Reference: CERT-EU Security Advisory 2012-0043

Title: VMware issues Security Advisories & Certifications [1]

Version history:
19.03.2012 Initial publication

Summary
=======

Updates for VMware vCenter Server, Orchestrator, Update Manager, vShield, vSphere Client, ESXi and ESX address several security issues:

CVE-2012-1508, CVE-2012-1509, CVE-2012-1510, CVE-2012-1512, CVE-2012-1513, CVE-2012-1514, CVE-2011-3190, CVE-2011-3375, CVE-2012-0022, CVE-2010-0405 [3]

Vulnerable systems
==================

Amongst others...

ESXi 5.0
ESXi 4.1
ESXi 4.0
ESX 4.1
ESX 4.0
vCO 4.2
vCO 4.1
vCO 4.0
vSM 5.0
vSM 4.1
vSM 4.0
vCenter 5.
vCenter 4.1
Update Manager 5.0

Original Details
================

a. VMware Tools Display Driver Privilege Escalation
b. vSphere Client internal browser input validation vulnerability
c. vCenter Orchestrator Password Disclosure
d. vShield Manager Cross-Site Request Forgery vulnerability
e. vCenter Update Manager, Oracle (Sun) JRE update 1.6.0_30
f. vCenter Server Apache Tomcat update 6.0.35
g. ESXi update to third party component bzip2

See reference for more details [1]

What can you do?
================

Updates have been released [1][2]

What to tell your users?
========================

N/A

More information
================

[1] http://www.vmware.com/security/advisories/VMSA-2012-0005.html
[2] http://downloads.vmware.com/d/info/datacenter_cloud_infrastructure/vmware_vsphere/5_0
[3] Information about CVSS: http://www.first.org/cvss/cvss-guide.html

Best regards,

CERT-EU
CERT-EU Pre-configuration Team
(http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383
FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383

(DISCLAIMER: CERT-EU, the CERT for the EU institutions, is currently in its setup phase, until May 2012. Services are provided in a pilot fashion, and are not yet fully functional. Announcements, alerts and warnings are sent out in a best-effort manner, and to contact information currently known to us. We apologise if you are not the correct recipient, or if you had already been warned about this issue from another source. Format, content and way of alerting are subject to change in the future. Contact information or even the team name may change as well.)