Home page logo
/

bugtraq logo Bugtraq mailing list archives

VMSA-2012-0005 VMware vCenter Server, Orchestrator, Update Manager, vShield, vSphere Client, ESXi and ESX address several security issues
From: VMware Security Team <security () vmware com>
Date: Fri, 16 Mar 2012 15:43:56 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

-----------------------------------------------------------------------
                 VMware Security Advisory

Advisory ID:      VMSA-2012-0005
Synopsis:         VMware vCenter Server, Orchestrator, Update Manager,
                 vShield, vSphere Client, ESXi and ESX address
                 several security issues
Issue date:       2012-03-15
Updated on:       2012-03-15 (initial advisory)

CVE numbers:      CVE-2012-1508, CVE-2012-1509, CVE-2012-1510,
                 CVE-2012-1512, CVE-2012-1513, CVE-2012-1514,
                 CVE-2011-3190, CVE-2011-3375, CVE-2012-0022,
                 CVE-2010-0405
                 --- JRE ---
                 See references
-----------------------------------------------------------------------
1. Summary

  VMware vCenter Server, Orchestrator, Update Manager, vShield,
  vSphere Client, ESXi and ESX address several security issues

2. Relevant releases

  VMware vCenter Server 5.0

  VMware vSphere Client 5.0
  VMware vSphere Client 4.1 Update 1 and earlier

  VMware vCenter Orchestrator 4.2
  VMware vCenter Orchestrator 4.1 Update 1 and earlier
  VMware vCenter Orchestrator 4.0 Update 3 and earlier

  VMware vShield Manager 4.1 Update 1
  VMware vShield Manager 1.0 Update 1

  VMware Update Manager 5.0

  ESXi 5.0 without patches ESXi500-201203101-SG, ESXi500-201112402-BG
  ESXi 4.1 without patch ESXi410-201110202-UG
  ESXi 4.0 without patch ESXi400-201110402-BG

  ESX 4.1 without patch ESX410-201110201-SG
  ESX 4.0 without patch ESX400-201110401-SG

3. Problem Description

  a. VMware Tools Display Driver Privilege Escalation

     The VMware XPDM and WDDM display drivers contain buffer overflow
     vulnerabilities and the XPDM display driver does not properly
     check for NULL pointers. Exploitation of these issues may lead
     to local privilege escalation on Windows-based Guest Operating
     Systems.

     VMware would like to thank Tarjei Mandt for reporting theses
     issues to us.

     The Common Vulnerabilities and Exposures project (cve.mitre.org)
     has assigned the names CVE-2012-1509 (XPDM buffer overrun),
     CVE-2012-1510 (WDDM buffer overrun) and CVE-2012-1508 (XPDM null
     pointer dereference) to these issues.

     Note: CVE-2012-1509 doesn't affect ESXi and ESX.

     Column 4 of the following table lists the action required to
     remediate the vulnerability in each release, if a solution is
     available.

       VMware         Product   Running  Replace with/
       Product *      Version   on       Apply Patch **
       =============  ========  =======  =================
       vCenter        any       Windows  not affected
Workstation 8.x any not affected Player 4.x any not affected Fusion 4.x Mac OS/X not affected ESXi 5.0 ESXi ESXi500-201112402-BG
       ESXi           4.1       ESXi     ESXi410-201110202-UG
       ESXi           4.0       ESXi     ESXi400-201110402-BG
       ESXi           3.5       ESXi     not affected
ESX 4.1 ESX ESX410-201110201-SG
       ESX            4.0       ESX      ESX400-201110401-SG
       ESX            3.5       ESX      not affected

       * Remediation for VMware View is described in VMSA-2012-0004.

       ** Notes on updating VMware Guest Tools:

       After the update or patch is applied, VMware Guest Tools must
       be updated in any pre-existing Windows-based Guest Operating
       System. The XPDM and WDDM drivers are part of Tools.

       Windows-Based Virtual Machines that have moved to Workstation
       8 or Player 4 from a lower version of Workstation or Player
       are affected unless:

           - They were moved from Workstation 7.1.5 or Player 3.1.5,

                AND

           - The Tools version was updated before the move.

       Windows-Based Virtual Machines that have moved to Fusion 4
       from a lower version of Fusion are affected.

  b. vSphere Client internal browser input validation vulnerability

     The vSphere Client has an internal browser that renders html
     pages from log file entries. This browser doesn't properly
     sanitize input and may run script that is introduced into the
     log files. In order for the script to run, the user would need
     to open an individual, malicious log file entry. The script
     would run with the permissions of the user that runs the vSphere
     Client.

     VMware would like to thank Edward Torkington for reporting this
     issue to us.

     The Common Vulnerabilities and Exposures project (cve.mitre.org)
     has assigned the name CVE-2012-1512 to this issue.

     In order to remediate the issue, the vSphere Client of the
     vSphere 5.0 Update 1 release or the vSphere 4.1 Update 2 release
     needs to be installed. The vSphere Clients that come with
     vSphere 4.0 and vCenter Server 2.5 are not affected.

  c. vCenter Orchestrator Password Disclosure

     The vCenter Orchestrator (vCO) Web Configuration tool reflects
     back the vCenter Server password as part of the webpage. This
     might allow the logged-in vCO administrator to retrieve the
     vCenter Server password.

     VMware would like to thank Alexey Sintsov from Digital Security
     Research Group for reporting this issue to us.

     The Common Vulnerabilities and Exposures project (cve.mitre.org)
     has assigned the name CVE-2012-1513 to this issue.

       VMware         Product  Running    Replace with/
       Product        Version  on         Apply Patch
       =============  =======  =======    =================
       vCO            4.2      Windows    vCO 4.2 Update 1
       vCO            4.1      Windows    vCO 4.1 Update 2
       vCO            4.0      Windows    vCO 4.0 Update 4

  d. vShield Manager Cross-Site Request Forgery vulnerability

     The vShield Manager (vSM) interface has a Cross-Site Request
     Forgery vulnerability. If an attacker can convince an
     authenticated user to visit a malicious link, the attacker may
     force the victim to forward an authenticated request to the
     server.

     VMware would like to thank Frans Pehrson of Xxor AB
     (www.xxor.se) and Claudio Criscione for independently reporting
     this issue to us

     The Common Vulnerabilities and Exposures project (cve.mitre.org)
     has assigned the name CVE-2012-1514 to this issue.

       VMware         Product  Running    Replace with/
       Product        Version  on         Apply Patch
       =============  =======  =======    =================
       vSM            5.0      Linux      not affected
       vSM            4.1      Linux      vSM 4.1.0 Update 2
       vSM            4.0      Linux      vSM 1.0.1 Update 2

  e. vCenter Update Manager, Oracle (Sun) JRE update 1.6.0_30

     Oracle (Sun) JRE is updated to version 1.6.0_30, which addresses
     multiple security issues that existed in earlier releases of
     Oracle (Sun) JRE.

     Oracle has documented the CVE identifiers that are addressed in
     JRE 1.6.0_29 and JRE 1.6.0_30 in the Oracle Java SE Critical
     Patch Update Advisory of October 2011. The References section
     provides a link to this advisory.

     Column 4 of the following table lists the action required to
     remediate the vulnerability in each release, if a solution is
     available.

       VMware         Product  Running     Replace with/
       Product        Version  on          Apply Patch
       =============  =======  =======     =================
       vCenter        5.       Windows     patch pending
       vCenter        4.1      Windows     patch pending
       vCenter        4.0      Windows     not applicable **
       VirtualCenter  2.5      Windows     not applicable **

       Update Manager 5.0      Windows     Update Manager 5.0 Update 1
       Update Manager 4.1      Windows     not applicable **
       Update Manager 4.0      Windows     not applicable **

       hosted *       any      any         not affected

       ESXi           any      ESXi        not applicable

       ESX            4.1      ESX         patch pending
       ESX            4.0      ESX         not applicable **
       ESX            3.5      ESX         not applicable **

       * hosted products are VMware Workstation, Player, ACE, Fusion.

       ** this product uses the Oracle (Sun) JRE 1.5.0 family

  f. vCenter Server Apache Tomcat update 6.0.35

     Apache Tomcat has been updated to version 6.0.35 to address
     multiple security issues.

     The Common Vulnerabilities and Exposures project (cve.mitre.org)
     has assigned the names CVE-2011-3190, CVE-2011-3375, and
     CVE-2012-0022 to these issues.

       VMware         Product  Running     Replace with/
       Product        Version  on          Apply Patch
       =============  =======  =======     =================
       vCenter        5.0      Windows     vCenter 5.0 Update 1
       vCenter        4.1      Windows     patch pending
       vCenter        4.0      Windows     patch pending
       VirtualCenter  2.5      Windows     not applicable **
hosted * any any not affected ESXi any ESXi not applicable ESX 4.1 ESX patch pending
       ESX            4.0      ESX         patch pending
       ESX            3.5      ESX         not applicable **

       * hosted products are VMware Workstation, Player, ACE, Fusion.

       ** this product uses the Apache Tomcat 5.5 family

  g. ESXi update to third party component bzip2

     The bzip2 library is updated to version 1.0.6, which resolves a
     security issue.

     The Common Vulnerabilities and Exposures project (cve.mitre.org)
     has assigned the name CVE-2010-0405 to this issue.

       VMware         Product  Running     Replace with/
       Product        Version  on          Apply Patch
       =============  =======  =======    =================
       vCenter        any      Windows    not affected
hosted * any any not affected ESXi 5.0 ESXi ESXi500-201203101-SG
       ESXi           4.1      ESXi       not affected
       ESXi           4.0      ESXi       not affected
       ESXi           3.5      ESXi       not affected
ESX any ESX not applicable

       * hosted products are VMware Workstation, Player, ACE, Fusion.

4. Solution

  Please review the patch/release notes for your product and version
  and verify the checksum of your downloaded file.

  vCenter Server 5.0 Update 1
  ---------------------------

  The download for vCenter Server includes vSphere Update Manager,
  vSphere Client, and vCenter Orchestrator

  Download link:

http://downloads.vmware.com/d/info/datacenter_cloud_infrastructure/vmware_v
sphere/5_0

  Release Notes:
  vSphere vCenter Server

https://www.vmware.com/support/pubs/vsphere-esxi-vcenter-server-pubs.html
  https://www.vmware.com/support/pubs/vum_pubs.html

  File: VMware-VIMSetup-all-5.0.0-639890.iso
  md5sum:f860ac4b618e2562ebffa2318446fa5b
  sha1sum:62830e3061b983e98944ae6d9d3b2e820cebe270

  File: VMware-VIMSetup-all-5.0.0-639890.zip
  md5sum:a8bdde277aeeffc382ec210acf510479
  sha1sum:0b675a47349fdc09104c62ad84bd302846213fc8

  vCenter Server 4.1 Update 2
  ---------------------------

  The download for vCenter Server includes vSphere Client and
  vCenter Orchestrator.

  Download link:

http://downloads.vmware.com/d/info/datacenter_cloud_infrastructure/vmware_v
sphere/4_1

  Release Notes:

http://downloads.vmware.com/support/pubs/vs_pages/vsp_pubs_esx41_vc41.html

  File: VMware-VIMSetup-all-4.1.0-493063.iso
  md5sum: d132326846a85bfc9ebbc53defeee6e1
  sha1sum: 192c3e5d2a10bbe53c025cc7eedb3133a23e0541

  File: VMware-VIMSetup-all-4.1.0-493063.zip
  md5sum: 7fd7b09e501bd8fde52649b395491222
  sha1sum: 46dd00e7c594ac672a5d7c3c27d15be2f5a5f1f1

  vCenter Server 4.0 Update 4
  ---------------------------

  The download for vCenter Server includes vCenter Orchestrator.

  Download link:

http://downloads.vmware.com/d/info/datacenter_cloud_infrastructure/vmware_v
sphere/4_0

  Release Notes:

http://downloads.vmware.com/support/pubs/vs_pages/vsp_pubs_esx40_vc40.html

  File: VMware-VIMSetup-all-4.0.0-502539.iso
  md5sum: b418ff3d394f91b418271b6b93dfd6bd
  sha1sum: 56c2ec60f8b8a734a8312d9e38d5d70cd20c0927

  File: VMware-VIMSetup-all-4.0.0-502539.zip
  md5sum: 2acfadde1ec0cd6d37063d87246d6942
  sha1sum: ea1f3a3cb178f23fc2cf49bfc1450d10e5f699f8

  vShield Manager 4.1.0 Update 2
  ------------------------------

  Download link:

http://downloads.vmware.com/d/details/vshield_endpoint10u3/ZHB3YnRAKndidHR3
ag==

  Release Notes:

https://www.vmware.com/support/vshield/doc/releasenotes_vshield_410U2.html

  File: VMware-vShield-Manager-upgrade-bundle-4.1.0U2-576124.tar.gz
  md5sum:9a80fc347bc4a19ad0fd4c9fcb4ab475
  sha1sum:f5780c1615da0493d0955a1343876c4111d85203

  vShield Zones 1.0 Update 2
  --------------------------

  The download for VMware vShield Zones contains vShield Manager

  Download link:
  http://downloads.vmware.com/d/details/zones10u2/dHRAYndld2pidHclJQ==

