spoof HMAC-based digital signatures, and possibly bypass authentication, via unspecified vectors related to "timing attack vulnerabilities," aka Bug Id 6863503.

Free Nexpose Download

Discover, prioritize, and remediate security risks today!

 Download now

References

Solution

VMware VMware ESX Server >= 3.5 and < 4.0

Apply ESX350-201003403-SG.

See the vCenter Update Manager Administration Guide for instructions on using Update Manager to download and install patches to automatically update ESX 3.5 hosts.

To update ESX 3.5 hosts without using Update Manager, download the most recent patch bundle from http://www.vmware.com/download/vi/vi3_patches_35.html and install the bundle using esxupdate from the command line of the host. For more information, see the ESX Server 3 Patch Management Guide.

Related Vulnerabilities