what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

VMware Security Advisory 2012-0018

VMware Security Advisory 2012-0018
Posted Dec 22, 2012
Authored by VMware | Site vmware.com

VMware Security Advisory 2012-0018 - VMware has updated vCenter Server Appliance (vCSA) and ESX to address multiple security vulnerabilities

tags | advisory, vulnerability
advisories | CVE-2009-5029, CVE-2009-5064, CVE-2010-0830, CVE-2011-1089, CVE-2011-4609, CVE-2012-0864, CVE-2012-3404, CVE-2012-3405, CVE-2012-3406, CVE-2012-3480, CVE-2012-6324, CVE-2012-6325
SHA-256 | 5958a8d3c043ccefcc3a201b608716a1794533bf0435f23283de8791e9c1fe42

VMware Security Advisory 2012-0018

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

VMware Security Advisory

Advisory ID: VMSA-2012-0018
Synopsis: VMware security updates for vCSA and ESXi
Issue date: 2012-12-20
Updated on: 2012-12-20 (initial advisory)
CVE numbers: ------------- vCSA ---------------
CVE-2012-6324, CVE-2012-6325
------------- glibc --------------
CVE-2009-5029, CVE-2009-5064, CVE-2010-0830,
CVE-2011-1089, CVE-2011-4609, CVE-2012-0864,
CVE-2012-3404, CVE-2012-3405, CVE-2012-3406,
CVE-2012-3480

- --------------------------------------------------------------------

1. Summary

VMware has updated vCenter Server Appliance (vCSA) and ESX to
address multiple security vulnerabilities

2. Relevant releases

vCenter Server Appliance 5.1 without Patch 1
vCenter Server Appliance 5.0 without Update 2

VMware ESXi 5.1 without patch ESXi510-201212101
VMware ESXi 5.0 without patch ESXi500-201212101

3. Problem Description

a. vCenter Server Appliance directory traversal

The vCenter Server Appliance (vCSA) contains a directory
traversal vulnerability that allows an authenticated
remote user to retrieve arbitrary files. Exploitation of
this issue may expose sensitive information stored on the
server.

VMware would like to thank Alexander Minozhenko from ERPScan for
reporting this issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2012-6324 to this issue.

Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.

VMware Product Running Replace with/
Product Version on Apply Patch
============== ======== ======= =================
vCSA 5.1 Linux vCSA 5.1 Patch 1
vCSA 5.0 Linux vCSA 5.0 Update 2

b. vCenter Server Appliance arbitrary file download

The vCenter Server Appliance (vCSA) contains an XML parsing
vulnerability that allows an authenticated remote user to
retrieve arbitrary files. Exploitation of this issue may
expose sensitive information stored on the server.

VMware would like to thank Alexander Minozhenko from ERPScan for
reporting this issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2012-6325 to this issue.

Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.

VMware Product Running Replace with/
Product Version on Apply Patch
============== ======== ======= =================
vCSA 5.1 Linux not affected
vCSA 5.0 Linux vCSA 5.0 Update 2

c. Update to ESX glibc package

The ESX glibc package is updated to version glibc-2.5-81.el5_8.1
to resolve multiple security issues.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2009-5029, CVE-2009-5064,
CVE-2010-0830, CVE-2011-1089, CVE-2011-4609, CVE-2012-0864
CVE-2012-3404, CVE-2012-3405, CVE-2012-3406 and CVE-2012-3480
to these issues.

Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.

VMware Product Running Replace with/
Product Version on Apply Patch
============== ======== ======= =================
ESXi 5.1 ESXi ESXi510-201212101
ESXi 5.0 ESXi ESXi500-201212101
ESXi 4.1 ESXi no patch planned
ESXi 4.0 ESXi no patch planned
ESXi 3.5 ESXi not applicable

ESX any ESX not applicable

4. Solution

Please review the patch/release notes for your product and
version and verify the checksum of your downloaded file.


ESXi and ESX
------------
The download for ESXi includes vCenter Server Appliance.


https://downloads.vmware.com/go/selfsupport-download

ESXi 5.1
http://kb.vmware.com/kb/2035775

ESXi 5.0
http://kb.vmware.com/kb/2033751

5. References

------------- vCSA ---------------
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6324
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6325
------------- glibc --------------
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5029
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5064
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0830
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1089
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4609
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0864
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3404
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3405
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3406
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3480

- --------------------------------------------------------------------

6. Change log

2012-12-20 VMSA-2012-0018
Initial security advisory in conjunction with the release of
vSphere 5.1 Patch 1 and vSphere 5.0 Update 2 on 2012-12-20.

- --------------------------------------------------------------------

7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

* security-announce at lists.vmware.com
* bugtraq at securityfocus.com
* full-disclosure at lists.grok.org.uk

E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055

VMware Security Advisories
http://www.vmware.com/security/advisories

VMware security response policy
http://www.vmware.com/support/policies/security_response.html

General support life cycle policy
http://www.vmware.com/support/policies/eos.html

VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html

Copyright 2012 VMware Inc. All rights reserved.


-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 10.2.0 (Build 2599)
Charset: utf-8

wj8DBQFQ01bsDEcm8Vbi9kMRAkXEAJoClYysvoV67RKiZ0uN1YszPcN0LQCg8QMV
OWjpV7Bnt27472i5EOhk9fI=
=jrDP
-----END PGP SIGNATURE-----


Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    17 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close