Reference: CERT-EU Security Advisory 2013-0005
Title: VMware security updates for vCSA and ESXi [1]
Version history: 9.01.2013 Initial publication

Summary
=======

VMware has updated vCenter Server Appliance (vCSA) and ESX to address multiple security vulnerabilities.

------------- vCSA ---------------
CVE-2012-6324, CVE-2012-6325

------------- glibc --------------
CVE-2009-5029, CVE-2009-5064, CVE-2010-0830, CVE-2011-1089, CVE-2011-4609,
CVE-2012-0864, CVE-2012-3404, CVE-2012-3405, CVE-2012-3406, CVE-2012-3480

Vulnerable systems
==================

vCSA 5.0, 5.1
ESXi 3.5, 4.0, 4.1, 5.0, 5.1

Original Details
================

Several problems identified [1]:

vCenter Server Appliance directory traversal (CVE-2012-6324)

The vCenter Server Appliance (vCSA) contains a directory traversal vulnerability that allows an authenticated remote user to retrieve arbitrary files. Exploitation of this issue may expose sensitive information stored on the server.

vCenter Server Appliance arbitrary file download (CVE-2012-6325)

The vCenter Server Appliance (vCSA) contains an XML parsing vulnerability that allows an authenticated remote user to retrieve arbitrary files. Exploitation of this issue may expose sensitive information stored on the server.

Vulnerabilities in the ESX glibc package (CVE-2009-5029, CVE-2009-5064, CVE-2010-0830, CVE-2011-1089, CVE-2011-4609, CVE-2012-0864, CVE-2012-3404, CVE-2012-3405, CVE-2012-3406 and CVE-2012-3480)

Multiple security issues.

What can you do?
================

Update your products to patched versions. The following product versions have been patched [1]:

vCenter Server Appliance 5.1.0b
vCenter Server Appliance 5.0 Update 2
ESXi 5.0
ESXi 5.1

If there is no patch for your version of the product, it may be necessary to upgrade to a higher version.

What to tell your users?
========================

N/A

More information
================

[1] http://www.vmware.com/security/advisories/VMSA-2012-0018.html

Best regards,
CERT-EU Pre-configuration Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383 FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383
Privacy Statement: http://cert.europa.eu/cert/plainedition/en/cert_privacy.html
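The two vCSA issues in the Original Details section above are both file-disclosure flaws, one through path traversal and one through XML parsing. The Python below is an added illustration of their defensive counterparts, not VMware's code (the advisory does not describe the vCSA internals): a file resolver that canonicalises a request and confines it to a base directory, and an XML loader that refuses any DOCTYPE so no entity can be declared and expanded. It assumes entity expansion was the file-reading mechanism behind the XML issue, which the advisory does not state; `resolve_under_base`, `parse_xml_no_dtd` and the `/srv/appliance-files` path are assumed names.

```python
from typing import Optional
import os
import xml.parsers.expat
from xml.etree import ElementTree


class ForbiddenDtdError(ValueError):
    """Raised when untrusted XML carries a DOCTYPE (and so may declare entities)."""


def resolve_under_base(base_dir: str, requested: str) -> Optional[str]:
    """Return the canonical path of `requested` if it stays inside `base_dir`,
    otherwise None. Both sides are canonicalised with realpath so '..' segments,
    redundant separators and symlinks cannot escape the served directory.
    Only the returned path may be opened; the raw request string never is."""
    base = os.path.realpath(base_dir)
    # A leading separator would make os.path.join discard base_dir, so every
    # request is treated as relative to the base.
    candidate = os.path.realpath(os.path.join(base, requested.lstrip("/\\")))
    if candidate == base or candidate.startswith(base + os.sep):
        return candidate
    return None


def parse_xml_no_dtd(data: bytes) -> Optional[ElementTree.Element]:
    """Parse untrusted XML, refusing any document with a DOCTYPE so that no
    entity (internal or external) can be declared and expanded. Returns the
    root element, or None if the document is rejected or not well-formed."""

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise ForbiddenDtdError("DOCTYPE not allowed in untrusted input")

    # First pass: a bare expat parser whose only job is to veto a DTD.
    guard = xml.parsers.expat.ParserCreate()
    guard.StartDoctypeDeclHandler = reject_doctype
    try:
        guard.Parse(data, True)
    except (ForbiddenDtdError, xml.parsers.expat.ExpatError):
        return None
    # Second pass: the document is DTD-free and well-formed, so build the tree.
    return ElementTree.fromstring(data)


if __name__ == "__main__":
    # Constructed inputs; "/srv/appliance-files" is an assumed base directory.
    print(resolve_under_base("/srv/appliance-files", "logs/service.log"))
    print(resolve_under_base("/srv/appliance-files", "../../outside.txt"))
    print(parse_xml_no_dtd(b"<config><host>appliance.example.test</host></config>"))
    print(parse_xml_no_dtd(b'<!DOCTYPE c [<!ENTITY e "x">]><c>&e;</c>'))
```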