VMware vCenter Chargeback Manager Information Leak and Denial of Service
VMware Security Advisory
The vCenter Chargeback Manager contains a vulnerability that allows information leakage and denial-of-service.
2. Relevant releases
VMware vCenter Chargeback Manager prior to version 2.0.1
3. Problem Description
The vCenter Chargeback Manager (CBM) contains a flaw in its handling of XML API requests. This vulnerability allows an unauthenticated remote attacker to download files from the CBM server or conduct a denial-of-service against the server. VMware thanks Joshua Keyes for reporting this issue to us.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2012-1472 to this issue.
Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.
VMware Product =============
Product Version =======
Running on =======
Replace with/ Apply Patch =================
Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.
VMware vCenter Chargeback Manager
6. Change log
2012-03-08 VMSA-2012-0002 Initial security advisory in conjunction with the release of CBM 2.0.1 on 2012-03-08.
E-mail list for product security notifications and announcements: http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
- security-announce at lists.vmware.com
- bugtraq at securityfocus.com
- full-disclosure at lists.grok.org.uk
E-mail: security at vmware.com
PGP key at:
VMware Security Advisories
VMware security response policy
General support life cycle policy
VMware Infrastructure support life cycle policy
Copyright 2012 VMware Inc. All rights reserved.