[Security-announce] UPDATED VMSA-2013-0006.1 VMware security updates for vCenter Server

VMware Security Announcements security-announce at lists.vmware.com
Thu Oct 17 17:30:48 PDT 2013


- -----------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID: VMSA-2013-0006.1
Synopsis:    VMware security updates for vCenter Server
Issue date:  2013-04-25
Updated on:  2013-10-17
CVE number:  CVE-2013-3107, CVE-2013-3079, CVE-2013-3080
             -- Tomcat --
             CVE-2012-5885, CVE-2012-5886, CVE-2012-5887, CVE-2012-2733,
             CVE-2012-4534, CVE-2012-3546, CVE-2012-4431
             -- JRE --
             See references
- -----------------------------------------------------------------------

1. Summary

   VMware has updated vCenter Server Appliance (vCSA) and vCenter 
   Server running on Windows to address multiple security 
   vulnerabilities.  

2. Relevant releases

   vCenter Server 5.1 without Update 1
   vCenter Server 5.0 without Update 3

   Update Manager 5.0 without Update 3

3. Problem Description

   a. vCenter Server AD anonymous LDAP binding credential bypass

      vCenter Server when deployed in an environment that uses 
      Active Directory (AD) with anonymous LDAP binding enabled
      doesn't properly handle login credentials. In this
      environment, authenticating to vCenter Server with a valid
      user name and a blank password may be successful even if 
      a non-blank password is required for the account. 

      The issue is present on vCenter Server 5.1, 5.1a and 5.1b
      if AD anonymous LDAP binding is enabled. The issue is
      addressed in vCenter Server 5.1 Update 1 by removing the
      possibility to authenticate using blank passwords. This
      change in the authentication mechanism applies regardless
      of whether anonymous binding is enabled.

      Workaround
      The workaround is to discontinue the use of AD anonymous
      LDAP binding if it is enabled in your environment. AD
      anonymous LDAP binding is not enabled by default. The TechNet
      article listed in the References section explains how to
      check for anonymous binding (search the article for
      "anonymous binding": anonymous binding is enabled if the
      seventh bit of the dsHeuristics attribute is set to 2).


      The Common Vulnerabilities and Exposures project (cve.mitre.org) has 
      assigned the name CVE-2013-3107 to this issue. 

      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is
      available. 


        VMware          Product   Running   Replace with/
        Product         Version   on        Apply Patch
        =============   =======   =======   =================
        vCenter Server  5.1       Any       5.1 Update 1
        vCenter Server  5.0       Any       not applicable
        vCenter Server  4.1       Windows   not applicable
        vCenter Server  4.0       Windows   not applicable
        VirtualCenter   2.5       Windows   not applicable

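      An added example (not VMware's code) for the workaround and the
      fix described in 3a, in Python: it tests a dsHeuristics value for
      the anonymous-LDAP setting and shows, against a constructed
      stand-in for an AD simple bind, why the login path must refuse a
      blank password itself. The sample account, the stand-in bind and
      the way dsHeuristics is fetched are assumptions.

```python
"""Added example for item 3a of this advisory (not VMware's code): test a
dsHeuristics value for anonymous LDAP operations, and show why the login
path must reject blank passwords itself instead of trusting the bind."""

# dsHeuristics lives on CN=Directory Service,CN=Windows NT,CN=Services,
# CN=Configuration,<forest DN>; fetching it (ldapsearch or PowerShell
# Get-ADObject) is assumed. It is a string, so the advisory's "seventh
# bit" is the seventh character.
ANON_LDAP_CHAR = 7  # 1-based position of the anonymous-LDAP heuristic

def anonymous_ldap_enabled(ds_heuristics):
    """True when the seventh character of dsHeuristics is '2'; a missing
    or short attribute is the default, anonymous binds off."""
    if ds_heuristics is None or len(ds_heuristics) < ANON_LDAP_CHAR:
        return False
    return ds_heuristics[ANON_LDAP_CHAR - 1] == "2"

def make_ad_bind(anonymous_allowed, accounts):
    """Constructed stand-in for an LDAP simple bind against AD. An empty
    password is an unauthenticated bind (RFC 4513 5.1.2): it 'succeeds'
    exactly when anonymous operations are enabled, even for a real user."""
    def bind(user, password):
        if password == "":
            return anonymous_allowed
        return accounts.get(user) == password
    return bind

def vulnerable_login(user, password, bind):
    """Pre-5.1 Update 1 behaviour: the bind result is the answer."""
    return bind(user, password)

def hardened_login(user, password, bind):
    """Fixed behaviour: a blank or whitespace-only password never reaches
    the directory, so an anonymous bind cannot count as a login."""
    if not user or not password.strip():
        return False
    return bind(user, password)

def compare_login_paths(anonymous_allowed):
    """Valid user, blank password, through both paths (constructed data)."""
    bind = make_ad_bind(anonymous_allowed, {"alice": "correct-horse"})
    return {"vulnerable": vulnerable_login("alice", "", bind),
            "hardened": hardened_login("alice", "", bind)}

if __name__ == "__main__":
    for value in (None, "0000000", "0000002"):   # constructed samples
        print(repr(value), "->", anonymous_ldap_enabled(value))
    print("anon on: ", compare_login_paths(True))
    print("anon off:", compare_login_paths(False))
```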

   b. vCenter Server Appliance arbitrary file execution


      The vCenter Server Appliance (vCSA) contains a remote code
      execution vulnerability. An authenticated attacker with access
      to the Virtual Appliance Management Interface (VAMI) may run
      an existing file as root. In the default vCSA setup,
      authentication to vCSA is limited to root since root
      is the only defined user.

      The Common Vulnerabilities and Exposures project (cve.mitre.org) has 
      assigned the name CVE-2013-3079 to this issue. 

      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is
      available. 


        VMware          Product   Running   Replace with/
        Product         Version   on        Apply Patch
        =============   =======   =======   =================
        vCSA            5.1       Linux     5.1 Update 1
        vCSA            5.0       Linux     not affected

   c. vCenter Server Appliance arbitrary file upload

      The vCenter Server Appliance (vCSA) VAMI web interface
      contains a vulnerability that allows an authenticated remote
      attacker to upload files to an arbitrary location, creating new
      files or overwriting existing files. Replacing certain files
      may result in a denial of service condition or code execution.
      In the default vCSA setup, authentication to vCSA is limited to
      root since root is the only defined user.


      The Common Vulnerabilities and Exposures project (cve.mitre.org) has 
      assigned the name CVE-2013-3080 to this issue. 

      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is
      available. 


        VMware          Product   Running   Replace with/
        Product         Version   on        Apply Patch
        =============   =======   =======   =================
        vCSA            5.1       Linux     5.1 Update 1
        vCSA            5.0       Linux     not affected


   d. vCenter, Update Manager, Oracle (Sun) JRE update 1.6.0_37
      
      Oracle (Sun) JRE is updated to version 1.6.0_37, which addresses
      multiple security issues that existed in earlier releases of
      Oracle (Sun) JRE. 

      Oracle has documented the CVE identifiers that are addressed
      in JRE 1.6.0_37 in the Oracle Java SE Critical Patch Update
      Advisory of October 2012. The References section provides a
      link to this advisory. 

      Column 4 of the following table lists the action required to 
      remediate the vulnerability in each release, if a solution is
      available. 

        VMware          Product   Running   Replace with/
        Product         Version   on        Apply Patch
        =============   =======   =======   =================
        vCenter Server  5.1       Windows   5.1 Update 1
        vCenter Server  5.0       Windows   See VMSA-2013-0012
        vCenter Server  4.1       Windows   patch pending
        vCenter Server  4.0       Windows   not applicable **
        VirtualCenter   2.5       Windows   not applicable **

        Update Manager  5.1       Windows   5.1 Update 1
        Update Manager  5.0       Windows   See VMSA-2013-0012
        Update Manager  4.1       Windows   not applicable **
        Update Manager  4.0       Windows   not applicable **

        hosted *        any       any       not affected

        ESXi            any       ESXi      not applicable

        ESX             4.1       ESX       patch pending
        ESX             4.0       ESX       not applicable **
        ESX             3.5       ESX       not applicable **

        * hosted products are VMware Workstation, Player, ACE, Fusion.

        ** this product uses the Oracle (Sun) JRE 1.5.0 family


   e. vCenter Server tc-server 2.8.1 / Apache Tomcat 6.0.36 update

      tc-server has been updated to version 2.8.1 to address multiple
      security issues. This version of tc-server includes Apache
      Tomcat 6.0.36.

      The Common Vulnerabilities and Exposures project (cve.mitre.org) 
      has assigned the names CVE-2012-5885, CVE-2012-5886, CVE-2012-5887,
      CVE-2012-2733, CVE-2012-4534, CVE-2012-3546 and CVE-2012-4431
      to these issues. 

        VMware          Product   Running   Replace with/
        Product         Version   on        Apply Patch
        =============   =======   =======   =================
        vCenter Server  5.1       Any       5.1 Update 1 *
        vCenter Server  5.0       Any       not affected
        vCenter Server  4.1       Windows   not affected
        vCenter Server  4.0       Windows   not affected
        VirtualCenter   2.5       Windows   not applicable ***

        hosted **       any       any       not affected

        ESXi            any       ESXi      not applicable

        ESX             4.1       ESX       not affected
        ESX             4.0       ESX       not affected
        ESX             3.5       ESX       not applicable ***


      * Only CVE-2012-2733 and CVE-2012-4534 affect vCenter Server 5.1

      ** hosted products are VMware Workstation, Player, ACE, Fusion. 

      *** this product uses the Apache Tomcat 5.5 family

4. Solution

   Please review the patch/release notes for your product and
   version and verify the checksum of your downloaded file.

   vCenter Server 5.1 Update 1
   --------------------
   Download link:
   https://downloads.vmware.com/d/info/datacenter_cloud_infrastructure/vmware_vsphere/5_1

   Release Notes:
   http://www.vmware.com/support/vsphere5/doc/vsphere-vcenter-server-51u1-release-notes.html

5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3107
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3079
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3080

   -------- JRE --------
   Oracle Java SE Critical Patch Update Advisory of October 2012
   http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html

   -------- Tomcat --------
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5885
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5886
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5887
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2733
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4534
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3546
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4431

   TechNet: How Active Directory Searches Work
   http://technet.microsoft.com/en-us/library/cc755809.aspx


- -----------------------------------------------------------------------

6. Change log

   2013-04-25 VMSA-2013-0006
   Initial security advisory in conjunction with the release of VMware
   vSphere 5.1 Update 1 on 2013-04-25.

   2013-10-17 VMSA-2013-0006.1
   Updated security advisory in conjunction with the release of vCenter
   Server 5.0 Update 3 on 2013-10-17.

- -----------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
   
   This Security Advisory is posted to the following lists:
   
     * security-announce at lists.vmware.com
     * bugtraq at securityfocus.com
     * full-disclosure at lists.grok.org.uk
   
   E-mail:  security at vmware.com
   PGP key at: http://kb.vmware.com/kb/1055
   
   VMware Security Advisories
   http://www.vmware.com/security/advisories
   
   VMware security response policy
   http://www.vmware.com/support/policies/security_response.html
   
   General support life cycle policy
   http://www.vmware.com/support/policies/eos.html
   
   VMware Infrastructure support life cycle policy
   http://www.vmware.com/support/policies/eos_vi.html
   
   Copyright 2013 VMware Inc.  All rights reserved.
