[Security-announce] NEW VMSA-2013-0008 VMware vCenter Chargeback Manager Remote Code Execution

VMware Security Announcements security-announce at lists.vmware.com
Tue Jun 11 11:12:04 PDT 2013



-----------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID: VMSA-2013-0008
Synopsis:    VMware vCenter Chargeback Manager Remote Code Execution
Issue date:  2013-06-11
Updated on:  2013-06-11 (initial advisory)
CVE number:  CVE-2013-3520
-----------------------------------------------------------------------

1. Summary

    The vCenter Chargeback Manager contains a critical vulnerability 
    that allows for remote code execution.

2. Relevant releases

    VMware vCenter Chargeback Manager prior to version 2.5.1

3. Problem Description 

   a. vCenter Chargeback Manager Remote Code Execution
       
      The vCenter Chargeback Manager (CBM) contains a flaw in its
      handling of file uploads. Exploitation of this issue may
      allow an unauthenticated attacker to execute code remotely.

      VMware would like to thank Andrea Micalizzi, aka rgod, for 
      reporting this issue to us through HP's Zero Day Initiative (ZDI).

      The Common Vulnerabilities and Exposures project (cve.mitre.org)
      has assigned the name CVE-2013-3520 to this issue. 

      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is 
      available. 

        VMware          Product   Running   Replace with/
        Product         Version   on        Apply Patch
        =============   =======   =======   =================
        CBM             2.0.1     any       CBM 2.5.1
        CBM             2.5       any       CBM 2.5.1

4. Solution

      Please review the patch/release notes for your product and version 
      and verify the checksum of your downloaded file. 


      VMware vCenter Chargeback Manager
      ---------------------------------

      Download link:
      https://downloads.vmware.com/d/info/it_business_management/vmware_vcenter_chargeback/2_5

      Release Notes:
      https://www.vmware.com/support/vcbm/doc/vcbm_2_5_1_release_notes.html

   
5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3520


-----------------------------------------------------------------------

6. Change log

   2013-06-11 VMSA-2013-0008
   Initial security advisory in conjunction with the release of 
   CBM 2.5.1 on 2013-06-11.

-----------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
   
   This Security Advisory is posted to the following lists:
   
     * security-announce at lists.vmware.com
     * bugtraq at securityfocus.com
     * full-disclosure at lists.grok.org.uk
   
   E-mail:  security at vmware.com
   PGP key at: http://kb.vmware.com/kb/1055
   
   VMware Security Advisories
   http://www.vmware.com/security/advisories
   
   VMware security response policy
   http://www.vmware.com/support/policies/security_response.html
   
   General support life cycle policy
   http://www.vmware.com/support/policies/eos.html
   
   VMware Infrastructure support life cycle policy
   http://www.vmware.com/support/policies/eos_vi.html
   
   Copyright 2013 VMware Inc. All rights reserved.
