VMSA-2012-0005 : VMware vCenter Server, Orchestrator, Update Manager, vShield, vSphere Client, Workstation, Player, ESXi, and ESX address several security issues
Critical Nessus Plugin ID 58362
Synopsis
The remote VMware ESXi / ESX host is missing one or more security-related patches.
Description
a. VMware Tools Display Driver Privilege Escalation
The VMware XPDM and WDDM display drivers contain buffer overflow vulnerabilities and the XPDM display driver does not properly check for NULL pointers. Exploitation of these issues may lead to local privilege escalation on Windows-based Guest Operating Systems.
VMware would like to thank Tarjei Mandt for reporting these issues to us.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2012-1509 (XPDM buffer overrun), CVE-2012-1510 (WDDM buffer overrun) and CVE-2012-1508 (XPDM null pointer dereference) to these issues.
Note: CVE-2012-1509 doesn't affect ESXi and ESX.
b. vSphere Client internal browser input validation vulnerability
The vSphere Client has an internal browser that renders HTML pages from log file entries. This browser doesn't properly sanitize input and may run script that is introduced into the log files. In order for the script to run, the user would need to open an individual, malicious log file entry. The script would run with the permissions of the user that runs the vSphere Client.
VMware would like to thank Edward Torkington for reporting this issue to us.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2012-1512 to this issue.
In order to remediate the issue, the vSphere Client of the vSphere 5.0 Update 1 release or the vSphere 4.1 Update 2 release needs to be installed. The vSphere Clients that come with vSphere 4.0 and vCenter Server 2.5 are not affected.
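The root cause described in item b is log text reaching an embedded browser as live markup. The following added example (not VMware's code; the log line format, field names and function names are assumptions for illustration) shows the unsafe concatenation pattern beside its hardened form, which HTML-encodes every log-derived field before it enters the page, plus a small check a reviewer can run over rendered output:

```python
"""Render log entries into an HTML view without letting log text become markup.

Added example, not VMware code. The log line shape and names below are
assumptions for illustration only.
"""
import html
import re

# Constructed sample entries. The third one carries markup that a renderer
# must treat as data, never as live HTML.
SAMPLE_LOG = [
    "2012-03-15T10:01:02.123Z [7F0C1B90 info 'vpxa'] Host sync complete",
    "2012-03-15T10:01:05.456Z [7F0C1B90 warning 'Vmomi'] Slow response from 10.0.0.5",
    "2012-03-15T10:02:11.789Z [7F0C1B90 info 'Hostsvc'] VM renamed to <script>injected()</script>",
]

# Assumed layout: "<timestamp> [<context>] <message>"
LOG_RE = re.compile(r"^(?P<ts>\S+) \[(?P<ctx>[^\]]*)\] (?P<msg>.*)$")


def parse_entry(line):
    """Split a log line into fields; lines of unknown shape become a bare message."""
    m = LOG_RE.match(line)
    if not m:
        return {"ts": "", "ctx": "", "msg": line}
    return m.groupdict()


def render_unsafe(line):
    """The pattern behind the issue: log text is concatenated straight into markup."""
    e = parse_entry(line)
    return "<tr><td>%s</td><td>%s</td><td>%s</td></tr>" % (e["ts"], e["ctx"], e["msg"])


def render_safe(line):
    """Hardened form: every field is HTML-escaped (including quotes) on output."""
    e = parse_entry(line)
    cells = tuple(html.escape(e[k], quote=True) for k in ("ts", "ctx", "msg"))
    return "<tr><td>%s</td><td>%s</td><td>%s</td></tr>" % cells


def render_table(lines, renderer=render_safe):
    """Build the whole view; the renderer decides whether log text is encoded."""
    rows = "\n".join(renderer(line) for line in lines)
    return "<table>\n%s\n</table>" % rows


def contains_live_tag(fragment, tag="script"):
    """Review check: does rendered output contain an unescaped <tag ...> element?"""
    return re.search(r"<\s*%s\b" % re.escape(tag), fragment, re.IGNORECASE) is not None


if __name__ == "__main__":
    print(render_table(SAMPLE_LOG, render_unsafe))  # third row carries a live <script>
    print(render_table(SAMPLE_LOG))                 # third row shows &lt;script&gt; as text
```

The point of `contains_live_tag` is not to filter input (blocklisting tags is brittle) but to give a test that fails whenever a renderer forgets to encode; the fix itself is the unconditional `html.escape` on every untrusted field.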
c. vCenter Orchestrator Password Disclosure
The vCenter Orchestrator (vCO) Web Configuration tool reflects back the vCenter Server password as part of the webpage. This might allow the logged-in vCO administrator to retrieve the vCenter Server password.
VMware would like to thank Alexey Sintsov from Digital Security Research Group for reporting this issue to us.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2012-1513 to this issue.
d. vShield Manager Cross-Site Request Forgery vulnerability
The vShield Manager (vSM) interface has a Cross-Site Request Forgery vulnerability. If an attacker can convince an authenticated user to visit a malicious link, the attacker may force the victim to forward an authenticated request to the server.
VMware would like to thank Frans Pehrson of Xxor AB (www.xxor.se) and Claudio Criscione for independently reporting this issue to us.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2012-1514 to this issue.
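Item d describes the classic CSRF condition: the browser attaches the victim's session credential to a request that a page on another origin caused. The standard control is a synchronizer token that lives in the server-side session and must be echoed back on every state-changing request, since a foreign origin cannot read it. The added example below (not vShield Manager code; the request and session shapes and all names are assumptions) implements that check over constructed requests:

```python
"""Synchronizer-token check for state-changing requests.

Added example, not vShield Manager code. Request/session shapes and
names are assumptions for illustration only.
"""
import hmac
import secrets

STATE_CHANGING = {"POST", "PUT", "DELETE", "PATCH"}


class Session:
    """Server-side session; the CSRF token is stored here, never in a URL."""

    def __init__(self):
        self.csrf_token = secrets.token_urlsafe(32)


def issue_form(session):
    """What the legitimate UI embeds in its forms (hidden field or request header)."""
    return {"csrf_token": session.csrf_token}


def validate_request(request, session):
    """Return (allowed, reason) for a request dict with 'method', 'headers', 'form'."""
    method = request["method"].upper()
    if method not in STATE_CHANGING:
        return True, "read-only request"
    supplied = (request.get("headers", {}).get("X-CSRF-Token")
                or request.get("form", {}).get("csrf_token"))
    if not supplied:
        return False, "missing CSRF token"
    # Constant-time comparison so the check leaks nothing about the token.
    if not hmac.compare_digest(supplied, session.csrf_token):
        return False, "CSRF token mismatch"
    return True, "token verified"


def demo():
    """Constructed traffic: one legitimate request and two cross-site forgeries."""
    sess = Session()
    legit = {"method": "POST", "form": {"action": "add-rule", **issue_form(sess)}}
    forged_no_token = {"method": "POST", "form": {"action": "add-rule"}}
    forged_guess = {"method": "POST",
                    "headers": {"X-CSRF-Token": secrets.token_urlsafe(32)}}
    return [validate_request(r, sess)[0] for r in (legit, forged_no_token, forged_guess)]


if __name__ == "__main__":
    print(demo())  # [True, False, False]
```

The session cookie alone cannot authorize the action because the browser sends it automatically; only the token, which the attacker's page never sees, distinguishes a request the user meant to make. Read-only methods are exempted so that the check does not break bookmarks, but that is only safe if GET handlers genuinely change no state.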
e. vCenter Update Manager, Oracle (Sun) JRE update 1.6.0_30
Oracle (Sun) JRE is updated to version 1.6.0_30, which addresses multiple security issues that existed in earlier releases of Oracle (Sun) JRE.
Oracle has documented the CVE identifiers that are addressed in JRE 1.6.0_29 and JRE 1.6.0_30 in the Oracle Java SE Critical Patch Update Advisory of October 2011. The References section provides a link to this advisory.
f. vCenter Server Apache Tomcat update 6.0.35
Apache Tomcat has been updated to version 6.0.35 to address multiple security issues.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2011-3190, CVE-2011-3375, CVE-2011-4858, and CVE-2012-0022 to these issues.
g. ESXi update to third-party component bzip2
The bzip2 library is updated to version 1.0.6, which resolves a security issue.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2010-0405 to this issue.
Solution
Apply the missing patches.