Category:   Application (Generic)  >   VMware
Vendors:   VMware
VMware vCenter Operations Input Validation Flaw Permits Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1027612
SecurityTracker URL:  http://securitytracker.com/id/1027612
CVE Reference:   CVE-2012-5050
Date:  Oct 5 2012
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 5.0.x
Description:   A vulnerability was reported in VMware vCenter Operations. A remote user can conduct cross-site scripting attacks.

The software does not properly filter HTML code from user-supplied input before displaying the input. A remote user can create a specially crafted URL that, when loaded by a target authenticated administrative user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the vCenter Operations software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Alexander Minozhenko of ERPScan reported this vulnerability.

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the vCenter Operations software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:   The vendor has issued a fix (5.0).

The vendor's advisory is available at:

http://www.vmware.com/security/advisories/VMSA-2012-0014.html

Vendor URL:  www.vmware.com/security/advisories/VMSA-2012-0014.html
Cause:   Input validation error

Message History:   None.


 Source Message Contents

Subject:  [Security-announce] VMSA-2012-0014 VMware vCenter Operations, CapacityIQ, and Movie Decoder security updates

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 -----------------------------------------------------------------------
                       VMware Security Advisory

Advisory ID:  VMSA-2012-0014
Synopsis: VMware vCenter Operations, CapacityIQ, and Movie Decoder
          security updates
Issue date:   2012-10-04
Updated on:   2012-10-04 (initial advisory)
CVE numbers:  CVE-2012-4897, CVE-2012-5050, CVE-2012-5051
 -----------------------------------------------------------------------
1. Summary

   VMware has provided an upgrade path for vCenter Operations and
   CapacityIQ and an update for Movie Decoder.  These updates address
   multiple security vulnerabilities.

2. Relevant releases

   vCenter Operations prior to 5.0.x
   vCenter CapacityIQ 1.5.x
   Movie Decoder prior to 9.0

3. Problem Description

   a. VMware Movie Decoder Installer binary planting vulnerability

      The installer of the VMware Movie Decoder has a binary planting
      vulnerability. An attacker who can write their malicious
      executable to the same folder as where the installer of the
      Movie Decoder is located may be able to run their code when the
      installation is started.
 
      VMware would like to thank Mitja Kolsek of ACROS Security for
      reporting this issue to us.
 
      The Common Vulnerabilities and Exposures project (cve.mitre.org)
      has assigned the name CVE-2012-4897 to this issue.
 
        VMware          Product   Running   Replace with/
        Product         Version   on        Apply Patch
        =============   =======   =======   =================
        Movie Decoder   7.x       Windows   Movie Decoder 9.0
        Movie Decoder   6.x       Windows   Movie Decoder 9.0
        Movie Decoder   5.x       Windows   Movie Decoder 9.0
                
   b. vCenter Operations cross-site scripting vulnerability

      The vCenter Operations server contains a cross-site scripting
      vulnerability that allows an attacker to steal an
      administrator's session cookie.  To exploit this vulnerability,
      the attacker must convince the administrator to click on a
      malicious link.

      VMware would like to thank Alexander Minozhenko of ERPScan for
      reporting this issue to us.

      The Common Vulnerabilities and Exposures project (cve.mitre.org)
      has assigned the name CVE-2012-5050 to this issue.

      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is
      available.

        VMware          Product   Running   Replace with/
        Product         Version   on        Apply Patch
        =============   =======   =======   =================
        vCOps           5.0.x     any       not affected
        vCops           1.0.x     any       affected, update to vCOps 5.0.x

   c. vCenter CapacityIQ path traversal vulnerability

      vCenter CapacityIQ contains a path traversal vulnerability that
      allows unauthenticated attackers to download arbitrary files.

      VMware would like to thank Alexander Minozhenko of ERPScan for
      reporting this issue to us.

      The Common Vulnerabilities and Exposures project (cve.mitre.org)
      has assigned the name CVE-2012-5051 to this issue.

      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is
      available.

        VMware          Product   Running   Replace with/
        Product         Version   on        Apply Patch
        =============   =======   =======   =================
        vCOps           5.0.x     any       not affected
        CapacityIQ      1.5.x     any       affected, update to vCOps 5.0.x

4. Solution

   Please review the patch/release notes for your product and version
   and verify the checksum of your downloaded file.

   vCenter Operations 5.0.x
   ----------------------
   Download link
   https://my.vmware.com/web/vmware/info/slug/infrastructure_operations_management/vmware_vcenter_operations/5_0
   
   Release Notes
   https://www.vmware.com/support/pubs/vcops-pubs.html

   Movie Decoder 9.0
   -----------------
   Download link
   https://my.vmware.com/web/vmware/info/slug/desktop_end_user_computing/vmware_workstation/9_0#drivers_tools
      
5. References
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4897
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5050
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5051

 -----------------------------------------------------------------------

6. Change log

   2012-10-04 VMSA-2012-0014 
   Initial security advisory in conjunction with the release of Movie
   Decoder 9.0 on 2012-10-04.
      
 -----------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
   
   This Security Advisory is posted to the following lists:
   
   * security-announce at lists.vmware.com
   * bugtraq at securityfocus.com
   * full-disclosure at lists.grok.org.uk
   
   E-mail: security at vmware.com
   PGP key at: http://kb.vmware.com/kb/1055
   
   VMware Security Advisories
   http://www.vmware.com/security/advisories
   
   VMware security response policy
   http://www.vmware.com/support/policies/security_response.html
   
   General support life cycle policy
   http://www.vmware.com/support/policies/eos.html
   
   VMware Infrastructure support life cycle policy
   http://www.vmware.com/support/policies/eos_vi.html
   
   Copyright 2012 VMware Inc. All rights reserved.
   
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org

iEYEARECAAYFAlBuDo0ACgkQDEcm8Vbi9kNd5gCfVwopZMAAZv1E2HXb2b0S8gih
F8cAoPmdKWTjJ6ECmGWmpL6jI6ylsACf
=ANDn
-----END PGP SIGNATURE-----
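
Added example, not part of the VMware advisory or the SecurityTracker entry: a small parser for the advisory's remediation table (section 3.b, copied below as sample input) that matches an asset inventory against it. The host names and installed versions are constructed, and releases the table does not list are flagged for manual review rather than assumed safe.

```python
import re

# Table from section 3.b of the advisory above, copied as sample input.
TABLE_3B = """\
        VMware          Product   Running   Replace with/
        Product         Version   on        Apply Patch
        =============   =======   =======   =================
        vCOps           5.0.x     any       not affected
        vCops           1.0.x     any       affected, update to vCOps 5.0.x
"""

def parse_vmsa_table(text):
    """Return the data rows below the '=' ruler as dicts."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    ruler = next(i for i, l in enumerate(lines) if set(l) <= {"=", " "})
    keys = ("product", "version", "platform", "action")
    rows = []
    for line in lines[ruler + 1:]:
        # Columns are separated by two or more spaces; the action text
        # itself only contains single spaces.
        cells = re.split(r"\s{2,}", line, maxsplit=3)
        if len(cells) == 4:
            rows.append(dict(zip(keys, cells)))
    return rows

def version_matches(pattern, installed):
    """'5.0.x' matches any 5.0 release; 'x' is a wildcard for the rest."""
    want, have = pattern.split("."), installed.split(".")
    for i, part in enumerate(want):
        if part.lower() == "x":
            return True
        if i >= len(have) or have[i] != part:
            return False
    return len(have) == len(want)

def action_for(rows, product, installed):
    """Advisory action for one install, or None if the release is unlisted."""
    for r in rows:
        # Case-insensitive: the table spells the product 'vCOps' and 'vCops'.
        if r["product"].lower() == product.lower() and version_matches(r["version"], installed):
            return r["action"]
    return None

def triage(rows, inventory):
    """Map each host to the advisory action or a manual-review marker."""
    return {host: action_for(rows, prod, ver) or "not listed, review manually"
            for host, prod, ver in inventory}

if __name__ == "__main__":
    # Constructed inventory: (host, product, installed version)
    inv = [("vcops-lab-01", "vCOps", "1.0.2"), ("vcops-lab-02", "vCOps", "5.0.1")]
    print(triage(parse_vmsa_table(TABLE_3B), inv))
```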
