BugTraq
VMSA-2012-0018 VMware security updates for vCSA and ESXi Dec 21 2012 06:47AM
VMware Security Response Center (security vmware com)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

VMware Security Advisory

Advisory ID: VMSA-2012-0018
Synopsis: VMware security updates for vCSA and ESXi
Issue date: 2012-12-20
Updated on: 2012-12-20 (initial advisory)
CVE numbers: ------------- vCSA ---------------
CVE-2012-6324, CVE-2012-6325
------------- glibc --------------
CVE-2009-5029, CVE-2009-5064, CVE-2010-0830,
CVE-2011-1089, CVE-2011-4609, CVE-2012-0864,
CVE-2012-3404, CVE-2012-3405, CVE-2012-3406,
CVE-2012-3480

- --------------------------------------------------------------------

1. Summary

VMware has updated vCenter Server Appliance (vCSA) and ESX to
address multiple security vulnerabilities

2. Relevant releases

vCenter Server Appliance 5.1 without Patch 1
vCenter Server Appliance 5.0 without Update 2

VMware ESXi 5.1 without patch ESXi510-201212101
VMware ESXi 5.0 without patch ESXi500-201212101

3. Problem Description

a. vCenter Server Appliance directory traversal

The vCenter Server Appliance (vCSA) contains a directory
traversal vulnerability that allows an authenticated
remote user to retrieve arbitrary files. Exploitation of
this issue may expose sensitive information stored on the
server.

VMware would like to thank Alexander Minozhenko from ERPScan for
reporting this issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2012-6324 to this issue.

Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.

VMware Product Running Replace with/
Product Version on Apply Patch
============== ======== ======= =================
vCSA 5.1 Linux vCSA 5.1 Patch 1
vCSA 5.0 Linux vCSA 5.0 Update 2

b. vCenter Server Appliance arbitrary file download

The vCenter Server Appliance (vCSA) contains an XML parsing
vulnerability that allows an authenticated remote user to
retrieve arbitrary files. Exploitation of this issue may
expose sensitive information stored on the server.

VMware would like to thank Alexander Minozhenko from ERPScan for
reporting this issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2012-6325 to this issue.

Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.

VMware Product Running Replace with/
Product Version on Apply Patch
============== ======== ======= =================
vCSA 5.1 Linux not affected
vCSA 5.0 Linux vCSA 5.0 Update 2

c. Update to ESX glibc package

The ESX glibc package is updated to version glibc-2.5-81.el5_8.1
to resolve multiple security issues.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2009-5029, CVE-2009-5064,
CVE-2010-0830, CVE-2011-1089, CVE-2011-4609, CVE-2012-0864
CVE-2012-3404, CVE-2012-3405, CVE-2012-3406 and CVE-2012-3480
to these issues.

Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.

VMware Product Running Replace with/
Product Version on Apply Patch
============== ======== ======= =================
ESXi 5.1 ESXi ESXi510-201212101
ESXi 5.0 ESXi ESXi500-201212101
ESXi 4.1 ESXi no patch planned
ESXi 4.0 ESXi no patch planned
ESXi 3.5 ESXi not applicable

ESX any ESX not applicable

4. Solution

Please review the patch/release notes for your product and
version and verify the checksum of your downloaded file.

ESXi and ESX
------------
The download for ESXi includes vCenter Server Appliance.

https://downloads.vmware.com/go/selfsupport-download

ESXi 5.1
http://kb.vmware.com/kb/2035775

ESXi 5.0
http://kb.vmware.com/kb/2033751

5. References

------------- vCSA ---------------
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6324
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6325
------------- glibc --------------
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5029
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5064
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0830
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1089
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4609
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0864
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3404
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3405
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3406
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3480

- --------------------------------------------------------------------

6. Change log

2012-12-20 VMSA-2012-0018
Initial security advisory in conjunction with the release of
vSphere 5.1 Patch 1 and vSphere 5.0 Update 2 on 2012-12-20.

- --------------------------------------------------------------------

7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

* security-announce at lists.vmware.com
* bugtraq at securityfocus.com
* full-disclosure at lists.grok.org.uk

E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055

VMware Security Advisories
http://www.vmware.com/security/advisories

VMware security response policy
http://www.vmware.com/support/policies/security_response.html

General support life cycle policy
http://www.vmware.com/support/policies/eos.html

VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html

Copyright 2012 VMware Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 10.2.0 (Build 2599)
Charset: utf-8

wj8DBQFQ01bsDEcm8Vbi9kMRAkXEAJoClYysvoV67RKiZ0uN1YszPcN0LQCg8QMV
OWjpV7Bnt27472i5EOhk9fI=
=jrDP
-----END PGP SIGNATURE-----

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus