Home page logo
/

bugtraq logo Bugtraq mailing list archives

[Full-disclosure] NEW VMSA-2013-0012 VMware vSphere updates address multiple vulnerabilities
From: "\"VMware Security Response Center\"" <security () vmware com>
Date: Thu, 17 Oct 2013 21:32:53 -0700 (PDT)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -----------------------------------------------------------------------
             VMware Security Advisory

Advisory ID: VMSA-2013-0012
Synopsis:    VMware vSphere updates address multiple vulnerabilities
Issue date:  2013-10-17
Updated on:  2013-10-17 (initial advisory)
CVE numbers: CVE-2013-5970, CVE-2013-5971
             --JRE--
             See references
- -----------------------------------------------------------------------

1. Summary
   
   VMware has updated vCenter Server, vCenter Server Appliance (vCSA), 
   vSphere Update Manager (VUM), ESXi and ESX to address multiple 
   security vulnerabilities.
    

2. Relevant releases

   VMware vCenter Server before 5.0 update 3

   VMware Update Manager before 5.0 update 3
   
   VMware ESXi 5.0 without patch ESXi500-201310101-SG
   VMware ESXi 4.1 without patch ESXi410-201307401-SG
   VMware ESXi 4.0 without patch ESXi400-201305401-SG

   VMware ESX 4.1 without patch ESX410-201307401-SG
   VMware ESX 4.0 without patch ESX400-201305401-SG
    
3. Problem Description

   a. VMware ESXi and ESX contain a vulnerability in hostd-vmdb. 

      To exploit this vulnerability, an attacker must intercept and 
      modify the management traffic. Exploitation of the issue may lead
      to a Denial of Service of the hostd-vmdb service.

      To reduce the likelihood of exploitation, vSphere components 
      should be deployed on an isolated management network.
      
      VMware would like to thank Alex Chapman of Context Information 
      Security for reporting this issue to us. 

      The Common Vulnerabilities and Exposures project (cve.mitre.org)
      has assigned the name CVE-2013-5970 to this issue.

      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is
      available.

      VMware            Product Running Replace with/
      Product           Version on      Apply Patch
      =============     ======= ======= =================
      vCenter Server    any     any     not affected
                        
      hosted*           any     any     not affected
      
      ESXi              5.5     ESXi    not affected
      ESXi              5.1     ESXi    not affected
      ESXi              5.0     ESXi    ESXi500-201310101-SG
      ESXi              4.1     ESXi    ESXi410-201307401-SG
      ESXi              4.0     ESXi    ESXi400-201305401-SG
                
      ESX               4.1     ESX     ESX410-201307401-SG
      ESX               4.0     ESX     ESX400-201305401-SG
   
      * hosted products are VMware Workstation, Player, ACE, Fusion.

   b. VMware vSphere Web Client Server Session Fixation Vulnerability
      
      The VMware vSphere Web Client Server contains a vulnerability in
      the handling of session IDs. To exploit this vulnerability, an 
      attacker must know a valid session ID of an authenticated user. 
      Exploitation of the issue may lead to Elevation of Privilege.

      To reduce the likelihood of exploitation, vSphere components 
      should be deployed on an isolated management network.

      VMware would like to thank Alexey Tyurin of DSecRG for reporting
      this issue to us.

      The Common Vulnerabilities and Exposures project (cve.mitre.org) 
      has assigned the name CVE-2013-5971 to this issue.

      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is
      available.

      VMware            Product Running Replace with/
      Product           Version on      Apply Patch
      =============     ======= ======= =================
      vCenter Server    5.5     ESXi    not affected
      vCenter Server    5.1     ESXi    not affected
      vCenter Server    5.0     ESXi    5.0 Update 3 *
      vCenter Server    4.1     ESXi    not affected
      vCenter Server    4.0     ESXi    not affected
   
      * The affected component is the vSphere Web Client Server.

   c. vCenter and Update Manager, Oracle JRE update 1.6.0_51.
      
      Oracle JRE is updated to version 1.6.0_51, which addresses
      multiple security issues that existed in earlier releases of
      Oracle JRE. 

      Oracle has documented the CVE identifiers that are addressed
      in JRE 1.6.0_51 in the Oracle Java SE Critical Patch Update
      Advisory of June 2013. The References section provides a
      link to this advisory.

      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is
      available.

