Sign up for Security
Advisories

Enter your email address:


VMSA-2012-0018.2

VMware Security Advisory
Advisory ID: VMSA-2012-0018.2
Synopsis: VMware security updates for vCSA, vCenter Server, and ESXi
Issue date: 2012-12-20
Updated on: 2013-04-25
CVE numbers: ------------- vCSA ---------------
CVE-2012-6324, CVE-2012-6325
------------- glibc --------------
CVE-2009-5029, CVE-2009-5064, CVE-2010-0830,
CVE-2011-1089, CVE-2011-4609, CVE-2012-0864,
CVE-2012-3404, CVE-2012-3405, CVE-2012-3406,
CVE-2012-3480
--------- vCenter Server ---------
CVE-2012-6326
1. Summary

VMware has updated vCenter Server Appliance (vCSA), vCenter Server, and ESXi to address multiple security vulnerabilities.
2. Relevant releases
  • vCenter Server Appliance 5.1 prior to 5.1.0b
  • vCenter Server Appliance 5.0 prior to 5.0 Update 2
  • vCenter Server 5.0 prior to 5.0 Update 2
  • vCenter Server 4.1 prior to 4.1 Update 3
  • VMware ESXi 5.1 without patch ESXi510-201304101
  • VMware ESXi 5.0 without patch ESXi500-201212101
3. Problem Description
a. vCenter Server Appliance directory traversal

The vCenter Server Appliance (vCSA) contains a directory traversal vulnerability that allows an authenticated remote user to retrieve arbitrary files.  Exploitation of this issue may expose sensitive information stored on the server.

VMware would like to thank Alexander Minozhenko from ERPScan for reporting this issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2012-6324 to this issue.

Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware Product Running Replace with/
Product
Version on Apply Patch
============= ======= ======= =================
vCSA 5.1 Linux 5.1.0b
vCSA 5.0 Linux 5.0 Update 2
b. vCenter Server Appliance arbitrary file download

The vCenter Server Appliance (vCSA) contains an XML parsing vulnerability that allows an authenticated remote user to retrieve arbitrary files.  Exploitation of this issue may expose sensitive information stored on the server.

VMware would like to thank Alexander Minozhenko from ERPScan for reporting this issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2012-6325 to this issue.

Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware Product Running Replace with/
Product
Version on Apply Patch
============= ======= ======= =================
vCSA 5.1 Linux not affected
vCSA 5.0 Linux vCSA 5.0 Update 2

c. Update to ESX glibc package

The ESX glibc package is updated to version glibc-2.5-81.el5_8.1 to resolve multiple security issues.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2009-5029, CVE-2009-5064, CVE-2010-0830, CVE-2011-1089, CVE-2011-4609, CVE-2012-0864, CVE-2012-3404, CVE-2012-3405, CVE-2012-3406 and CVE-2012-3480 to these issues.

Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware Product Running Replace with/
Product
Version on Apply Patch
============= ======= ======= =================
ESXi 5.1 ESXi ESXi510-201304101
ESXi 5.0 ESXi ESXi500-201212101
ESXi 4.1 ESXi no patch planned
ESXi 4.0 ESXi no patch planned
ESXi 3.5 ESXi not applicable
       
ESX any ESX not applicable

d. vCenter Server and vCSA webservice logging denial of service


The vCenter Server and vCenter Server Appliance (vCSA) both contain a vulnerability that allows unauthenticated remote users to create abnormally large log entries.  Exploitation of this issue may allow an attacker to fill the system volume of the vCenter host or appliance VM and create a denial-of-service condition.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2012-6326 to this issue.

Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware Product Running Replace with/
Product Version on Apply Patch
============== ======== ======= =================
vCenter Server 5.1 Windows not affected
vCenter Server 5.0 Windows 5.0 Update 2
vCenter Server 4.1 Windows 4.1 Update 3
vCenter Server 4.0 Windows not affected
VirtualCenter 2.5 Windows not affected
       
vCSA 5.1 Linux not affected
vCSA 5.0 Linux 5.0 Update 2
       
ESX/ESXi any any not affected
4. Solution

vCenter Server 5.1.0b
---------------------------
Download link:
https://downloads.vmware.com/d/info/datacenter_cloud_infrastructure/vmware_vsphere/5_1

Release Notes:
https://www.vmware.com/support/vsphere5/doc/vsphere-vcenter-server-510b-release-notes.html

vCenter Server 5.0 Update 2
---------------------
Download link:
https://downloads.vmware.com/d/info/datacenter_cloud_infrastructure/vmware_vsphere/5_0

Release Notes:
https://www.vmware.com/support/vsphere5/doc/vsp_vc50_u2_rel_notes.html

vCenter Server 4.1 Update 3
---------------------------
Download link:
https://downloads.vmware.com/d/info/datacenter_cloud_infrastructure/vmware_vsphere/4_1

Release Notes:
https://www.vmware.com/support/vsphere4/doc/vsp_vc41_u3_rel_notes.html

ESXi and ESX
------------
The download for ESXi includes vCenter Server Appliance.

https://my.vmware.com/web/vmware/downloads

ESXi 5.1
--------
File: update-from-esxi5.1-5.1_update01.zip
md5sum: 28b8026bcfbe3cd1817509759d4b61d6
sha1sum: 9d3124d3c5efa6d0c3b9ba06511243fc6e205542
update-from-esxi5.1-5.1_update01.zip contains ESXi510-201304101-SG
http://kb.vmware.com/kb/2041632


ESXi 5.0
--------
File: update-from-esxi5.0-5.0_update02.zip
md5sum: ab8f7f258932a39f7d3e7877787fd198
sha1sum: b65bacab4e38cf144e223cff4770501b5bd23334
http://kb.vmware.com/kb/2033751
update-from-esxi5.0-5.0_update02.zip contains ESXi500-201212101
5. References
6. Change log


2012-12-20 VMSA-2012-0018
Initial security advisory in conjunction with the release of vSphere 5.1.0b and vSphere 5.0 Update 2 on 2012-12-20.

2013-02-21 VMSA-2012-0018.1
Updated security advisory to add section 3d, which documents CVE-2012-6326.

2013-04-25 VMSA-2012-0018.2
Updated security advisory to correct the wrong Replace with /  Apply Patch for ESXi 5.1 for issue c). The correct patch is ESXi510-201304101 and is reflected in the table.

7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

  • security-announce at lists.vmware.com
  • bugtraq at securityfocus.com
  • full-disclosure at lists.grok.org.uk

E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055

VMware Security Advisories
http://www.vmware.com/security/advisories

VMware security response policy
http://www.vmware.com/support/policies/security_response.html

General support life cycle policy
http://www.vmware.com/support/policies/eos.html

VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html

Copyright 2013 VMware Inc. All rights reserved.