[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] CVE-2011-0527: VMware vFabric tc Server password obfuscation bypass

To: "full-disclosure@xxxxxxxxxxxxxxxxx" <full-disclosure@xxxxxxxxxxxxxxxxx>, "bugtraq@xxxxxxxxxxxxxxxxx" <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: [Full-disclosure] CVE-2011-0527: VMware vFabric tc Server password obfuscation bypass
From: s2-security <s2-security@xxxxxxxxxx>
Date: Thu, 11 Aug 2011 02:25:37 -0700

Severity: Important

Versions Affected:
  2.0.0.RELEASE to 2.0.5.SR01
  2.1.0.RELEASE to 2.1.1.SR01

Description:
tc Server allows users to store the passwords used for JMX authentication in an 
obfuscated form for organizations where storing passwords in plain text is not 
permitted. The JMX authentication implementation was incorrectly allowing users 
to authenticate using the password in either its plain text form or its 
obfuscated form, bypassing the benefit of obfuscation.

Mitigation:
If you are not using password obfuscation, then you are not affected by this 
issue.
  Users of 2.0.x may mitigate this issue by upgrading to 2.0.6.RELEASE.
  Users of 2.1.x may mitigate this issue by upgrading to 2.1.2.RELEASE.
  Users of 2.5.x are not affected.

Credit:
The issue was reported by the SpringSource tc Server support team.

History
  2011-08-11: Original Advisory

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Prev by Date: [Full-disclosure] [MOHSEP] Month Of Humorous Stefan Esser Photoshops - 0x0A
Next by Date: [Full-disclosure] SUSE Security Announcement: SUSE_SA_2011_033.txt.asc (SUSE-SA:2011:033)
Previous by thread: [Full-disclosure] [MOHSEP] Month Of Humorous Stefan Esser Photoshops - 0x0A
Next by thread: [Full-disclosure] SUSE Security Announcement: SUSE_SA_2011_033.txt.asc (SUSE-SA:2011:033)
Index(es):
- Date
- Thread