Sign up for Security

Enter your email address:


VMware Security Advisory
Advisory ID: VMSA-2012-0002
Synopsis: VMware vCenter Chargeback Manager Information Leak and Denial of Service
Issue date: 2012-03-08
Updated on: 2012-03-08
CVE numbers: CVE-2012-1472
1. Summary

The vCenter Chargeback Manager contains a vulnerability that allows information leakage and denial-of-service.
2. Relevant releases

VMware vCenter Chargeback Manager prior to version 2.0.1
3. Problem Description

The vCenter Chargeback Manager (CBM) contains a flaw in its handling of XML API requests. This vulnerability allows an unauthenticated remote attacker to download files from the CBM server or conduct a denial-of-service against the server. VMware thanks Joshua Keyes for reporting this issue to us.

The Common Vulnerabilities and Exposures project ( has assigned the name CVE-2012-1472 to this issue.

Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware Product Product Version Running on Replace with/ Apply Patch
============= ======= ======= =================
CBM 1.6.2 any CBM 2.0.1
CBM 2.0.0 any CBM 2.0.1
4. Solution

Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.

VMware vCenter Chargeback Manager

Download link:

Release Notes:

md5sum: 88725667703c45f347e28464bfa8a5c7
sha1sum: 7f47db0100b92e7717c40363a271fef563f96c30
6. Change log

2012-03-08 VMSA-2012-0002 Initial security advisory in conjunction with the release of CBM 2.0.1 on 2012-03-08.
7. Contact

E-mail list for product security notifications and announcements:

This Security Advisory is posted to the following lists:
  • security-announce at
  • bugtraq at
  • full-disclosure at
E-mail: security at
PGP key at:

VMware Security Advisories

VMware security response policy

General support life cycle policy

VMware Infrastructure support life cycle policy

Copyright 2012 VMware Inc. All rights reserved.