VMSA-2012-0018.2

VMware security updates for vCSA, vCenter Server, and ESXi

VMware Security Advisory

Advisory ID:  VMSA-2012-0018.2
Synopsis:     VMware security updates for vCSA, vCenter Server, and ESXi
Issue date:   2012-12-20
Updated on:   2013-04-25
CVE numbers:
  ------------- vCSA ---------------
  CVE-2012-6324, CVE-2012-6325
  ------------- glibc --------------
  CVE-2009-5029, CVE-2009-5064, CVE-2010-0830,
  CVE-2011-1089, CVE-2011-4609, CVE-2012-0864,
  CVE-2012-3404, CVE-2012-3405, CVE-2012-3406,
  CVE-2012-3480
  --------- vCenter Server ---------
  CVE-2012-6326

1. Summary

VMware has updated vCenter Server Appliance (vCSA), vCenter Server, and ESXi to address multiple security vulnerabilities.

2. Relevant releases

  • vCenter Server Appliance 5.1 prior to 5.1.0b
  • vCenter Server Appliance 5.0 prior to 5.0 Update 2
  • vCenter Server 5.0 prior to 5.0 Update 2
  • vCenter Server 4.1 prior to 4.1 Update 3
  • VMware ESXi 5.1 without patch ESXi510-201304101
  • VMware ESXi 5.0 without patch ESXi500-201212101

3. Problem Description

a. vCenter Server Appliance directory traversal

The vCenter Server Appliance (vCSA) contains a directory traversal vulnerability that allows an authenticated remote user to retrieve arbitrary files.  Exploitation of this issue may expose sensitive information stored on the server.

VMware would like to thank Alexander Minozhenko from ERPScan for reporting this issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2012-6324 to this issue.

Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware         Product   Running   Replace with/
Product        Version   on        Apply Patch
=============  ========  ========  =================
vCSA           5.1       Linux     5.1.0b
vCSA           5.0       Linux     5.0 Update 2

b. vCenter Server Appliance arbitrary file download

The vCenter Server Appliance (vCSA) contains an XML parsing vulnerability that allows an authenticated remote user to retrieve arbitrary files. Exploitation of this issue may expose sensitive information stored on the server.

VMware would like to thank Alexander Minozhenko from ERPScan for reporting this issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2012-6325 to this issue.

Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware         Product   Running   Replace with/
Product        Version   on        Apply Patch
=============  ========  ========  =================
vCSA           5.1       Linux     not affected
vCSA           5.0       Linux     vCSA 5.0 Update 2

c. Update to ESX glibc package

The ESX glibc package is updated to version glibc-2.5-81.el5_8.1 to resolve multiple security issues.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2009-5029, CVE-2009-5064, CVE-2010-0830, CVE-2011-1089, CVE-2011-4609, CVE-2012-0864, CVE-2012-3404, CVE-2012-3405, CVE-2012-3406 and CVE-2012-3480 to these issues.

Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware         Product   Running   Replace with/
Product        Version   on        Apply Patch
=============  ========  ========  =================
ESXi           5.1       ESXi      ESXi510-201304101
ESXi           5.0       ESXi      ESXi500-201212101
ESXi           4.1       ESXi      no patch planned
ESXi           4.0       ESXi      no patch planned
ESXi           3.5       ESXi      not applicable
ESX            any       ESX       not applicable

d. vCenter Server and vCSA webservice logging denial of service

The vCenter Server and vCenter Server Appliance (vCSA) both contain a vulnerability that allows unauthenticated remote users to create abnormally large log entries. Exploitation of this issue may allow an attacker to fill the system volume of the vCenter host or appliance VM and create a denial-of-service condition.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2012-6326 to this issue.

Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware         Product   Running   Replace with/
Product        Version   on        Apply Patch
=============  ========  ========  =================
vCenter Server 5.1       Windows   not affected
vCenter Server 5.0       Windows   5.0 Update 2
vCenter Server 4.1       Windows   4.1 Update 3
vCenter Server 4.0       Windows   not affected
VirtualCenter  2.5       Windows   not affected
vCSA           5.1       Linux     not affected
vCSA           5.0       Linux     5.0 Update 2
ESX/ESXi       any       any       not affected

4. Solution

vCenter Server 5.1.0b
---------------------------
Download link:
https://downloads.vmware.com/d/info/datacenter_cloud_infrastructure/vmware_vsphere/5_1

Release Notes:
https://www.vmware.com/support/vsphere5/doc/vsphere-vcenter-server-510b-release-notes.html

vCenter Server 5.0 Update 2
---------------------------
Download link:
https://downloads.vmware.com/d/info/datacenter_cloud_infrastructure/vmware_vsphere/5_0

Release Notes:
https://www.vmware.com/support/vsphere5/doc/vsp_vc50_u2_rel_notes.html

vCenter Server 4.1 Update 3
---------------------------
Download link:
https://downloads.vmware.com/d/info/datacenter_cloud_infrastructure/vmware_vsphere/4_1

Release Notes:
https://www.vmware.com/support/vsphere4/doc/vsp_vc41_u3_rel_notes.html

ESXi and ESX
------------
The download for ESXi includes vCenter Server Appliance.

https://my.vmware.com/web/vmware/downloads

ESXi 5.1
--------
File: update-from-esxi5.1-5.1_update01.zip
md5sum: 28b8026bcfbe3cd1817509759d4b61d6
sha1sum: 9d3124d3c5efa6d0c3b9ba06511243fc6e205542
update-from-esxi5.1-5.1_update01.zip contains ESXi510-201304101-SG
http://kb.vmware.com/kb/2041632


ESXi 5.0
--------
File: update-from-esxi5.0-5.0_update02.zip
md5sum: ab8f7f258932a39f7d3e7877787fd198
sha1sum: b65bacab4e38cf144e223cff4770501b5bd23334
update-from-esxi5.0-5.0_update02.zip contains ESXi500-201212101
http://kb.vmware.com/kb/2033751
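Before staging either ESXi bundle, the digests published above should be checked against the downloaded file. The following shell functions are an added example and not VMware tooling; they assume GNU coreutils md5sum and sha1sum are available, and the checksum table is copied verbatim from section 4 of this advisory.

```shell
#!/bin/sh
# Bundles named in section 4 of VMSA-2012-0018.2: filename md5 sha1
VMSA_2012_0018_BUNDLES='
update-from-esxi5.1-5.1_update01.zip 28b8026bcfbe3cd1817509759d4b61d6 9d3124d3c5efa6d0c3b9ba06511243fc6e205542
update-from-esxi5.0-5.0_update02.zip ab8f7f258932a39f7d3e7877787fd198 b65bacab4e38cf144e223cff4770501b5bd23334
'

# verify_bundle PATH EXPECTED_MD5 EXPECTED_SHA1
# Returns 0 only when both digests match (a single matching digest is
# not enough: md5 alone is not collision resistant), 1 on any mismatch,
# 2 when the file is missing. Mismatches are reported on stderr.
verify_bundle() {
    path=$1; want_md5=$2; want_sha1=$3
    [ -f "$path" ] || { echo "missing: $path" >&2; return 2; }
    got_md5=$(md5sum "$path" | cut -d' ' -f1)
    got_sha1=$(sha1sum "$path" | cut -d' ' -f1)
    rc=0
    [ "$got_md5" = "$want_md5" ]   || { echo "md5 mismatch for $path" >&2;  rc=1; }
    [ "$got_sha1" = "$want_sha1" ] || { echo "sha1 mismatch for $path" >&2; rc=1; }
    return $rc
}

# verify_advisory_bundle PATH
# Looks the file's basename up in the advisory table above and verifies
# it; returns 3 when the name is not one of the advisory's bundles.
verify_advisory_bundle() {
    name=$(basename "$1")
    line=$(printf '%s\n' "$VMSA_2012_0018_BUNDLES" | awk -v n="$name" '$1 == n')
    [ -n "$line" ] || { echo "not an advisory bundle: $name" >&2; return 3; }
    set -- "$1" $line          # $1=path $2=name $3=md5 $4=sha1
    verify_bundle "$1" "$3" "$4"
}

# Usage: verify_advisory_bundle /path/to/update-from-esxi5.1-5.1_update01.zip
```

A non-zero exit stops an install step when chained with `&&`, so the bundle is never staged on a digest mismatch.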

6. Change log

2012-12-20 VMSA-2012-0018
Initial security advisory in conjunction with the release of vSphere 5.1.0b and vSphere 5.0 Update 2 on 2012-12-20.

2013-02-21 VMSA-2012-0018.1
Updated security advisory to add section 3d, which documents CVE-2012-6326.

2013-04-25 VMSA-2012-0018.2
Updated security advisory to correct the wrong Replace with/ Apply Patch entry for ESXi 5.1 for issue c). The correct patch is ESXi510-201304101 and is reflected in the table.

7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

  • security-announce at lists.vmware.com
  • bugtraq at securityfocus.com
  • full-disclosure at lists.grok.org.uk

E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055

VMware Security Advisories
http://www.vmware.com/security/advisories

VMware security response policy
http://www.vmware.com/support/policies/security_response.html

General support life cycle policy
http://www.vmware.com/support/policies/eos.html

VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html

Copyright 2013 VMware Inc. All rights reserved.