Reference: CERT-EU Security Advisory 2013-0052

Title: VMware vCenter Chargeback Manager Remote Code Execution [1]

Version history:
18.06.2013 Initial publication

Summary
=======

The vCenter Chargeback Manager contains a critical vulnerability that
allows for remote code execution.

CVE number: CVE-2013-3520

CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P) [2]

Vulnerable systems
==================

VMware vCenter Chargeback Manager prior to version 2.5.1

Original Details [1]
================

The vCenter Chargeback Manager (CBM) contains a flaw in its handling of
file uploads. Exploitation of this issue may allow an unauthenticated
attacker to execute code remotely.

What can you do?
================

Download the patch for your version. [3]

VMware       Product   Running   Replace with /
Product      Version   on        Apply Patch
==========   =====     =====     ==================
CBM          2.01      any       CBM 2.5.1
CBM          2.5       any       CBM 2.5.1

What to tell your users?
========================

N/A

More information
================

[1] http://www.vmware.com/security/advisories/VMSA-2013-0008.html
[2] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3520
[3] https://my.vmware.com/web/vmware/downloads

Best regards,

CERT-EU Pre-configuration Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383
FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383
Privacy Statement: http://cert.europa.eu/cert/plainedition/en/cert_privacy.html