SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   VMware vCenter Vendors:   VMware
(VMware Issues Fix for VirtualCenter) Tomcat RequestDispatcher Bug Lets Remote Users Bypass Access Restrictions
SecurityTracker Alert ID:  1021747
SecurityTracker URL:  http://securitytracker.com/id/1021747
CVE Reference:   CVE-2008-2370   (Links to External Site)
Date:  Feb 24 2009
Impact:   Disclosure of system information, Disclosure of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   A vulnerability was reported in Tomcat. A remote user can bypass certain access restriction. VMware VirtualCenter is affected.

When a RequestDispatcher is used, a remote user can submit a specially crafted request to access content that is ostensibly protected by a security constraint or by its location under the WEB-INF directory.

Stefano Di Paola of Minded Security Research Labs reported this vulnerability.

Impact:   A remote user can bypass certain security restrictions to access content that is ostensibly protected.
Solution:   VMware has issued a fix for VirtualCenter (2.5 Update 4), which is affected by this vulnerability.

The VMware advisory is available at:

http://www.vmware.com/security/advisories/

Cause:   Access control error

Message History:   This archive entry is a follow-up to the message listed below.
Aug 4 2008 Tomcat RequestDispatcher Bug Lets Remote Users Bypass Access Restrictions



 Source Message Contents

Subject:  [Security-announce] VMSA-2009-0002 VirtualCenter Update 4 updates


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- ------------------------------------------------------------------------
                   VMware Security Advisory
Advisory ID:       VMSA-2009-0002
Synopsis:          VirtualCenter Update 4 updates Tomcat to 5.5.27
Issue date:        2009-02-23
Updated on:        2009-02-23 (initial release of advisory)
CVE numbers:       CVE-2008-1232 CVE-2008-1947 CVE-2008-2370
- ------------------------------------------------------------------------

1. Summary

   Updated VMware VirtualCenter Update 4 updates Tomcat packages.

2. Relevant releases

   VirtualCenter 2.5 before Update 4

3. Problem Description

 a. Update for VirtualCenter updates Apache Tomcat version to 5.5.27

   Update for VirtualCenter updates the Tomcat package to version 5.5.27
   which addresses multiple security issues that existed in the previous
   version of Apache Tomcat.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)
   has assigned the names CVE-2008-1232, CVE-2008-1947 and
   CVE-2008-2370 to these issues.

   The following table lists what action remediates the vulnerability
   (column 4) if a solution is available.

   VMware    Product   Running  Replace with/
   Product   Version   on       Apply Patch
   ========  ========  =======  =======================
   Virtual-  2.5       Windows  VirtualCenter 2.5 Update 4
   Center
   Virtual-  2.0.2     Windows  affected, patch pending
   Center

   Workstation any     any      not affected
   Player      any     any      not affected
   ACE         any     Windows  not affected
   Server    2.x       any      affected, patch pending
   Server    1.x       any      not affected

   Fusion      any     Mac OS/X not affected

   ESXi      3.5       ESXi     not affected

   ESX       3.5       ESX      affected, patch pending
   ESX       3.0.3     ESX      affected, patch pending
   ESX       3.0.2     ESX      affected, patch pending
   ESX       2.5.5     ESX      not affected

 Notes: This vulnerability can be exploited remotely only if the
        attacker has access to the Service Console network.

        Security best practices provided by VMware recommend that the
        Service Console be isolated from the VM network. Please see
        http://www.vmware.com/resources/techresources/726 for more
        information on VMware security best practices.

        The currently installed version of Tomcat depends on your patch
        deployment history.

4. Solution

   Please review the patch/release notes for your product and version
   and verify the md5sum of your downloaded file.

   VirtualCenter
   -------------
   VMware VirtualCenter 2.5 Update 4
   http://www.vmware.com/download/download.do?downloadGroup=VC250U4
   DVD iso image
   md5sum: 4304334ed7662b6a43646e6dde0956d2
   Zip file
   md5sum: 1306cb9b25e28a06bab84257d7cbf38f
   Release Notes
   http://www.vmware.com/support/vi3/doc/vi3_vc25u4_rel_notes.html

5. References

   Tomcat release notes
   tomcat.apache.org/security-5.html

   CVE numbers
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1232
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1947
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2370

- ------------------------------------------------------------------------
6. Change log

2009-02-23  VMSA-2009-0002
Initial security advisory after release of VirtualCenter 2.5 Update 4
on 2009-02-23.

- -----------------------------------------------------------------------
7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

  * security-announce at lists.vmware.com
  * bugtraq at securityfocus.com
  * full-disclosure at lists.grok.org.uk

E-mail:  security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055

VMware Security Center
http://www.vmware.com/security

VMware security response policy
http://www.vmware.com/support/policies/security_response.html

General support life cycle policy
http://www.vmware.com/support/policies/eos.html

VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html

Copyright 2009 VMware Inc.  All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEAREIAAYFAkmjXc4ACgkQS2KysvBH1xmpyQCfRmVgdISNYjhyAf0GDWKWXkrB
8A0An0qMRIGqaXSd4XBP4RevppRXxhZA
=rJ5q
-----END PGP SIGNATURE-----
_______________________________________________
Security-announce mailing list
Security-announce@lists.vmware.com
http://lists.vmware.com/mailman/listinfo/security-announce

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC