===================================================================== CERT-Renater Note d'Information No. 2012/VULN108 _____________________________________________________________________ DATE : 09/03/2012 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S) : Systems running VMware vCenter Chargeback Manager versions prior to version 2.0.1. ====================================================================== http://lists.vmware.com/pipermail/security-announce/2012/000161.html _______________________________________________________________________ ------------------------------------------------------------------------ VMware Security Advisory Advisory ID: VMSA-2012-0002 Synopsis: VMware vCenter Chargeback Manager Information Leak and Denial of Service Issue date: 2012-03-08 Updated on: 2012-03-08 CVE numbers: CVE-2012-1472 ------------------------------------------------------------------------ 1. Summary The vCenter Chargeback Manager contains a vulnerability that allows information leakage and denial-of-service. 2. Relevant releases VMware vCenter Chargeback Manager prior to version 2.0.1 3. Problem Description The vCenter Chargeback Manager (CBM) contains a flaw in its handling of XML API requests. This vulnerability allows an unauthenticated remote attacker to download files from the CBM server or conduct a denial-of-service against the server. VMware thanks Joshua Keyes for reporting this issue to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2012-1472 to this issue. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= CBM 1.6.2 any CBM 2.0.1 CBM 2.0.0 any CBM 2.0.1 4. Solution Please review the patch/release notes for your product and version and verify the checksum of your downloaded file. VMware vCenter Chargeback Manager --------------- Download link: http://downloads.vmware.com/d/info/it_business_management/vmware_vcenter_chargeback/2_0 Release Notes: https://www.vmware.com/support/vcbm/doc/vcbm_2_0_1_release_notes.html File: vCenter-CB-2.0.1-643764.zip md5sum: 88725667703c45f347e28464bfa8a5c7 sha1sum: 7f47db0100b92e7717c40363a271fef563f96c30 5. References CVE numbers http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1472 ------------------------------------------------------------------------ 6. Change log 2012-03-08 VMSA-2012-0002 Initial security advisory in conjunction with the release of CBM 2.0.1 on 2012-03-08. ----------------------------------------------------------------------- 7. Contact E-mail list for product security notifications and announcements: http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce This Security Advisory is posted to the following lists: * security-announce at lists.vmware.com * bugtraq at securityfocus.com * full-disclosure at lists.grok.org.uk E-mail: security at vmware.com PGP key at: http://kb.vmware.com/kb/1055 VMware Security Advisories http://www.vmware.com/security/advisories VMware security response policy http://www.vmware.com/support/policies/security_response.html General support life cycle policy http://www.vmware.com/support/policies/eos.html VMware Infrastructure support life cycle policy http://www.vmware.com/support/policies/eos_vi.html Copyright 2012 VMware Inc. All rights reserved. ====================================================================== ========================================================= Les serveurs de référence du CERT-Renater http://www.cru.fr/securite http://www.renater.fr ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 23 - 25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email: certsvp@renater.fr + =========================================================