-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Reference: CERT-EU Security Advisory 2012-0032

Title: VMware vCenter Chargeback Manager Information Leak and Denial of
Service

Version history:
09.03.2012 Initial publication

Summary
=======
The vCenter Chargeback Manager contains a vulnerability that allows
information leakage and denial-of-service.

CVE-2012-1472 [2]

Affected Versions
=================
VMware vCenter Chargeback Manager prior to version 2.0.1

Original Details
================
The vCenter Chargeback Manager (CBM) contains a flaw in its handling of
XML API requests. This vulnerability allows an unauthenticated remote
attacker to download files from the CBM server or conduct a
denial-of-service against the server.

What can you do?
================
Deploy the updated versions of the software [3].

Workarounds:

There are no workarounds that mitigate these vulnerabilities.

What to tell your users?
========================
N/A

More information
================
[1] http://www.vmware.com/security/advisories/VMSA-2012-0002.html
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1472
[3] http://downloads.vmware.com/d/info/it_business_management/vmware_vcenter_chargeback/2_0
[4] Information about CVSS: http://www.first.org/cvss/cvss-guide.html

Best regards,
CERT-EU
CERT-EU Pre-configuration Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383
FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383

(DISCLAIMER: CERT-EU, the CERT for the EU institutions, is currently in
its setup phase, until May 2012. Services are provided in a pilot
fashion, and are not yet fully functional. Announcements, alerts and
warnings are sent out in a best-effort manner, and to contact information
currently known to us. We apologise if you are not the correct
recipient, or if you had already been warned about this issue from
another source. Format, content and way of alerting are subject to
change in the future. Contact information or even the team name may
change as well.)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

-----END PGP SIGNATURE-----