VMware vCenter Chargeback Manager Multiple Java Vulnerabilities (VMSA-2015-0003) (POODLE)
critical Nessus Plugin ID 82899
Language:
New! Vulnerability Priority Rating (VPR)
Tenable calculates a dynamic VPR for every vulnerability. VPR combines vulnerability information with threat intelligence and machine learning algorithms to predict which vulnerabilities are most likely to be exploited in attacks. Read more about what VPR is and how it is different from CVSS.
VPR Score: 9
Synopsis
The remote Windows host has an application installed that is affected by multiple vulnerabilities.Description
The version of VMware vCenter Chargeback Manager installed on the remote host is affected by a man-in-the-middle (MitM) information disclosure vulnerability known as POODLE. The vulnerability is due to the way SSL 3.0 handles padding bytes when decrypting messages encrypted using block ciphers in cipher block chaining (CBC) mode.MitM attackers can decrypt a selected byte of a cipher text in as few as 256 tries if they are able to force a victim application to repeatedly send the same data over newly created SSL 3.0 connections.
(CVE-2014-3566)
Additionally, unspecified vulnerabilities also exist in the following bundled Java components :
- 2D (CVE-2014-6585, CVE-2014-6591)
- Deployment (CVE-2015-0403, CVE-2015-0406)
- Hotspot (CVE-2014-6601, CVE-2015-0383, CVE-2015-0395, CVE-2015-0437)
- Installation (CVE-2015-0421)
- JAX-WS (CVE-2015-0412)
- JSSE (CVE-2014-6593)
- Libraries (CVE-2014-6549, CVE-2014-6587, CVE-2015-0400)
- RMI (CVE-2015-0408)
- Security (CVE-2015-0410)
- Serviceability (CVE-2015-0413)
- Swing (CVE-2015-0407)
Solution
Apply the vendor patch referenced in :- KB: 2112011 for vCenter Chargeback Manager 2.7
- KB: 2113178 for vCenter Chargeback Manager 2.6
See Also
https://www.vmware.com/security/advisories/VMSA-2015-0003.html
https://seclists.org/fulldisclosure/2015/Apr/5
http://www.nessus.org/u?2fc26e85
http://www.nessus.org/u?09fca0e3
http://www.nessus.org/u?75c6cafb
http://www.nessus.org/u?64c6b956
http://www.nessus.org/u?726f7054
https://www.imperialviolet.org/2014/10/14/poodle.html
https://www.openssl.org/~bodo/ssl-poodle.pdf
https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00
Plugin Details
Severity: Critical
ID: 82899
File Name: vmware_vcenter_chargeback_manager_vmsa_2015_0003.nasl
Version: 1.8
Type: local
Agent: windows
Family: Windows
Published: 4/20/2015
Updated: 11/15/2018
Dependencies: vmware_vcenter_chargeback_manager_installed.nasl
Risk Information
Risk Factor: Critical
VPR Score: 9
CVSS v2.0
Base Score: 10
Temporal Score: 7.8
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal Vector: E:POC/RL:OF/RC:C
Vulnerability Information
CPE: cpe:/a:vmware:vcenter_chargeback_manager
Required KB Items: SMB/VMware vCenter Chargeback Manager/Version, SMB/Registry/Enumerated
Exploit Available: true
Exploit Ease: Exploits are available
Patch Publication Date: 4/9/2015
Vulnerability Publication Date: 10/14/2014
Reference Information
CVE: CVE-2014-3566, CVE-2014-6549, CVE-2014-6585, CVE-2014-6587, CVE-2014-6591, CVE-2014-6593, CVE-2014-6601, CVE-2015-0383, CVE-2015-0395, CVE-2015-0400, CVE-2015-0403, CVE-2015-0406, CVE-2015-0407, CVE-2015-0408, CVE-2015-0410, CVE-2015-0412, CVE-2015-0413, CVE-2015-0421, CVE-2015-0437
BID: 70574, 72132, 72136, 72137, 72140, 72142, 72146, 72148, 72150, 72154, 72155, 72159, 72162, 72165, 72168, 72169, 72173, 72175, 72176