20120105 SEC Consult SA-20120104-0 :: Multiple critical vulnerabilities in Apache Struts2

47393

http://struts.apache.org/2.x/docs/s2-008.html

http://struts.apache.org/2.x/docs/version-notes-2311.html

18329

https://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt

The remote VMware ESX / ESXi host is missing a security-related patch.
It is, therefore, affected by multiple vulnerabilities, including remote code execution vulnerabilities, in several third-party libraries :

  - Apache Struts
  - glibc
  - GnuTLS
  - JRE
  - kernel
  - libxml2
  - OpenSSL
  - Perl
  - popt and rpm

The version of vCenter Operations Manager installed on the remote host is earlier than 5.0.3.  It is, therefore, potentially affected by an arbitrary file upload vulnerability in the Apache Struts component.  By exploiting this flaw, a remote, unauthenticated attacker could overwrite arbitrary files on the remote host subject to the privileges of the user running the affected application.

a. vCenter and ESX update to JRE 1.6.0 Update 31

   The Oracle (Sun) JRE is updated to version 1.6.0_31, which    addresses multiple security issues. Oracle has documented the    CVE identifiers that are addressed by this update in the Oracle    Java SE Critical Patch Update Advisory of February 2012.

b. vCenter Update Manager update to JRE 1.5.0 Update 36

   The Oracle (Sun) JRE is updated to 1.5.0_36 to address multiple    security issues.  Oracle has documented the CVE identifiers that    are addressed in JRE 1.5.0_36 in the Oracle Java SE Critical    Patch Update Advisory for June 2012.

c. Update to ESX/ESXi userworld OpenSSL library

   The ESX/ESXi userworld OpenSSL library is updated from version    0.9.8p to version 0.9.8t to resolve multiple security issues.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the names CVE-2010-4180, CVE-2010-4252,    CVE-2011-0014, CVE-2011-4108, CVE-2011-4109, CVE-2011-4576,    CVE-2011-4577, CVE-2011-4619, and CVE-2012-0050 to these issues.

d. Update to ESX service console OpenSSL RPM

   The service console OpenSSL RPM is updated to version    0.9.8e-22.el5_8.3 to resolve a security issue.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the name CVE-2012-2110 to this issue.

e. Update to ESX service console kernel

   The ESX service console kernel is updated to resolve multiple    security issues.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the names CVE-2011-1833, CVE-2011-2484,    CVE-2011-2496, CVE-2011-3188, CVE-2011-3209, CVE-2011-3363,    CVE-2011-4110, CVE-2011-1020, CVE-2011-4132, CVE-2011-4324,    CVE-2011-4325, CVE-2012-0207, CVE-2011-2699, and CVE-2012-1583    to these issues.

f. Update to ESX service console Perl RPM

   The ESX service console Perl RPM is updated to    perl-5.8.8.32.1.8999.vmw to resolve multiple security issues.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the names CVE-2010-2761, CVE-2010-4410, and    CVE-2011-3597 to these issues.

g. Update to ESX service console libxml2 RPMs

   The ESX service console libmxl2 RPMs are updated to    libxml2-2.6.26-2.1.15.el5_8.2 and    libxml2-python-2.6.26-2.1.15.el5_8.2 to resolve a security    issue.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the name CVE-2012-0841 to this issue.

h. Update to ESX service console glibc RPM

   The ESX service console glibc RPM is updated to version    glibc-2.5-81.el5_8.1 to resolve multiple security issues.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)   has assigned the names CVE-2009-5029, CVE-2009-5064,    CVE-2010-0830, CVE-2011-1089, CVE-2011-4609, and CVE-2012-0864    to these issue.

i. Update to ESX service console GnuTLS RPM

   The ESX service console GnuTLS RPM is updated to version    1.4.1-7.el5_8.2 to resolve multiple security issues.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the names CVE-2011-4128, CVE-2012-1569, and    CVE-2012-1573 to these issues.

j. Update to ESX service console popt, rpm, rpm-libs,    and rpm-python RPMS

   The ESX service console popt, rpm, rpm-libs, and rpm-python RPMS    are updated to the following versions to resolve multiple    security issues :
      - popt-1.10.2.3-28.el5_8
      - rpm-4.4.2.3-28.el5_8
      - rpm-libs-4.4.2.3-28.el5_8
      - rpm-python-4.4.2.3-28.el5_8

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the name CVE-2012-0060, CVE-2012-0061, and    CVE-2012-0815 to these issues.

k. Vulnerability in third-party Apache Struts component

   The version of Apache Struts in vCenter Operations has been    updated to 2.3.4 which addresses an arbitrary file overwrite    vulnerability. This vulnerability allows an attacker to create    a denial of service by overwriting arbitrary files without    authentication. The attacker would need to be on the same network    as the system where vCOps is installed.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has    assigned the name CVE-2012-0393 to this issue.

   Note: Apache struts 2.3.4 addresses the following issues as well :
   CVE-2011-5057, CVE-2012-0391, CVE-2012-0392, CVE-2012-0394. It    was found that these do not affect vCOps.

   VMware would like to thank Alexander Minozhenko from ERPScan for    reporting this issue to us.

ID	Name	Product	Family	Severity
89038	VMware ESX / ESXi Third-Party Libraries Multiple Vulnerabilities (VMSA-2012-0013) (remote check)	Nessus	Misc.	high
69101	VMware vCenter Operations Manager Arbitrary File Upload (VMSA-2012-0013)	Nessus	Misc.	medium
61747	VMSA-2012-0013 : VMware vSphere and vCOps updates to third-party libraries	Nessus	VMware ESX Local Security Checks	high

CVE-2012-0393

MEDIUM

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Tenable Plugins

high

medium

high