Summary
The remote ESXi host is missing one or more security-related updates from VMSA-2012-0018.
Summary
VMware has updated vCenter Server Appliance (vCSA) and ESX to address multiple security vulnerabilities.
Relevant releases
vCenter Server Appliance 5.1 prior to vCSA 5.1.0b
vCenter Server Appliance 5.0 prior to vCSA 5.0 Update 2
VMware ESXi 5.1 without patch ESXi510-201212101
VMware ESXi 5.0 without patch ESXi500-201212101
Problem Description
a. vCenter Server Appliance directory traversal
The vCenter Server Appliance (vCSA) contains a directory traversal vulnerability that allows an authenticated remote user to retrieve arbitrary files. Exploitation of this issue may expose sensitive information stored on the server.
b. vCenter Server Appliance arbitrary file download
The vCenter Server Appliance (vCSA) contains an XML parsing vulnerability that allows an authenticated remote user to retrieve arbitrary files. Exploitation of this issue may expose sensitive information stored on the server.
c. Update to ESX glibc package
The ESX glibc package is updated to version glibc-2.5-81.el5_8.1 to resolve multiple security issues.
Solution
Apply the missing patch(es).
See Also:
http://www.vmware.com/security/advisories/VMSA-2012-0018.html
Severity
Classification
CVE: CVE-2009-5029, CVE-2009-5064, CVE-2010-0830, CVE-2011-1089, CVE-2011-4609, CVE-2012-0864, CVE-2012-3404, CVE-2012-3405, CVE-2012-3406, CVE-2012-3480, CVE-2012-6324, CVE-2012-6325
CVSS Base Score: 6.9
AV:L/AC:M/Au:N/C:C/I:C/A:C
Related Vulnerabilities
- VMSA-2013-0016 VMware ESXi and ESX unauthorized file access through vCenter Server and ESX
- VMSA-2014-0012: VMware vSphere product updates address security vulnerabilities
- VMSA-2013-0011 VMware ESX and ESXi updates to third party libraries
- VMSA-2013-0004 VMware ESXi security update for third party library
- VMSA-2012-0018: VMware security updates for vCSA and ESXi