SECURITYVULNS:DOC:27774 (posted Mar 19, 2012)

VMSA-2012-0002 VMware vCenter Chargeback Manager Information Leak and Denial of Service


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


               VMware Security Advisory

Advisory ID: VMSA-2012-0002
Synopsis: VMware vCenter Chargeback Manager Information Leak and
Denial of Service
Issue date: 2012-03-08
Updated on: 2012-03-08
CVE numbers: CVE-2012-1472


  1. Summary

    The vCenter Chargeback Manager contains a vulnerability that allows
    information leakage and denial-of-service.

  2. Relevant releases

    VMware vCenter Chargeback Manager prior to version 2.0.1

  3. Problem Description

    The vCenter Chargeback Manager (CBM) contains a flaw in its
    handling of XML API requests. This vulnerability allows an
    unauthenticated remote attacker to download files from the CBM
    server or conduct a denial-of-service against the server. VMware
    thanks Joshua Keyes for reporting this issue to us.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the name CVE-2012-1472 to this issue.
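The advisory does not say what in the XML API handling goes wrong. The block below is an added example, not VMware's code and not the reported flaw: it models the two outcomes the advisory names, arbitrary file download and denial of service, as they arise when an XML API honours DOCTYPE-declared entities (an external entity pulls a local file into the response; nested entity expansion exhausts memory), and shows the parser gate that closes both. The module names, the size limit and the two attacker payloads are constructed for illustration; whether CVE-2012-1472 belongs to this class is an assumption, not something the page states.

```python
"""Hardened XML request gate, added here as an example (not VMware code).

Models file disclosure and denial of service in an XML API that honours
DOCTYPE-declared entities, and the parser settings that refuse them.
Every name, limit and payload below is an assumption for illustration.
"""
import xml.parsers.expat
from xml.etree import ElementTree as ET

MAX_BODY_BYTES = 256 * 1024  # assumed request-size limit for the API

# Constructed attacker payloads for exercising the gate; not from the advisory.
# An external entity makes the parser read a local file into the document.
XXE_FILE_READ = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE request [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>\n'
    b'<request><name>&xxe;</name></request>'
)

BENIGN = b'<?xml version="1.0"?><request><name>monthly-report</name></request>'


def billion_laughs(depth: int = 8, width: int = 10) -> bytes:
    """Constructed entity-expansion payload: width**depth copies of 'lol'."""
    decls = ['<!ENTITY a0 "lol">']
    for i in range(1, depth + 1):
        refs = "&a%d;" % (i - 1) * width
        decls.append(f'<!ENTITY a{i} "{refs}">')
    doctype = "<!DOCTYPE request [" + "".join(decls) + "]>"
    return (doctype + f"<request>&a{depth};</request>").encode()


class RejectedXml(ValueError):
    """The request used an XML feature the API has no reason to accept."""


def parse_api_request(body: bytes) -> ET.Element:
    """Parse an API request body, refusing DOCTYPE, entities and external refs.

    A byte-level search for '<!DOCTYPE' would miss alternative encodings
    (a UTF-16 body, for example), so the checks are expat callbacks that fire
    after the parser has decoded the input.
    """
    if len(body) > MAX_BODY_BYTES:
        raise RejectedXml("request body too large")

    def refuse_doctype(name, system_id, public_id, has_internal_subset):
        raise RejectedXml("DOCTYPE declarations are not accepted")

    def refuse_entity(*decl):
        raise RejectedXml("entity declarations are not accepted")

    def refuse_external(context, base, system_id, public_id):
        return 0  # tell expat not to fetch it; the parse fails with ExpatError

    gate = xml.parsers.expat.ParserCreate()
    gate.StartDoctypeDeclHandler = refuse_doctype
    gate.EntityDeclHandler = refuse_entity
    gate.ExternalEntityRefHandler = refuse_external
    gate.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    gate.Parse(body, True)  # raises RejectedXml or ExpatError on bad input

    # The body passed the gate, so it carries no DTD and the tree builder
    # cannot be driven to read files or expand entities.
    return ET.fromstring(body)


def reject_reason(body: bytes):
    """Return None if the body is accepted, else a short reason string."""
    try:
        parse_api_request(body)
    except RejectedXml as exc:
        return str(exc)
    except xml.parsers.expat.ExpatError as exc:
        return f"malformed: {exc}"
    return None


if __name__ == "__main__":
    for label, body in [("benign", BENIGN), ("xxe", XXE_FILE_READ),
                        ("billion laughs", billion_laughs())]:
        print(f"{label:>14}: {reject_reason(body) or 'accepted'}")
```

Rejecting the DOCTYPE outright removes both attack surfaces at once, since neither a file-reading external entity nor an expansion bomb can be declared without one; the entity and external-reference callbacks are defence in depth in case a DOCTYPE ever slips through. The same policy is what the `defusedxml` package applies for Python, and what the `disallow-doctype-decl` feature expresses for Java's JAXP parsers.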

    Column 4 of the following table lists the action required to
    remediate the vulnerability in each release, if a solution is
    available.

    VMware         Product    Running    Replace with/
    Product        Version    on         Apply Patch
    =============  ========   =======    =================
    CBM            1.6.2      any        CBM 2.0.1
    CBM            2.0.0      any        CBM 2.0.1

  4. Solution

    Please review the patch/release notes for your product and version
    and verify the checksum of your downloaded file.

    VMware vCenter Chargeback Manager

    Download link:
    http://downloads.vmware.com/d/info/it_business_management/vmware_vcenter_chargeback/2_0

    Release Notes:
    https://www.vmware.com/support/vcbm/doc/vcbm_2_0_1_release_notes.html

    File: vCenter-CB-2.0.1-643764.zip
    md5sum: 88725667703c45f347e28464bfa8a5c7
    sha1sum: 7f47db0100b92e7717c40363a271fef563f96c30
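The advisory asks you to verify the checksum of the downloaded file. The script below is an added example, not VMware's tooling: it streams an archive through MD5 and SHA-1 and accepts it only if both digests match the published values. The two constants are copied from the advisory; the file name default and everything else are assumptions.

```python
"""Download verification, added here as an example (not VMware code).

Checks a downloaded archive against the md5sum and sha1sum values the
advisory publishes, streaming the file so a large archive is not read into
memory and comparing the digests in constant time.
"""
import hashlib
import hmac

# Values copied from the advisory for vCenter-CB-2.0.1-643764.zip.
ADVISORY_MD5 = "88725667703c45f347e28464bfa8a5c7"
ADVISORY_SHA1 = "7f47db0100b92e7717c40363a271fef563f96c30"


def file_digests(path, chunk_size=1 << 20):
    """Return (md5_hex, sha1_hex) for the file at path, read in chunks."""
    # usedforsecurity=False: these are integrity checks against published
    # values, which keeps the call legal on FIPS-restricted builds.
    md5 = hashlib.new("md5", usedforsecurity=False)
    sha1 = hashlib.new("sha1", usedforsecurity=False)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def verify_download(path, expected_md5, expected_sha1):
    """True only if both digests match the published values."""
    got_md5, got_sha1 = file_digests(path)
    # compare_digest is strict about case and whitespace, so normalise the
    # values pasted from the advisory before comparing.
    return (hmac.compare_digest(got_md5, expected_md5.strip().lower())
            and hmac.compare_digest(got_sha1, expected_sha1.strip().lower()))


if __name__ == "__main__":
    import sys
    archive = sys.argv[1] if len(sys.argv) > 1 else "vCenter-CB-2.0.1-643764.zip"
    ok = verify_download(archive, ADVISORY_MD5, ADVISORY_SHA1)
    print(f"{archive}: {'checksums match' if ok else 'CHECKSUM MISMATCH, do not install'}")
    sys.exit(0 if ok else 1)
```

Run it as `python verify.py vCenter-CB-2.0.1-643764.zip` from the download directory; a non-zero exit means at least one digest differs and the archive should not be installed. Requiring both digests is cheap and means an attacker would need a simultaneous MD5 and SHA-1 collision to pass a tampered file.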

  5. References

    CVE numbers
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1472


  6. Change log

    2012-03-08 VMSA-2012-0002 Initial security advisory in conjunction
    with the release of CBM 2.0.1 on 2012-03-08.


  7. Contact

    E-mail list for product security notifications and announcements:
    http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

    This Security Advisory is posted to the following lists:

    E-mail: security at vmware.com
    PGP key at: http://kb.vmware.com/kb/1055

    VMware Security Advisories
    http://www.vmware.com/security/advisories

    VMware security response policy
    http://www.vmware.com/support/policies/security_response.html

    General support life cycle policy
    http://www.vmware.com/support/policies/eos.html

    VMware Infrastructure support life cycle policy
    http://www.vmware.com/support/policies/eos_vi.html

    Copyright 2012 VMware Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8

wj8DBQFPWaJZDEcm8Vbi9kMRArvWAKDQCbpKBr9zM4FDZbRKDBw3/rL0VQCeITRZ
QcjvsYQZ9jRDkG1X4UKgvIY=
=bXDQ
-----END PGP SIGNATURE-----
