Bugtraq mailing list archives

VMSA-2011-0014 VMware vCenter Update Manager fix for Jetty Web server addresses directory traversal vulnerability

From: VMware Security Team <security () vmware com>
Date: Thu, 17 Nov 2011 22:52:33 -0800

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

-----------------------------------------------------------------------
                       VMware Security Advisory

Advisory ID: VMSA-2011-0014
Synopsis:    VMware vCenter Update Manager fix for Jetty Web server
             addresses directory traversal vulnerability

Issue date:  2011-11-17
Updated on:  2011-11-17 (initial release of advisory)

CVE numbers: CVE-2011-4404
-----------------------------------------------------------------------

1. Summary

  Configuration update for VMware vSphere Update Manager's third party
  Jetty Web server component addresses directory traversal
  vulnerability.

2. Relevant releases

  vCenter Update Manager 4.1 prior to Update 2

  vCenter Update Manager 4.0 prior to Update 4

3. Problem Description


a. Directory traversal in third party Jetty Web server component

   VMware vSphere Update Manager is an automated patch management
   solution for VMware ESX hosts and Microsoft virtual machines. Update
   Manager embeds the Jetty Web server which is a third party
   component.

   The way the Jetty Web Server in vSphere Update Manager is configured
   allows for directory traversal. This issue is a variant of the
   directory traversal issue that was addressed in earlier versions of
   vSphere Update Manager. See VMSA-2010-0012 for additional
   information.

VMware would like to thank Alexey Sintsov from Digital Security

   Research Group for reporting this issue to us.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)
   has assigned the name CVE-2011-4404 to this issue.

   Column 4 of the following table lists the action required to
   remediate the vulnerability in each release, if a solution is
   available.

VMware Product Running Replace with/

   Product        Version   on       Apply Patch
   =============  ========  =======  =================
   vCenter        any       Windows  not affected

Update Manager 5.0 Windows not affected

   Update Manager 4.1       Windows  Update 2
   Update Manager 4.0       Windows  Update 4

hosted * any any not affectedESXi any ESXi not affectedESX any ESX not affected* hosted products are VMware Workstation, Player, ACE, Fusion.


4. Solution

  Please review the patch/release notes for your product and version
  and verify the checksum of your downloaded file.

  VMware vCenter Server 4.1
  ----------------------------------------------
  vCenter Server 4.1 Update 2
  The download for vCenter Server includes vSphere Update Manager.

Download link:


http://downloads.vmware.com/d/info/datacenter_cloud_infrastructure/vmware_v
sphere/4_1

Release Notes:https://www.vmware.com/support/pubs/vum_pubs.html


  File: VMware-VIMSetup-all-4.1.0-493063.iso
  md5sum: d132326846a85bfc9ebbc53defeee6e1
  sha1sum: 192c3e5d2a10bbe53c025cc7eedb3133a23e0541

File: VMware-VIMSetup-all-4.1.0-493063.zip

  md5sum: 7fd7b09e501bd8fde52649b395491222
  sha1sum: 46dd00e7c594ac672a5d7c3c27d15be2f5a5f1f1

  VMware vCenter Server 4.0
  ----------------------------------------------
  vCenter Server 4.0 Update 4
  The download for vCenter Server includes vSphere Update Manager.

Download link:


http://downloads.vmware.com/d/info/datacenter_cloud_infrastructure/vmware_v
sphere/4_0

Release Notes:https://www.vmware.com/support/pubs/vum_pubs.htmlFile: VMware-VIMSetup-all-4.0.0-502539.iso

  md5sum: b418ff3d394f91b418271b6b93dfd6bd
  sha1sum: 56c2ec60f8b8a734a8312d9e38d5d70cd20c0927

File: VMware-VIMSetup-all-4.0.0-502539.zip

  md5sum: 2acfadde1ec0cd6d37063d87246d6942
  sha1sum: ea1f3a3cb178f23fc2cf49bfc1450d10e5f699f8

5. References

  CVE numbers
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4404

-----------------------------------------------------------------------
6. Change log

  2011-11-17 VMSA-2011-0014
  Initial security advisory in conjunction with the release of
  Update 4 for vCenter Server 4.0, vSphere Update Manager 4.0,
  vSphere Hypervisor (ESXi) 4.0 and ESX 4.0 on 2011-11-17.

-----------------------------------------------------------------------
7. Contact

  E-mail list for product security notifications and announcements:
  http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:* security-announce at lists.vmware.com

    * bugtraq at securityfocus.com
    * full-disclosure at lists.grok.org.uk

E-mail: security at vmware.com

  PGP key at: http://kb.vmware.com/kb/1055

VMware Security Advisories

  http://www.vmware.com/security/advisories

VMware security response policy

  http://www.vmware.com/support/policies/security_response.html

General support life cycle policy

  http://www.vmware.com/support/policies/eos.html

VMware Infrastructure support life cycle policy

  http://www.vmware.com/support/policies/eos_vi.html



-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8

wj8DBQFOxgCiDEcm8Vbi9kMRAvXfAKC3khDTnSPvVqMr/w2MnsMs+19upgCgyBHl
vO3aPCGs8oG9FalVVKGVE0Q=
=50f0
-----END PGP SIGNATURE-----

Current thread:

VMSA-2011-0014 VMware vCenter Update Manager fix for Jetty Web server addresses directory traversal vulnerability VMware Security Team (Nov 18)