Credit:
The original article can be found at: http://www.vmware.com/security/advisories/VMSA-2012-0014.html
Vulnerable Systems:
* vCenter Operations prior to 5.0.x
* vCenter CapacityIQ 1.5.x
* Movie Decoder prior to 9.0
a. VMware Movie Decoder Installer binary planting vulnerability
The installer of the VMware Movie Decoder has a binary planting vulnerability. An attacker who can write a malicious executable to the folder that contains the Movie Decoder installer may be able to run their code when the installation is started.
VMware would like to thank Mitja Kolsek of ACROS Security for reporting this issue to us.
b. vCenter Operations cross-site scripting vulnerability
The vCenter Operations server contains a cross-site scripting vulnerability that allows an attacker to steal an administrator's session cookie. To exploit this vulnerability, the attacker must convince the administrator to click on a malicious link.
c. vCenter CapacityIQ path traversal vulnerability
vCenter CapacityIQ contains a path traversal vulnerability that allows unauthenticated attackers to download arbitrary files.
POC:
https://www.vmware.com/support/pubs/vcops-pubs.html
Vendor Status:
The vendor has issued an update for this vulnerability.
Patch Availability:
https://my.vmware.com/web/vmware/info/slug/infrastructure_operations_management/vmware_vcenter_operations/5_0
CVE Information:
CVE-2012-4897
CVE-2012-5050
CVE-2012-5051
Disclosure Timeline:
Publish Date: 2012-10-04
Update Date: 2012-10-04 (initial advisory)