Computer Security

From: VMWARE <security_(at)>
Subject: VMSA-2009-0017 VMware vCenter, ESX patch and vCenter Lab Manager releases address cross-site scripting issues

-----------------------------------------------------------------------
                  VMware Security Advisory

Advisory ID:       VMSA-2009-0017
Synopsis:          VMware vCenter, ESX patch and vCenter Lab Manager
                  releases address cross-site scripting issues
Issue date:        2009-12-15
Updated on:        2009-12-15 (initial release of advisory)
CVE numbers:       CVE-2009-3731
-----------------------------------------------------------------------

1. Summary

   VMware vCenter and ESX update releases address cross-site scripting
   issues in the Help functionality of WebAccess. A vCenter Lab Manager
   release addresses the same issues which are present in the online
   Help functionality of Lab Manager and Stage Manager.

2. Relevant releases

   ESX 4.0 without patch ESX400-200911223-UG
   vCenter 4.0 GA
   VMware Server 2.0.2
   VMware Lab Manager 2.x
   VMware vCenter Lab Manager 3.x
   VMware vCenter Lab Manager 4.0
   VMware vCenter Stage Manager 1.x

3. Problem Description

a. WebWorks Help - Cross-site scripting vulnerability

   WebWorks Help is an output format that allows online Help to be
   delivered on multiple platforms and browsers, which makes it easy
   to publish information on the Web or on an enterprise intranet.
   WebWorks Help is used for creating the online help pages that are
   available in VMware WebAccess, Lab Manager and Stage Manager.

   WebWorks Help doesn't sufficiently sanitize incoming requests which
   may result in cross-site scripting vulnerabilities in applications
   that are built with WebWorks Help.

   Exploitation of these vulnerabilities in VMware products requires
   tricking a user into clicking a malicious link or opening a
   malicious web page while they are logged in to vCenter, ESX or
   VMware Server using WebAccess, or logged in to Stage Manager or Lab

   Successful exploitation can lead to theft of user credentials. These
   vulnerabilities can be exploited remotely only if the attacker has
   access to the Service Console network.

   Security best practices provided by VMware recommend that the
   Service Console be isolated from the VM network. Please see for more
   information on VMware security best practices.

   Client-side protection measures included with current browsers are not
   always able to prevent these attacks from being executed.

   VMware would like to thank Daniel Grzelak and Alex Kouzemtchenko of
   stratsec ( for finding and reporting this issue.
   VMware would also like to thank Ben Allums of for working
   on the remediation of this issue with us.

   The Common Vulnerabilities and Exposures project ( has
   assigned the name CVE-2009-3731 to this issue.

   The following table lists what action remediates the vulnerability
   (column 4) if a solution is available.

   VMware         Product   Running  Replace with/
   Product        Version   on       Apply Patch
   =============  ========  =======  =================
   vCenter        4.0       Windows  Update 1
   VirtualCenter  2.5       Windows  not affected
   VirtualCenter  2.0.2     Windows  not affected

   Workstation    any       any      not affected

   Player         any       any      not affected

   Server         2.0.2     any      VMware KB 1016594
   Server         1.0       any      not affected

   ACE            any       any      not affected

   Fusion         any       any      not affected

   ESXi           any       ESXi     not affected

   ESX            4.0       ESX      ESX400-200911223-UG
   ESX            3.5       ESX      not affected
   ESX            3.0.3     ESX      not affected
   ESX            2.5.5     ESX      not affected

   vMA            4.0       RHEL5    not affected

   Lab Manager    any       any      Lab Manager 4.0.1

   Stage Manager  any       any      Lab Manager 4.0.1

  Note: The remediation provided by is not applicable
        to VMware products.

4. Solution

  Please review the patch/release notes for your product and version
  and verify the md5sum of your downloaded file.

  VMware vCenter Server 4 Update 1
  Version      4.0 Update 1
  Build Number 208156
  Release Date 2009/11/19
  Type         Product Binaries

  VMware vCenter Server 4 and modules
  File size: 1.8 GB
  File type: .iso
  MD5SUM: 057d55b32eb27fe5f3e01bc8d3df3bc5
  SHA1SUM: c90134418c2e4d3d6637d8bee44261300ad95ec1

  VMware vCenter Server 4 and modules
  File size: 1.5 GB
  File type: .zip
  MD5SUM: f843d9c19795eb3bc5a77f5c545468a8
  SHA1SUM: 9a7abd8e70bd983151e2ee40e1b3931525c4480c

  VMware vSphere Client and Host Update Utility
  File size: 113.8 MB
  File type: .exe
  MD5SUM: 6cc6b2c958e7e9529c284e48dfae22a9
  SHA1SUM: f4c19c63a75d93cffc57b170066358160788c959

  VMware vCenter Converter BootCD
  File size: 98.8 MB
  File type: .zip
  MD5SUM: 3df94eb0e93de76b0389132ada2a3799
  SHA1SUM: 5d7c04e4f9f8ae25adc8de5963fefd8a4c92464c

  VMware vCenter Converter CLI (Linux)
  File size: 36.9 MB
  File type: .tar.gz
  MD5SUM: 3766097563936ba5e03e87e898f6bd48
  SHA1SUM: 36d485bdb5eb279296ce8c8523df04bfb12a2cb4

  ESX 4.0
  ESX400-200911223-UG (Update 1a)
  md5sum: 99c1fcafbf0ca105ce73840d686e9914
  sha1sum: aa8a23416271bc28b6b8f6bdbe00045e36314ebb

  To install an individual bulletin use esxupdate with the -b option.
  esxupdate -b ESX400-200911223-UG

  VMware Server 2.0.2

  Stage Manager

  Lab Manager 4.0.1
  md5sum: b4d8f5637eaea59f028eafe62d0366ab
  sha1sum: a437726b45dce0a72fb5cbd3996a6d6f84e6c8df
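
  Added example, not part of VMware's advisory: a Python sketch that parses checksum entries in the layout used in section 4 and reports which published entry a downloaded file matches, requiring every listed digest to agree. The function names are illustrative, and the digests are only as trustworthy as the copy of the advisory they were read from.

```python
import hashlib
import re

# Checksum lines as the advisory prints them ("MD5SUM:" or "md5sum:", same for SHA1).
_SUM_RE = re.compile(r"^\s*(md5|sha1)sum:\s*([0-9a-f]+)\s*$", re.IGNORECASE)
# Descriptive lines that sit between an entry's title and its checksums.
_META_RE = re.compile(r"^\s*(File size|File type|Version|Build Number|Release Date|Type)\b")
_HEX_LEN = {"md5": 32, "sha1": 40}

# Excerpt copied from the advisory text above.
ADVISORY_EXCERPT = """
  ESX 4.0
  ESX400-200911223-UG (Update 1a)
  md5sum: 99c1fcafbf0ca105ce73840d686e9914
  sha1sum: aa8a23416271bc28b6b8f6bdbe00045e36314ebb
"""


def parse_checksums(text):
    """Return [{'title', 'md5', 'sha1'}, ...]; title is the nearest preceding label line."""
    entries, title, current = [], None, None
    for line in text.splitlines():
        m = _SUM_RE.match(line)
        if m:
            algo, digest = m.group(1).lower(), m.group(2).lower()
            if title is None or len(digest) != _HEX_LEN[algo]:
                raise ValueError(f"malformed checksum line: {line!r}")
            if current is None:  # first checksum under this title opens the entry
                current = {"title": title}
                entries.append(current)
            current[algo] = digest
        elif line.strip() and not _META_RE.match(line):
            title, current = line.strip(), None
    return entries


def file_digests(path, chunk_size=1 << 20):
    """Hash the file once, in chunks, so multi-gigabyte images never sit in memory."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def match_download(path, entries):
    """Return the title of the entry whose every published digest matches, else None."""
    actual = file_digests(path)
    for entry in entries:
        published = {k: v for k, v in entry.items() if k != "title"}
        if published and all(actual[a] == d for a, d in published.items()):
            return entry["title"]
    return None
```

  Entries are kept as a list rather than keyed by title because the advisory lists two files under the same name ("VMware vCenter Server 4 and modules", .iso and .zip).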

5. References

  CVE numbers

------------------------------------------------------------------------
6. Change log

2009-12-15  VMSA-2009-0017
Initial security advisory after publication of information by third
party vendor,, on 2009-12-15.

-----------------------------------------------------------------------
7. Contact

E-mail list for product security notifications and announcements:

This Security Advisory is posted to the following lists:

 * security-announce at
 * bugtraq at
 * full-disclosure at

E-mail:  security at
PGP key at:

VMware Security Center

VMware security response policy

General support life cycle policy

VMware Infrastructure support life cycle policy

Copyright 2009 VMware Inc.  All rights reserved.
