Bugtraq mailing list archives
VMSA-2012-0002 VMware vCenter Chargeback Manager Information Leak and Denial of Service
From: VMware Security Team <security () vmware com>
Date: Thu, 08 Mar 2012 22:26:46 -0800
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
------------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2012-0002
Synopsis: VMware vCenter Chargeback Manager Information Leak and
Denial of Service
Issue date: 2012-03-08
Updated on: 2012-03-08
CVE numbers: CVE-2012-1472
------------------------------------------------------------------------
1. Summary
The vCenter Chargeback Manager contains a vulnerability that allows
information leakage and denial-of-service.
2. Relevant releases
VMware vCenter Chargeback Manager prior to version 2.0.1
3. Problem Description
The vCenter Chargeback Manager (CBM) contains a flaw in its
handling of XML API requests. This vulnerability allows an
unauthenticated remote attacker to download files from the CBM
server or conduct a denial-of-service against the server. VMware
thanks Joshua Keyes for reporting this issue to us.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2012-1472 to this issue.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch ============= ======== ======= ================= CBM 1.6.2 any CBM 2.0.1 CBM 2.0.0 any CBM 2.0.1 4. Solution Please review the patch/release notes for your product and version and verify the checksum of your downloaded file. VMware vCenter Chargeback Manager --------------- Download link: http://downloads.vmware.com/d/info/it_business_management/vmware_vcenter_ch argeback/2_0Release Notes:
https://www.vmware.com/support/vcbm/doc/vcbm_2_0_1_release_notes.html File: vCenter-CB-2.0.1-643764.zip md5sum: 88725667703c45f347e28464bfa8a5c7 sha1sum: 7f47db0100b92e7717c40363a271fef563f96c30 5. References CVE numbers http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1472 ------------------------------------------------------------------------ 6. Change log 2012-03-08 VMSA-2012-0002 Initial security advisory in conjunction with the release of CBM 2.0.1 on 2012-03-08. ----------------------------------------------------------------------- 7. ContactE-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announceThis Security Advisory is posted to the following lists: * security-announce at lists.vmware.com
* bugtraq at securityfocus.com
* full-disclosure at lists.grok.org.uk
E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055VMware Security Advisories
http://www.vmware.com/security/advisoriesVMware security response policy
http://www.vmware.com/support/policies/security_response.htmlGeneral support life cycle policy
http://www.vmware.com/support/policies/eos.htmlVMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.htmlCopyright 2012 VMware Inc. All rights reserved.
-----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.8.3 (Build 4028) Charset: utf-8 wj8DBQFPWaJZDEcm8Vbi9kMRArvWAKDQCbpKBr9zM4FDZbRKDBw3/rL0VQCeITRZ QcjvsYQZ9jRDkG1X4UKgvIY= =bXDQ -----END PGP SIGNATURE-----
Current thread:
- VMSA-2012-0002 VMware vCenter Chargeback Manager Information Leak and Denial of Service VMware Security Team (Mar 09)