Well if i check the plug-in manager it shows vCenter SiteRecovery Manager Extention Version 4.1.0.

Wouldnt the installer detect everything that needs updating and go ahead and perform the proper updates?

How can I correct this vulnerability with directory traversal to please the auditors?  Can I make configuration changes so I can get rid of this vulnerability without having to get update 2 on there?

Sorry, but I don't know a solution to correct vulnerability without Update 2, but maybe the VMware support do.

The point is, if you want to upgrade to Update 2, you should upgrade SRM first and always check the compatibility matrix before upgrade because installers wont detect every components/products.

VMware vCenter Server 4.1 Update 2  Release Notes:

"Before You Begin

ESX, vCenter Server, and vSphere Client Version Compatibility

The VMware Product Interoperability  Matrix provide details on the compatibility of current and earlier versions of  VMware vSphere components, including ESX, vCenter Server, the vSphere  Client, and optional VMware products. In addition, check the vSphere   Compatibility Matrixes for information about supported management and  backup agents before installing ESX or vCenter Server."

Thanks.  I opened a support ticket with VMWare for them to help me get this resolved.  I don't see any link to download a new version of SRM.  Sounds like mitigating this vulnerability is opening a whole can of worms that I'd rather have VMWare take care of than potentially screw up a production and a dr site.

Thanks for the link!

Problem is all it does is sit there at most of the way through the progress bar "initializing".

It's been sitting like this for over an hour.

VMware Site Recovery Manager on Windows Server 2008 64-bit R2  installation becomes unresponsive on: Please wait while setup is  initializing

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=102844...

Resolution

1. Kill the msiexec process in Task Manager.
2. Right-click the installer file and choose Run as Administrator.
3. Re-initiate the installation.

You are amazing.  Worked perfectly.

Also upgraded update manager which I think is what causes the vulnerability mentioned anyway.

I tried to access the win.ini file via the vulnerability using directory traversal and got this:

HTTP ERROR: 404

Problem accessing /WINDOWS/win.ini. Reason:

    NOT_FOUND

I think maybe the vulnerability is closed.

I don't have Update 2 installed though.... just the SRM update and Update Manager.  My vSphere plugins have been updated as well as a result.  both SRM sites are talking to eachother fine.

Still not sure how to get U2 for vSphere itself, but I do have a case open.

Thanks for all your help!

You're welcome.