  Release Notes
  https://www.vmware.com/support/vsz/doc/releasenotes_vsz_10U2.html

  File: VMware-vShieldZones-1.0U2-638154.exe
  md5sum:73515f4732c3a1ecc91ef21a504ca6d9
  sha1sum:ed4d858e1c05f54679ba99b739270c054efaf63e

  ESXi and ESX
  ------------

  Download link:
  http://downloads.vmware.com/go/selfsupport-download

  ESXi 5.0
  --------
  File: update-from-esxi5.0-5.0_update01
  md5sum: 55c25bd990e2881462bc5b66fb5f6c39
  sha1sum: ecd871bb09b649c6c8c13de82d579d4b7dcadc88
  http://kb.vmware.com/kb/2011432
  update-from-esxi5.0-5.0_update01 contains ESXi500-201203101-SG

  File: ESXi500-201112001
  md5sum: 107ec1cf6ee1d5d5cb8ea5c05b05cc10
  sha1sum: aff63c8a170508c8c0f21a60d1ea75ef1922096d
  http://kb.vmware.com/kb/2007672
  ESXi500-201112001 contains ESXi500-201112402-BG

  Note: subsequent ESXi releases are cumulative and
        ESXi500-201203101-SG includes the security fixes that are
        present in ESXi500-201112402-BG

  ESXi 4.1
  --------
  File: update-from-esxi4.1-4.1_update02
  md5sum: 57e34b500ce543d778f230da1d44e412
  sha1sum: 52f4378e2f1a29c908493182ccbde91d58b4112f
  http://kb.vmware.com/kb/2002341
  update-from-esxi4.1-4.1_update02 contains ESXi410-201110202-UG

  ESXi 4.0
  --------
  File: ESXi400-201110001
  md5sum: fd47b5e2b7ea1db79a2e0793d4c9d9d3
  sha1sum: 759d4fa6da6eb49f41def68e3bd66e80c9a7032b
  http://kb.vmware.com/kb/1039199
  ESXi400-201110001 contains ESXi400-201110402-BG

  ESX 4.1
  -------
  File: update-from-esx4.1-4.1_update02
  md5sum: 96189a6de3797e28b153f89e01d5a15b
  sha1sum: b1823d39d0e4536a421fb933f02380bae7ee7a5d
  http://kb.vmware.com/kb/2002303
  update-from-esx4.1-4.1_update02 contains ESX410-201110201-SG

  ESX 4.0
  -------
  File: ESX400-201110001
  md5sum: 0ce9cc285ea5c27142c9fdf273443d78
  sha1sum: fdb5482b2bf1e9c97f2814255676e3de74512399
  http://kb.vmware.com/kb/1036392
  ESX400-201110001 contains ESX400-201110401-SG

5. References

  Oracle Java SE Critical Patch Update Advisory of October 2011

http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.htm
l

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1508
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1509
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1510
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1512
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1513
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1514
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3190
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3375
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0022
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0405

-----------------------------------------------------------------------

6. Change log

  2012-03-15 VMSA-2012-0005
Initial security advisory in conjunction with the release of
  vSphere 5.0 Update 1, Orchestrator 4.2 Update 1, Update Manager 5.0
  Update 1, vShield 1.0 Update 2, and ESXi and ESX 5.0 patches on
  2012-03-15.

-----------------------------------------------------------------------

7. Contact

  E-mail list for product security notifications and announcements:
  http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists: * security-announce at lists.vmware.com
   * bugtraq at securityfocus.com
   * full-disclosure at lists.grok.org.uk
E-mail: security at vmware.com
  PGP key at: http://kb.vmware.com/kb/1055
VMware Security Advisories
  http://www.vmware.com/security/advisories
VMware security response policy
  http://www.vmware.com/support/policies/security_response.html
General support life cycle policy
  http://www.vmware.com/support/policies/eos.html
VMware Infrastructure support life cycle policy
  http://www.vmware.com/support/policies/eos_vi.html
Copyright 2012 VMware Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8

wj8DBQFPY8IgDEcm8Vbi9kMRArL4AJ9S8Fmumd26d3UyRUjpwue4WBIIAwCfX5lO
CZfePTwZlp9o+Bcf2/30Bjg=
=g0FE
-----END PGP SIGNATURE-----


  By Date           By Thread  

Current thread:
  • VMSA-2012-0005 VMware vCenter Server, Orchestrator, Update Manager, vShield, vSphere Client, ESXi and ESX address several security issues VMware Security Team (Mar 19)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault