|
|
|
|
| |
Credit:
The information has been provided by vmware.
|
| |
Vulnerable Systems:
* VMware VirtualCenter client 2.x before 2.0.1 Patch 1 (Build 33643)
* VMware VirtualCenter client 1.4.x before 1.4.1 Patch 1 (Build 33425)
To ensure a secure channel of communication, you must be sure that any communication is with "trusted" sites whose identity you can be sure of. Both the client and server need certificates from a mutually-trusted Certificate Authority (CA).
However, certificate verification is not enabled by default for the clients. After installing VirtualCenter 2.0.1 Patch 1 or VirtualCenter 1.4.1 Patch 1, you must specifically enable server-certificate verification on theWindows client hosts.
VirtualCenter 2.0.1 Patch 1 and VirtualCenter 1.4.1 Patch 1 resolve an issue with server-certificate verification by VirtualCenter clients during the initial SSL handshake. Specifically, the x.509 certificate presented by a server to a client at the beginning of an SSL session is not verified. VirtualCenter 2.0.1 Patch 1 and VirtualCenter 1.4.1 Patch 1 resolve this issue for Windows client hosts.
Solution:
Note that installing the updated software does not, by default, enable authentication. For information about how to enable this new optional capability, see Knowledge Base (KB) article 4646606, "Enabling Server- Certificate Verification for Virtual Infrastructure Clients."
Client hosts include:
* VirtualCenter Server host, which operates as a client to each of the servers that it manages;
VirtualCenter Server 2.x:
* Virtual Infrastructure Client (VI Client, or VIC), client software that lets you connect to and manage ESX Server hosts directly, or through a VirtualCenter Server host;
VirtualCenter Server 1.x:
* VirtualCenter Client (VC Client), client software that lets you connect to and manage ESX Server 2.x hosts through a VirtualCenter Server host (1.x version).
CVE Information:
CVE-2006-5990
|
|
|
|
|
