VMware has updated vCenter Server Appliance (vCSA), vCenter Server, and ESXi to address multiple security vulnerabilities.
a. vCenter Server Appliance directory traversal
The vCenter Server Appliance (vCSA) contains a directory traversal vulnerability that allows an authenticated remote user to retrieve arbitrary files. Exploitation of this issue may expose sensitive information stored on the server.
VMware would like to thank Alexander Minozhenko from ERPScan for reporting this issue to us.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2012-6324 to this issue.
Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.
b. vCenter Server Appliance arbitrary file download
The vCenter Server Appliance (vCSA) contains an XML parsing vulnerability that allows an authenticated remote user to retrieve arbitrary files. Exploitation of this issue may expose sensitive information stored on the server.
VMware would like to thank Alexander Minozhenko from ERPScan for reporting this issue to us.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2012-6325 to this issue.
Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.
c. Update to ESX glibc package
The ESX glibc package is updated to version glibc-2.5-81.el5_8.1 to resolve multiple security issues.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2009-5029, CVE-2009-5064, CVE-2010-0830, CVE-2011-1089, CVE-2011-4609, CVE-2012-0864, CVE-2012-3404, CVE-2012-3405, CVE-2012-3406 and CVE-2012-3480 to these issues.
Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.
The vCenter Server and vCenter Server Appliance (vCSA) both contain a vulnerability that allows unauthenticated remote users to create abnormally large log entries. Exploitation of this issue may allow an attacker to fill the system volume of the vCenter host or appliance VM and create a denial-of-service condition.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2012-6326 to this issue.
Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.
vCenter Server 5.1.0b
---------------------------
Download link:
https://downloads.vmware.com/d/info/datacenter_cloud_infrastructure/vmware_vsphere/5_1
Release Notes:
https://www.vmware.com/support/vsphere5/doc/vsphere-vcenter-server-510b-release-notes.html
vCenter Server 5.0 Update 2
---------------------
Download link:
https://downloads.vmware.com/d/info/datacenter_cloud_infrastructure/vmware_vsphere/5_0
Release Notes:
https://www.vmware.com/support/vsphere5/doc/vsp_vc50_u2_rel_notes.html
vCenter Server 4.1 Update 3
---------------------------
Download link:
https://downloads.vmware.com/d/info/datacenter_cloud_infrastructure/vmware_vsphere/4_1
Release Notes:
https://www.vmware.com/support/vsphere4/doc/vsp_vc41_u3_rel_notes.html
ESXi and ESX
------------
The download for ESXi includes vCenter Server Appliance.
https://my.vmware.com/web/vmware/downloads
ESXi 5.1
--------
File: update-from-esxi5.1-5.1_update01.zip
md5sum: 28b8026bcfbe3cd1817509759d4b61d6
sha1sum: 9d3124d3c5efa6d0c3b9ba06511243fc6e205542
update-from-esxi5.1-5.1_update01.zip contains ESXi510-201304101-SG
http://kb.vmware.com/kb/2041632
ESXi 5.0
--------
File: update-from-esxi5.0-5.0_update02.zip
md5sum: ab8f7f258932a39f7d3e7877787fd198
sha1sum: b65bacab4e38cf144e223cff4770501b5bd23334
http://kb.vmware.com/kb/2033751
update-from-esxi5.0-5.0_update02.zip contains ESXi500-201212101
------------- vCSA ---------------
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6324
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6325
------------- glibc --------------
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5029
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5064
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0830
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1089
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4609
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0864
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3404
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3405
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3406
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3480
--------- vCenter Server ---------
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6326
2012-12-20 VMSA-2012-0018
Initial security advisory in conjunction with the release of vSphere 5.1.0b and vSphere 5.0 Update 2 on 2012-12-20.
2013-02-21 VMSA-2012-0018.1
Updated security advisory to add section 3d, which documents CVE-2012-6326.
2013-04-25 VMSA-2012-0018.2
Updated security advisory to correct the wrong Replace with / Apply Patch for ESXi 5.1 for issue c). The correct patch is ESXi510-201304101 and is reflected in the table.
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
Sign up for Security Advisories