This script is Copyright (C) 2014-2016 Tenable Network Security, Inc.
The remote host has a virtualization appliance installed that is
affected by multiple vulnerabilities.
The version of vCenter Operations Manager installed on the remote host
is prior to 5.8.2. It is, therefore, affected by the following
  - An error exists in the included Apache Tomcat version
    related to handling 'Content-Type' HTTP headers and
    multipart requests such as file uploads that could
    allow denial of service attacks. (CVE-2014-0050)

  - A security bypass error exists due to the included
    Apache Struts2 component, allowing manipulation of the
    ClassLoader via the 'class' parameter, which is directly
    mapped to the getClass() method. A remote,
    unauthenticated attacker can take advantage of this
    issue to manipulate the ClassLoader used by the
    application server, allowing for the bypass of certain
    security restrictions. Note that CVE-2014-0112 exists
    because CVE-2014-0094 was not a complete fix.
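
Added example (not part of the plugin or of any vendor code): a log check for the Struts2 issue described above, flagging requests whose parameter names traverse a 'class' property in dotted or bracketed form and in any letter case. The sample log entries, addresses, paths and the `placeholder` property name are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Split an OGNL-style parameter name into property segments,
# e.g. "a.b['c']" -> ["a", "b", "c"].
_SEGMENT = re.compile(r"""[^.\[\]'"]+""")
# Request part of a common-log-format entry: client ... "METHOD target HTTP/x.y"
_REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|PUT|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample entries (documentation addresses, made-up paths and names).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/May/2014:10:00:00 +0000] '
    '"GET /app/login.action?username=alice&classroom=3b HTTP/1.1" 200 512',
    '192.0.2.44 - - [01/May/2014:10:00:05 +0000] '
    '"GET /app/login.action?class.classLoader.placeholder=x HTTP/1.1" 200 512',
    '192.0.2.44 - - [01/May/2014:10:00:06 +0000] '
    '"GET /app/login.action?user.Class%5B%27classLoader%27%5D.placeholder=x HTTP/1.1" 200 512',
]

def traverses_class(param_name):
    """True if any property segment of the name is exactly 'class' (any case)."""
    return any(seg.lower() == "class" for seg in _SEGMENT.findall(param_name))

def suspicious_params(request_target):
    """Return the query parameter names that traverse a 'class' property."""
    query = urlsplit(request_target).query
    # parse_qsl percent-decodes names, so encoded brackets and quotes are seen.
    names = [name for name, _ in parse_qsl(query, keep_blank_values=True)]
    return [n for n in names if traverses_class(n)]

def scan_access_log(lines):
    """Return (client, flagged names) for each entry with a suspicious name.

    Only query strings are visible in an access log; parameters sent in a
    request body need inspection at a proxy or in the application itself.
    """
    hits = []
    for line in lines:
        m = _REQUEST.match(line)
        if not m:
            continue
        flagged = suspicious_params(m.group(2))
        if flagged:
            hits.append((m.group(1), flagged))
    return hits

if __name__ == "__main__":
    for client, names in scan_access_log(SAMPLE_LOG):
        print(client, names)
```

Matching on whole segments keeps ordinary names such as `classroom` out of the results.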
See also :
Upgrade to vCenter Operations Manager 5.7.3 / 5.8.2 or later.
Alternatively, the vendor has provided a workaround for the security
Risk factor :
High / CVSS Base Score : 7.5
CVSS Temporal Score : 6.2
Public Exploit Available : true