SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   VMware Vendors:   VMware
VMware vCenter Chargeback Manager Lets Remote Users Deny Service and Download Files
SecurityTracker Alert ID:  1026778
SecurityTracker URL:  http://securitytracker.com/id/1026778
CVE Reference:   CVE-2012-1472   (Links to External Site)
Date:  Mar 9 2012
Impact:   Denial of service via network, Disclosure of system information, Disclosure of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 2.0.1
Description:   A vulnerability was reported in VMware vCenter Chargeback Manager. A remote user can cause denial of service conditions. A remote user can view files on the target system.

A remote user can exploit a flaw in the XML API to download files from the target server or cause denial of service conditions on the target server.

Joshua Keyes reported this vulnerability.

Impact:   A remote user can cause denial of service conditions on the target system.

A remote user can view files on the target system.

Solution:   The vendor has issued a fix (CBM 2.0.1).

The vendor's advisory is available at:

http://www.vmware.com/security/advisories/VMSA-2012-0002.html

Vendor URL:  www.vmware.com/security/advisories/VMSA-2012-0002.html (Links to External Site)
Cause:   Not specified

Message History:   None.


 Source Message Contents

Subject:  [Security-announce] VMSA-2012-0002 VMware vCenter Chargeback Manager Information Leak and Denial of Service

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 ------------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID: VMSA-2012-0002
Synopsis: VMware vCenter Chargeback Manager Information Leak and
          Denial of Service
Issue date:  2012-03-08
Updated on:  2012-03-08 
CVE numbers: CVE-2012-1472

 ------------------------------------------------------------------------

1. Summary

   The vCenter Chargeback Manager contains a vulnerability that allows
   information leakage and denial-of-service.

2. Relevant releases

   VMware vCenter Chargeback Manager prior to version 2.0.1

3. Problem Description

   The vCenter Chargeback Manager (CBM) contains a flaw in its
   handling of XML API requests.  This vulnerability allows an
   unauthenticated remote attacker to download files from the CBM
   server or conduct a denial-of-service against the server.  VMware
   thanks Joshua Keyes for reporting this issue to us.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)
   has assigned the name CVE-2012-1472 to this issue.

   Column 4 of the following table lists the action required to
   remediate the vulnerability in each release, if a solution is
   available.
   
   VMware         Product   Running  Replace with/
   Product        Version   on       Apply Patch
   =============  ========  =======  =================
   CBM		  1.6.2	    any	     CBM 2.0.1
   CBM		  2.0.0	    any	     CBM 2.0.1

4. Solution

   Please review the patch/release notes for your product and version
   and verify the checksum of your downloaded file.

   VMware vCenter Chargeback Manager
   ---------------
   Download link:
   http://downloads.vmware.com/d/info/it_business_management/vmware_vcenter_chargeback/2_0
   
   Release Notes:
   https://www.vmware.com/support/vcbm/doc/vcbm_2_0_1_release_notes.html

   File: vCenter-CB-2.0.1-643764.zip
   md5sum: 88725667703c45f347e28464bfa8a5c7
   sha1sum: 7f47db0100b92e7717c40363a271fef563f96c30

5. References

   CVE numbers
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1472

 ------------------------------------------------------------------------
6. Change log

   2012-03-08 VMSA-2012-0002 Initial security advisory in conjunction
   with the release of CBM 2.0.1 on 2012-03-08.

 -----------------------------------------------------------------------
7. Contact
   
   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
   
   This Security Advisory is posted to the following lists:
   
     * security-announce at lists.vmware.com
     * bugtraq at securityfocus.com
     * full-disclosure at lists.grok.org.uk
   
   E-mail:  security at vmware.com
   PGP key at: http://kb.vmware.com/kb/1055
   
   VMware Security Advisories
   http://www.vmware.com/security/advisories
   
   VMware security response policy
   http://www.vmware.com/support/policies/security_response.html
   
   General support life cycle policy
   http://www.vmware.com/support/policies/eos.html
   
   VMware Infrastructure support life cycle policy
   http://www.vmware.com/support/policies/eos_vi.html
   
   Copyright 2012 VMware Inc.  All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org

iEYEARECAAYFAk9Zi4kACgkQDEcm8Vbi9kP4twCcCjYlIquQtjNlwtgxoM59ayxb
fJoAoPmAQR55/QvHyFvQhrVIH81rU8tn
=1ROb
-----END PGP SIGNATURE-----
_______________________________________________
Security-announce mailing list
Security-announce@lists.vmware.com
http://lists.vmware.com/mailman/listinfo/security-announce
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, SecurityGlobal.net LLC