Summary
The remote ESXi host is missing one or more security-related updates from VMSA-2012-0018.
Summary
VMware has updated vCenter Server Appliance (vCSA) and ESX to address multiple security vulnerabilities.
Relevant releases
vCenter Server Appliance 5.1 prior to vCSA 5.1.0b
vCenter Server Appliance 5.0 prior to vCSA 5.0 Update 2
VMware ESXi 5.1 without patch ESXi510-201212101
VMware ESXi 5.0 without patch ESXi500-201212101
Problem Description
a. vCenter Server Appliance directory traversal
The vCenter Server Appliance (vCSA) contains a directory traversal vulnerability that allows an authenticated remote user to retrieve arbitrary files. Exploitation of this issue may expose sensitive information stored on the server.
b. vCenter Server Appliance arbitrary file download
The vCenter Server Appliance (vCSA) contains an XML parsing vulnerability that allows an authenticated remote user to retrieve arbitrary files. Exploitation of this issue may expose sensitive information stored on the server.
c. Update to ESX glibc package
The ESX glibc package is updated to version glibc-2.5-81.el5_8.1 to resolve multiple security issues.
Solution
Apply the missing patch(es).
See Also:
http://www.vmware.com/security/advisories/VMSA-2012-0018.html
Severity
Classification
- CVE: CVE-2009-5029, CVE-2009-5064, CVE-2010-0830, CVE-2011-1089, CVE-2011-4609, CVE-2012-0864, CVE-2012-3404, CVE-2012-3405, CVE-2012-3406, CVE-2012-3480, CVE-2012-6324, CVE-2012-6325
- CVSS Base Score: 6.9 (AV:L/AC:M/Au:N/C:C/I:C/A:C)
Related Vulnerabilities
- VMSA-2014-0006: VMware product updates address OpenSSL security vulnerabilities
- VMSA-2014-0002 VMware vSphere updates to third party libraries
- VMSA-2014-0005: VMware Workstation, Player, Fusion, and ESXi patches address a guest privilege escalation
- VMSA-2013-0016 VMware ESXi and ESX unauthorized file access through vCenter Server and ESX
- VMSA-2013-0004 VMware ESXi security update for third party library