VMSA-2012-0002

VMware vCenter Chargeback Manager Information Leak and Denial of Service

VMware Security Advisory
 
VMware Security Advisory Advisory ID:
VMSA-2012-0002
VMware Security Advisory Synopsis:
VMware vCenter Chargeback Manager Information Leak and Denial of Service
VMware Security Advisory Issue date:
2012-03-08
VMware Security Advisory Updated on:
2012-03-08
VMware Security Advisory CVE numbers:
CVE-2012-1472
1. Summary


The vCenter Chargeback Manager contains a vulnerability that allows information leakage and denial-of-service.

 
2. Relevant releases


VMware vCenter Chargeback Manager prior to version 2.0.1

 

3. Problem Description


The vCenter Chargeback Manager (CBM) contains a flaw in its handling of XML API requests. This vulnerability allows an unauthenticated remote attacker to download files from the CBM server or conduct a denial-of-service against the server. VMware thanks Joshua Keyes for reporting this issue to us.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2012-1472 to this issue.
Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware Product =============
Product Version =======
Running on =======
Replace with/ Apply Patch =================
VMware Product ============= CBM
Product Version ======= 1.6.2
Running on ======= any
Replace with/ Apply Patch ================= CBM 2.0.1
VMware Product ============= CBM
Product Version ======= 2.0.0
Running on ======= any
Replace with/ Apply Patch ================= CBM 2.0.1
4. Solution


Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.

VMware vCenter Chargeback Manager
---------------------------

Download link:
http://downloads.vmware.com/d/info/it_business_management/vmware_vcenter_chargeback/2_0

Release Notes:
https://www.vmware.com/support/vcbm/doc/vcbm_2_0_1_release_notes.html

File: vCenter-CB-2.0.1-643764.zip
md5sum: 88725667703c45f347e28464bfa8a5c7
sha1sum: 7f47db0100b92e7717c40363a271fef563f96c30

 
5. References


CVE numbers
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1472

 

6. Change log


2012-03-08 VMSA-2012-0002 Initial security advisory in conjunction with the release of CBM 2.0.1 on 2012-03-08.

 
7. Contact


E-mail list for product security notifications and announcements: http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

  • security-announce at lists.vmware.com
  • bugtraq at securityfocus.com
  • full-disclosure at lists.grok.org.uk

E-mail: security at vmware.com
PGP key at:
http://kb.vmware.com/kb/1055

VMware Security Advisories
http://www.vmware.com/security/advisories

VMware security response policy
http://www.vmware.com/support/policies/security_response.html

General support life cycle policy
http://www.vmware.com/support/policies/eos.html

VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html


Copyright 2012 VMware Inc. All rights reserved.