-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.0010.3
                 VMware security updates for vCSA and ESXi
                                30 April 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           VMware vCenter
                   VMware ESXi
Publisher:         VMWare
Operating System:  VMWare ESX Server
                   Network Appliance
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Unauthorised Access             -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-6325 CVE-2012-6324 CVE-2012-3480 CVE-2012-3406
                   CVE-2012-3405 CVE-2012-3404 CVE-2012-0864 CVE-2011-4609
                   CVE-2011-1089 CVE-2010-0830 CVE-2009-5064 CVE-2009-5029

Reference:         ESB-2012.0833
                   ESB-2012.0415.3

Original Bulletin:
   http://www.vmware.com/security/advisories/VMSA-2012-0018.html

Revision History:  April 30 2013:    Updated security advisory to correct the
                                     wrong Replace with / Apply Patch for
                                     ESXi 5.1 for issue c). The correct patch
                                     is ESXi510-201304101 and is reflected in
                                     the table.
                   February 25 2013: Updated security advisory to add section
                                     3d, which documents CVE-2012-6326
                   January 2 2013:   Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                   VMware Security Advisory

Advisory ID: VMSA-2012-0018.2
Synopsis:    VMware security updates for vCSA and ESXi
Issue date:  2012-12-20
Updated on:  2012-04-25
CVE numbers: ------------- vCSA ---------------
             CVE-2012-6324, CVE-2012-6325
             ------------- glibc --------------
             CVE-2009-5029, CVE-2009-5064, CVE-2010-0830, CVE-2011-1089,
             CVE-2011-4609, CVE-2012-0864, CVE-2012-3404, CVE-2012-3405,
             CVE-2012-3406, CVE-2012-3480
             --------- vCenter Server ---------
             CVE-2012-6326
- - --------------------------------------------------------------------

1. Summary

   VMware has updated vCenter Server Appliance (vCSA) and ESX to address
   multiple security vulnerabilities.

2. Relevant releases

   vCenter Server Appliance 5.1 prior to 5.1.0b
   vCenter Server Appliance 5.0 prior to 5.0 Update 2

   vCenter Server 5.0 prior to 5.0 Update 2
   vCenter Server 4.1 prior to 4.1 Update 3

   VMware ESXi 5.1 without patch ESXi510-201304101
   VMware ESXi 5.0 without patch ESXi500-201212101

3. Problem Description

 a. vCenter Server Appliance directory traversal

    The vCenter Server Appliance (vCSA) contains a directory traversal
    vulnerability that allows an authenticated remote user to retrieve
    arbitrary files. Exploitation of this issue may expose sensitive
    information stored on the server.

    VMware would like to thank Alexander Minozhenko from ERPScan for
    reporting this issue to us.

    The Common Vulnerabilities and Exposures project (cve.mitre.org) has
    assigned the name CVE-2012-6324 to this issue.

    Column 4 of the following table lists the action required to
    remediate the vulnerability in each release, if a solution is
    available.

    VMware          Product   Running   Replace with/
    Product         Version   on        Apply Patch
    ==============  ========  =======   =================
    vCSA            5.1       Linux     5.1.0b
    vCSA            5.0       Linux     5.0 Update 2

 b. vCenter Server Appliance arbitrary file download

    The vCenter Server Appliance (vCSA) contains an XML parsing
    vulnerability that allows an authenticated remote user to retrieve
    arbitrary files. Exploitation of this issue may expose sensitive
    information stored on the server.

    VMware would like to thank Alexander Minozhenko from ERPScan for
    reporting this issue to us.

    The Common Vulnerabilities and Exposures project (cve.mitre.org) has
    assigned the name CVE-2012-6325 to this issue.

    Column 4 of the following table lists the action required to
    remediate the vulnerability in each release, if a solution is
    available.
    VMware          Product   Running   Replace with/
    Product         Version   on        Apply Patch
    ==============  ========  =======   =================
    vCSA            5.1       Linux     not affected
    vCSA            5.0       Linux     vCSA 5.0 Update 2

 c. Update to ESX glibc package

    The ESX glibc package is updated to version glibc-2.5-81.el5_8.1 to
    resolve multiple security issues.

    The Common Vulnerabilities and Exposures project (cve.mitre.org) has
    assigned the names CVE-2009-5029, CVE-2009-5064, CVE-2010-0830,
    CVE-2011-1089, CVE-2011-4609, CVE-2012-0864, CVE-2012-3404,
    CVE-2012-3405, CVE-2012-3406 and CVE-2012-3480 to these issues.

    Column 4 of the following table lists the action required to
    remediate the vulnerability in each release, if a solution is
    available.

    VMware          Product   Running   Replace with/
    Product         Version   on        Apply Patch
    ==============  ========  =======   =================
    ESXi            5.1       ESXi      ESXi510-201304101
    ESXi            5.0       ESXi      ESXi500-201212101
    ESXi            4.1       ESXi      no patch planned
    ESXi            4.0       ESXi      no patch planned
    ESXi            3.5       ESXi      not applicable
    ESX             any       ESX       not applicable

 d. vCenter Server and vCSA webservice logging denial of service

    The vCenter Server and vCenter Server Appliance (vCSA) both contain a
    vulnerability that allows unauthenticated remote users to create
    abnormally large log entries. Exploitation of this issue may allow an
    attacker to fill the system volume of the vCenter host or appliance
    VM and create a denial-of-service condition.

    The Common Vulnerabilities and Exposures project (cve.mitre.org) has
    assigned the name CVE-2012-6326 to this issue.

    Column 4 of the following table lists the action required to
    remediate the vulnerability in each release, if a solution is
    available.
    VMware          Product   Running   Replace with/
    Product         Version   on        Apply Patch
    ==============  ========  =======   =================
    vCenter Server  5.1       Windows   not affected
    vCenter Server  5.0       Windows   5.0 Update 2
    vCenter Server  4.1       Windows   4.1 Update 3
    vCenter Server  4.0       Windows   not affected
    VirtualCenter   2.5       Windows   not affected
    vCSA            5.1       Linux     not affected
    vCSA            5.0       Linux     5.0 Update 2
    ESX/ESXi        any       any       not affected

4. Solution

   Please review the patch/release notes for your product and version and
   verify the checksum of your downloaded file.

   vCenter Server 5.1.0b
   ---------------------------
   Download link:
   https://downloads.vmware.com/d/info/datacenter_cloud_infrastructure/vmware_vsphere/5_1
   Release Notes:
   https://www.vmware.com/support/vsphere5/doc/vsphere-vcenter-server-510b-release-notes.html

   vCenter Server 5.0 Update 2
   ---------------------------
   Download link:
   https://downloads.vmware.com/d/info/datacenter_cloud_infrastructure/vmware_vsphere/5_0
   Release Notes:
   https://www.vmware.com/support/vsphere5/doc/vsp_vc50_u2_rel_notes.html

   vCenter Server 4.1 Update 3
   ---------------------------
   Download link:
   https://downloads.vmware.com/d/info/datacenter_cloud_infrastructure/vmware_vsphere/4_1
   Release Notes:
   https://www.vmware.com/support/vsphere4/doc/vsp_vc41_u3_rel_notes.html

   ESXi and ESX
   ------------
   The download for ESXi includes vCenter Server Appliance.
   https://my.vmware.com/web/vmware/downloads

   ESXi 5.1
   --------
   File: update-from-esxi5.1-5.1_update01.zip
   md5sum: 28b8026bcfbe3cd1817509759d4b61d6
   sha1sum: 9d3124d3c5efa6d0c3b9ba06511243fc6e205542
   update-from-esxi5.1-5.1_update01.zip contains ESXi510-201304101-SG
   http://kb.vmware.com/kb/2041632

   ESXi 5.0
   --------
   File: update-from-esxi5.0-5.0_update02.zip
   md5sum: ab8f7f258932a39f7d3e7877787fd198
   sha1sum: b65bacab4e38cf144e223cff4770501b5bd23334
   http://kb.vmware.com/kb/2033751
   update-from-esxi5.0-5.0_update02.zip contains ESXi500-201212101

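Section 4 asks the reader to verify the checksum of each downloaded bundle before applying it. The script below is an added example written for this bulletin, not VMware's or AusCERT's own tooling: it streams a local file through MD5 and SHA-1, looks the file name up in a table holding the md5sum and sha1sum values published in section 4 for the two ESXi bundles, and reports each digest as OK or MISMATCH. The only assumption is the path passed on the command line; the expected digest strings are copied verbatim from the advisory, and a file whose name is not in the table is reported as unverifiable rather than silently passed.

```python
import hashlib
import hmac
import sys
from pathlib import Path
from typing import Dict, Optional

# Expected digests exactly as published in section 4 of VMSA-2012-0018.
EXPECTED: Dict[str, Dict[str, str]] = {
    "update-from-esxi5.1-5.1_update01.zip": {
        "md5": "28b8026bcfbe3cd1817509759d4b61d6",
        "sha1": "9d3124d3c5efa6d0c3b9ba06511243fc6e205542",
    },
    "update-from-esxi5.0-5.0_update02.zip": {
        "md5": "ab8f7f258932a39f7d3e7877787fd198",
        "sha1": "b65bacab4e38cf144e223cff4770501b5bd23334",
    },
}


def digests(data: bytes) -> Dict[str, str]:
    """MD5 and SHA-1 hex digests of an in-memory byte string."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def digests_of_file(path: Path, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Same as digests(), but streams the file so a multi-GB bundle never sits in RAM."""
    md5 = hashlib.md5()
    sha1 = hashlib.sha1()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def matches(actual: Dict[str, str], expected: Dict[str, str]) -> Dict[str, bool]:
    """Compare every published digest (case-insensitively) with the computed one.

    Both digests are checked and both must agree: MD5 collisions are practical,
    so an MD5 match on its own is weaker evidence than the SHA-1 match.
    A digest missing from `actual` counts as a mismatch, never as a pass.
    """
    result = {}
    for algo, want in expected.items():
        got = actual.get(algo, "")
        result[algo] = hmac.compare_digest(got.lower(), want.lower())
    return result


def verify_bundle(path: Path,
                  table: Dict[str, Dict[str, str]] = EXPECTED) -> Optional[Dict[str, bool]]:
    """Look the file name up in the advisory table and verify the file against it.

    Returns None when the name is not one the advisory lists, so a caller
    cannot mistake an unknown file for a verified one.
    """
    expected = table.get(path.name)
    if expected is None:
        return None
    return matches(digests_of_file(path), expected)


if __name__ == "__main__":
    # Usage: python verify_vmsa_2012_0018.py /path/to/update-from-esxi5.0-5.0_update02.zip
    target = Path(sys.argv[1])
    outcome = verify_bundle(target)
    if outcome is None:
        sys.exit(f"{target.name}: not listed in VMSA-2012-0018, nothing to compare against")
    for algo, ok in outcome.items():
        print(f"{target.name}: {algo} {'OK' if ok else 'MISMATCH'}")
    sys.exit(0 if all(outcome.values()) else 1)
```

The exit status is non-zero on any mismatch or unknown file name, so the script can gate an automated patch workflow: only a bundle that matches both published digests is handed on to the update step.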
5. References

   ------------- vCSA ---------------
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6324
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6325
   ------------- glibc --------------
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5029
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5064
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0830
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1089
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4609
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0864
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3404
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3405
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3406
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3480
   --------- vCenter Server ---------
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6326

- - --------------------------------------------------------------------

6. Change log

   2012-12-20 VMSA-2012-0018
   Initial security advisory in conjunction with the release of vSphere 5.1
   Patch 1 and vSphere 5.0 Update 2 on 2012-12-20.

   2013-02-21 VMSA-2012-0018.1
   Updated security advisory to add section 3d, which documents CVE-2012-6326.

   2013-02-21 VMSA-2012-0018.2
   Updated security advisory to correct the wrong Replace with / Apply Patch
   for ESXi 5.1 for issue c). The correct patch is ESXi510-201304101 and is
   reflected in the table.

- - --------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

     * security-announce at lists.vmware.com
     * bugtraq at securityfocus.com
     * full-disclosure at lists.grok.org.uk

   E-mail: security at vmware.com
   PGP key at: http://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   VMware security response policy
   http://www.vmware.com/support/policies/security_response.html

   General support life cycle policy
   http://www.vmware.com/support/policies/eos.html

   VMware Infrastructure support life cycle policy
   http://www.vmware.com/support/policies/eos_vi.html

   Copyright 2012 VMware Inc. All rights reserved.

- -----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.3.0 (Build 8741)
Charset: utf-8

wj8DBQFReaMbDEcm8Vbi9kMRAuF1AKD/q7a6fKUocgVeOmWPco0JGPd2aACfaQXL
bfLqe72MVFIBc/BjQmvYja0=
=2IOL
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures.
AusCERT takes no responsibility for consequences which may arise from
following or acting on information or advice contained in this security
bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUX8lze4yVqjM2NGpAQId2g/9GejdFZu+Sasr+zzK4QCeMkoVSK1nU4sU
abM694BP7SVfVh7i1IQvszYOS4P6wZpmpX02+v+YUotkwAjKmKFHjSG0U13BdJWL
UIbBjP/E8Y+QOGsRINQ2viP3TqXfYvMvKfr7jcIsoIJcCJU2Jrsr4pxtT1zUK+aK
kr/C9sYCNX/rHoM/NpCL+c0tMLyD7y+zDHmYroi4XNKyEKrgLW6Ep9O8nrgvZ8bS
cM2EABcuEFVeryOeMi/Tpxy5l89UBSFFHyDe8J2965c8sy8e8EyF3ACVF48t3Rei
Dvw1e0Wk9Sjf808IQWx/49UxO9nMqBW6U6kCc+Nw7TrSjBKGHtyANYZk8Rv9rAgu
uBkWGBq/3CWxt+wQA39YT69tXAZMPu9HutyTq8dy2Y8ixCY5G8xvdEhMJ2IIVkxm
h9oQzTi5vl6EMYOw1Vzw/qaocFZZ1+oEIRCdndw9ddg7otTU0bQg8ht/Un/ZthfT
KHUdKoX20vhOegN45WN5QhhfiaDEnUj0H6PuP7KZnCY8u503iEA40e0izWoGBxaP
kFdbKs4yDoc5cb+wTffwaflhW8NfoXzV4B6OqYGCkQL2AXWZAFPk1rNOryfb62CN
UPysaIUT875xv2dUYAYwLWxr+X9zUaF0Rrsc9WUHMrJ4Lk2cfT+uNsz2iUJfYs7R
kCNHnR6G9yc=
=raM2
-----END PGP SIGNATURE-----