Multiple VMware Products Multiple Input Validation Vulnerabilities

Bugtraq ID:	52525
Class:	Input Validation Error
CVE:	CVE-2012-1512 CVE-2012-1513 CVE-2012-1514
Remote:	Yes
Local:	No
Published:	Mar 15 2012 12:00AM
Updated:	Mar 15 2012 12:00AM
Credit:	Edward Torkington, Claudio Criscione, Alexey Sintsov from Digital Security Research Group, Frans Pehrson of Xxor AB
Vulnerable:	VMWare vSphere 5.0 0 VMWare vSphere 4.1 VMWare vShield Manager 4.1 for Linux 0 VMWare vShield Manager 4.0 for Linux 0 VMWare vCenter Orchestrator 4.2 for Windows 0 VMWare vCenter Orchestrator 4.1 for Windows 0 VMWare vCenter Orchestrator 4.0 for Windows 0
Not Vulnerable:	VMWare vSphere 5.0 Update 1 0 VMWare vSphere 4.1 Update 2 0 VMWare vShield Manager 4.1.0 Update 2 for Linux 0 VMWare vShield Manager 1.0.1 Update 2 for Linux 0 VMWare vCenter Orchestrator 4.2 Update 1 for Windows 0 VMWare vCenter Orchestrator 4.1 Update 2 for Windows 0 VMWare vCenter Orchestrator 4.0 Update 4 for Windows 0

Multiple VMware Products Multiple Input Validation Vulnerabilities

Multiple VMware products are prone to multiple input validation vulnerabilities that includes cross-site scripting, cross-site request-forgery and information-disclosure vulnerabilities.

An attacker can exploit these issues to steal cookie-based authentication credentials, perform unauthorized actions in the context of a user's session, or disclose sensitive-information.

Multiple VMware Products Multiple Input Validation Vulnerabilities

An attacker can exploit these issues through a browser. To exploit a cross-site scripting issue, the attacker must entice an unsuspecting victim to follow a malicious URI.

Multiple VMware Products Multiple Input Validation Vulnerabilities

Solution:
Updates are available. Please see the references for more information.

Multiple VMware Products Multiple Input Validation Vulnerabilities

References:

• [Security-announce] VMSA-2012-0005 VMware vCenter Server, Orchestrator, Update M (VMWare)
  
• VMware Homepage (VMware)