      VMware            Product Running Replace with/
      Product           Version on      Apply Patch
      =============     ======= ======= =================
      vCenter Server    5.5     Any     not applicable ***
      vCenter Server    5.1     Any     patch pending
      vCenter Server    5.0     Any     5.0 Update 3
      vCenter Server    4.1     Windows patch pending
      vCenter Server    4.0     Windows not applicable **

      Update Manager    5.5     Windows not applicable ***
      Update Manager    5.1     Windows patch pending
      Update Manager    5.0     Windows 5.0 Update 3
      Update Manager    4.1     Windows not applicable **
      Update Manager    4.0     Windows not applicable **

      hosted *          any     any     not affected

      ESXi              any     ESXi    not applicable

      ESX               4.1     ESX     patch pending
      ESX               4.0     ESX     not applicable **
   
      * hosted products are VMware Workstation, Player, ACE, Fusion.
      ** this product uses the Oracle JRE 1.5.0 family
      *** this product uses the Oracle JRE 1.7.0 family  
 
4. Solution

      Please review the patch/release notes for your product and 
      version and verify the checksum of your downloaded file. 

      vCenter Server 5.0 Update 3 
      --------
   
      Download link: 
  
     
https://my.vmware.com/web/vmware/info/slug/datacenter_cloud_infrastructure/
vmware_vsphere/5_0

      Release Notes: 
  
     
https://www.vmware.com/support/vsphere5/doc/vsp_vc50_u3_rel_notes.html

      ESXi and ESX
      ------------
      https://www.vmware.com/patchmgr/download.portal 

      ESXi 5.0 
      ------------------ 
      File: update-from-esxi5.0-5.0_update03.zip
      md5sum: 7e6185fa3238a4895613b39e57a2a94b
      sha1sum: aa3929d2c8183aeaecdc238cbbf4d270bd70dd07
      http://kb.vmware.com/kb/2055559
      update-from-esxi5.0-5.0_update03.zip contains ESXi500-201310101-SG 

      ESXi 4.1 
      ------------------ 
      File: ESXi410-201304001.zip
      md5sum: 9ce63bcacb3412fc1c8a6a8c47ac6af6
      sha1sum: 241603ef6b856e573a62fe27da039c8fffe54b1d
      http://kb.vmware.com/kb/2045258
      ESXi410-201304001.zip contains ESXi410-201307401-SG

      ESXi 4.0 
      ------------------ 
      File: ESXi400-201305001.zip
      md5sum: 065d3fa4b0f52dd38c2bd92e5bfc5580
      sha1sum: 1f3cab25a144746372d86071a47e569c439e276a
      http://kb.vmware.com/kb/2044241
      ESXi400-201305001.zip contains ESXi400-201305401-SG

      ESX 4.1 
      -------- 
      File: ESX410-201307001.zip
      md5sum: 60f15f96454b953f7747486a6a261e4f
      sha1sum: 8e494b450f539ed65729205333dc3598d6ba87f8
      http://kb.vmware.com/kb/2053393
      ESX410-201307001.zip contains ESX410-201307401-SG

      ESX 4.0 
      -------
      File: ESX400-201305001.zip
      md5sum: c9ac91d3d803c7b7cb9df401c20b91c0
      sha1sum: 7f5cef274c709248daa56d8c0e6fcc1ba86ae411
      http://kb.vmware.com/kb/2044240
      ESX400-201305001.zip contains ESX400-201305401-SG

5. References

      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5970
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5971

      --------- jre --------- 
      Oracle Java SE Critical Patch Update Advisory of June 2013
     
http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.ht
ml

- -----------------------------------------------------------------------

6. Change log

      2013-10-17 VMSA-2013-0012
      Initial security advisory in conjunction with the release of
      vSphere 5.0 Update 3 patches on 2013-10-17.

- -----------------------------------------------------------------------

7. Contact

      E-mail list for product security notifications and announcements:
      http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

      This Security Advisory is posted to the following lists:

      * security-announce at lists.vmware.com
      * bugtraq at securityfocus.com
      * full-disclosure at lists.grok.org.uk

      E-mail: security at vmware.com
      PGP key at: http://kb.vmware.com/kb/1055

      VMware Security Advisories
      http://www.vmware.com/security/advisories

      VMware security response policy
      http://www.vmware.com/support/policies/security_response.html

      General support life cycle policy
      http://www.vmware.com/support/policies/eos.html

      VMware Infrastructure support life cycle policy
      http://www.vmware.com/support/policies/eos_vi.html

      Copyright 2013 VMware Inc.  All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8

wj8DBQFSYHygDEcm8Vbi9kMRAvqHAJ9vtpqskKEfKrm5J2Cp+tOUBes7fACgoiOE
1SV2EYAELKu4o0cFw1gXGgg=
=ct06
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
  • [Full-disclosure] NEW VMSA-2013-0012 VMware vSphere updates address multiple vulnerabilities \"VMware Security Response Center\" (Dec 02)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault