lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <C86D4718-0DB4-4C8C-A0B9-2F1579E40D36@vmware.com>
Date: Wed, 10 Oct 2012 14:40:44 -0700
From: VMware Security Response Center <security@...are.com>
To: "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>
Subject: VMSA-2012-0014 VMware vCenter Operations, CapacityIQ, and Movie
 Decoder security updates

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 -----------------------------------------------------------------------
                       VMware Security Advisory

Advisory ID:  VMSA-2012-0014
Synopsis: VMware vCenter Operations, CapacityIQ, and Movie Decoder
          security updates
Issue date:   2012-10-04
Updated on:   2012-10-04 (initial advisory)
CVE numbers:  CVE-2012-4897, CVE-2012-5050, CVE-2012-5051
 -----------------------------------------------------------------------
1. Summary

   VMware has provided an upgrade path for vCenter Operations and
   CapacityIQ and an update for Movie Decoder.  These updates address
   multiple security vulnerabilities.

2. Relevant releases

   vCenter Operations prior to 5.0.x
   vCenter CapacityIQ 1.5.x
   Movie Decoder prior to 9.0

3. Problem Description

   a. VMware Movie Decoder Installer binary planting vulnerability

      The installer of the VMware Movie Decoder has a binary planting
      vulnerability. An attacker who can write their malicious
      executable to the same folder as where the installer of the
      Movie Decoder is located may be able to run their code when the
      installation is started.
 
      VMware would like to thank Mitja Kolsek of ACROS Security for
      reporting this issue to us.
 
      The Common Vulnerabilities and Exposures project (cve.mitre.org)
      has assigned the name CVE-2012-4897 to this issue.
 
        VMware          Product   Running   Replace with/
        Product         Version   on        Apply Patch
        =============   =======   =======   =================
        Movie Decoder   7.x       Windows   Movie Decoder 9.0
        Movie Decoder   6.x       Windows   Movie Decoder 9.0
        Movie Decoder   5.x       Windows   Movie Decoder 9.0
                
   b. vCenter Operations cross-site scripting vulnerability

      The vCenter Operations server contains a cross-site scripting
      vulnerability that allows an attacker to steal an
      administrator's session cookie.  To exploit this vulnerability,
      the attacker must convince the administrator to click on a
      malicious link.

      VMware would like to thank Alexander Minozhenko of ERPScan for
      reporting this issue to us.

      The Common Vulnerabilities and Exposures project (cve.mitre.org)
      has assigned the name CVE-2012-5050 to this issue.

      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is
      available.

        VMware          Product   Running   Replace with/
        Product         Version   on        Apply Patch
        =============   =======   =======   =================
        vCOps           5.0.x     any       not affected
        vCops           1.0.x     any       affected, update to vCOps 5.0.x

   c. vCenter CapacityIQ path traversal vulnerability

      vCenter CapacityIQ contains a path traversal vulnerability that
      allows unauthenticated attackers to download arbitrary files.

      VMware would like to thank Alexander Minozhenko of ERPScan for
      reporting this issue to us.

      The Common Vulnerabilities and Exposures project (cve.mitre.org)
      has assigned the name CVE-2012-5051 to this issue.

      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is
      available.

        VMware          Product   Running   Replace with/
        Product         Version   on        Apply Patch
        =============   =======   =======   =================
        vCOps           5.0.x     any       not affected
        CapacityIQ      1.5.x     any       affected, update to vCOps 5.0.x

4. Solution

   Please review the patch/release notes for your product and version
   and verify the checksum of your downloaded file.

   vCenter Operations 5.0.x
   ----------------------
   Download link
   https://my.vmware.com/web/vmware/info/slug/infrastructure_operations_management/vmware_vcenter_operations/5_0
   
   Release Notes
   https://www.vmware.com/support/pubs/vcops-pubs.html

   Movie Decoder 9.0
   -----------------
   Download link
   https://my.vmware.com/web/vmware/info/slug/desktop_end_user_computing/vmware_workstation/9_0#drivers_tools
      
5. References
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4897
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5050
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5051

 -----------------------------------------------------------------------

6. Change log

   2012-10-04 VMSA-2012-0014 
   Initial security advisory in conjunction with the release of Movie
   Decoder 9.0 on 2012-10-04.
      
 -----------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
   
   This Security Advisory is posted to the following lists:
   
   * security-announce at lists.vmware.com
   * bugtraq at securityfocus.com
   * full-disclosure at lists.grok.org.uk
   
   E-mail: security at vmware.com
   PGP key at: http://kb.vmware.com/kb/1055
   
   VMware Security Advisories
   http://www.vmware.com/security/advisories
   
   VMware security response policy
   http://www.vmware.com/support/policies/security_response.html
   
   General support life cycle policy
   http://www.vmware.com/support/policies/eos.html
   
   VMware Infrastructure support life cycle policy
   http://www.vmware.com/support/policies/eos_vi.html
   
   Copyright 2012 VMware Inc. All rights reserved.
   
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org

iEYEARECAAYFAlBuDo0ACgkQDEcm8Vbi9kNd5gCfVwopZMAAZv1E2HXb2b0S8gih
F8cAoPmdKWTjJ6ECmGWmpL6jI6ylsACf
=ANDn
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