[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

VMSA-2012-0002 VMware vCenter Chargeback Manager Information Leak and Denial of Service



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

------------------------------------------------------------------------
                  VMware Security Advisory

Advisory ID: VMSA-2012-0002
Synopsis: VMware vCenter Chargeback Manager Information Leak and
         Denial of Service
Issue date:  2012-03-08
Updated on:  2012-03-08
CVE numbers: CVE-2012-1472

------------------------------------------------------------------------

1. Summary

  The vCenter Chargeback Manager contains a vulnerability that allows
  information leakage and denial-of-service.

2. Relevant releases

  VMware vCenter Chargeback Manager prior to version 2.0.1

3. Problem Description

  The vCenter Chargeback Manager (CBM) contains a flaw in its
  handling of XML API requests.  This vulnerability allows an
  unauthenticated remote attacker to download files from the CBM
  server or conduct a denial-of-service against the server.  VMware
  thanks Joshua Keyes for reporting this issue to us.

  The Common Vulnerabilities and Exposures project (cve.mitre.org)
  has assigned the name CVE-2012-1472 to this issue.

  Column 4 of the following table lists the action required to
  remediate the vulnerability in each release, if a solution is
  available.
VMware Product Running Replace with/
  Product        Version   on       Apply Patch
  =============  ========  =======  =================
  CBM          1.6.2        any         CBM 2.0.1
  CBM          2.0.0        any         CBM 2.0.1

4. Solution

  Please review the patch/release notes for your product and version
  and verify the checksum of your downloaded file.

  VMware vCenter Chargeback Manager
  ---------------
  Download link:

http://downloads.vmware.com/d/info/it_business_management/vmware_vcenter_ch
argeback/2_0
Release Notes:
  https://www.vmware.com/support/vcbm/doc/vcbm_2_0_1_release_notes.html

  File: vCenter-CB-2.0.1-643764.zip
  md5sum: 88725667703c45f347e28464bfa8a5c7
  sha1sum: 7f47db0100b92e7717c40363a271fef563f96c30

5. References

  CVE numbers
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1472

------------------------------------------------------------------------
6. Change log

  2012-03-08 VMSA-2012-0002 Initial security advisory in conjunction
  with the release of CBM 2.0.1 on 2012-03-08.

-----------------------------------------------------------------------
7. Contact
E-mail list for product security notifications and announcements:
  http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists: * security-announce at lists.vmware.com
    * bugtraq at securityfocus.com
    * full-disclosure at lists.grok.org.uk
E-mail: security at vmware.com
  PGP key at: http://kb.vmware.com/kb/1055
VMware Security Advisories
  http://www.vmware.com/security/advisories
VMware security response policy
  http://www.vmware.com/support/policies/security_response.html
General support life cycle policy
  http://www.vmware.com/support/policies/eos.html
VMware Infrastructure support life cycle policy
  http://www.vmware.com/support/policies/eos_vi.html
Copyright 2012 VMware Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8

wj8DBQFPWaJZDEcm8Vbi9kMRArvWAKDQCbpKBr9zM4FDZbRKDBw3/rL0VQCeITRZ
QcjvsYQZ9jRDkG1X4UKgvIY=
=bXDQ
-----END PGP SIGNATURE-----