[guru] VMware biztonsagi frissitesek
DATE: Tue, 27 Jul 2010 21:09:42 +0200
ESX szervíz konzol javítások:
-----------------------------
Kihozták a kernel csomag javítását.
Egyéb:
------
A VMware Studio 2.0, valamint az általa létrehozott appliance-ok Virtual
Appliance Management Infrastructure (VAMI) rendszere hibás, a management
felületen hozzáférő felhasználók kódot tudnak futtatni a rendszeren (pedig
a felület erre nem adna lehetőséget). Ugyancsak gond van a Studio átmeneti
állomány kezelésével is, de ez a hiba a létrehozott appliance-okat nem
érinti.
A VMware vCenter Update Manager Jetty web szervere direcotry traversal és
XSS hibákat tartalmaz.
--- Begin Message ---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2010-0010
Synopsis: ESX 3.5 third party update for Service Console kernel
Issue date: 2010-06-24
Updated on: 2010-06-24 (initial release of advisory)
CVE numbers: CVE-2008-5029 CVE-2008-5300 CVE-2009-1337
CVE-2009-1385 CVE-2009-1895 CVE-2009-2848
CVE-2009-3002 CVE-2009-3547 CVE-2009-2698
CVE-2009-2692
- ------------------------------------------------------------------------
1. Summary
ESX 3.5 Console OS (COS) updates for COS package 'kernel'.
2. Relevant releases
VMware ESX 3.5 without patch ESX350-201006401-SG
Notes:
Effective May 2010, VMware's patch and update release program during
Extended Support will be continued with the condition that all
subsequent patch and update releases will be based on the latest
baseline release version as of May 2010 (i.e. ESX 3.0.3 Update 1,
ESX 3.5 Update 5, and VirtualCenter 2.5 Update 6). Refer to section
"End of Product Availability FAQs" at
http://www.vmware.com/support/policies/lifecycle/vi/faq.html for
details.
Extended support for ESX 3.0.3 ends on 2011-12-10. Users should plan
to upgrade to at least ESX 3.5 and preferably to the newest release
available.
3. Problem Description
a. Service Console update for COS kernel
The service console package kernel is updated to version 2.4.21-63.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2008-5029, CVE-2008-5300, CVE-2009-1337,
CVE-2009-1385, CVE-2009-1895, CVE-2009-2848, CVE-2009-3002, and
CVE-2009-3547 to the security issues fixed in kernel-2.4.21-63.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2009-2698, CVE-2009-2692 to the security
issues fixed in kernel-2.4.21-60.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
VirtualCenter any Windows not affected
hosted * any any not affected
ESXi any ESXi not affected
ESX 4.0 ESX not applicable
ESX 3.5 ESX ESX350-201006401-SG
ESX 3.0.3 ESX affected, no update planned
vMA 4.0 RHEL5 not applicable
* hosted products are VMware Workstation, Player, ACE, Server, Fusion.
4. Solution
Please review the patch/release notes for your product and version
and verify the md5sum of your downloaded file.
ESX 3.5
-------
http://download3.vmware.com/software/vi/ESX350-201006401-SG.zip
md5sum: b89fb8a51c4a896bc0bf297b57645d1d
http://kb.vmware.com/kb/1022899
5. References
CVE numbers
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5029
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5300
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1337
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1385
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1895
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2848
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3002
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3547
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2698
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2692
- ------------------------------------------------------------------------
6. Change log
2010-06-24 VMSA-2010-0010
Initial security advisory after release of patches for ESX 3.5
on 2010-06-24
- -----------------------------------------------------------------------
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
* security-announce at lists.vmware.com
* bugtraq at securityfocus.com
* full-disclosure at lists.grok.org.uk
E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055
VMware Security Center
http://www.vmware.com/security
VMware security response policy
http://www.vmware.com/support/policies/security_response.html
General support life cycle policy
http://www.vmware.com/support/policies/eos.html
VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html
Copyright 2010 VMware Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
iEYEARECAAYFAkwkQSoACgkQS2KysvBH1xm2VQCeLPp++2UyvyvN9IuL0jQsJza+
KEIAnRkS+BHGgtPa6ZzT/lH++1Qm8naJ
=GQrj
-----END PGP SIGNATURE-----
--- End Message ---
--- Begin Message ---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2010-0011
Synopsis: VMware Studio 2.1 addresses security vulnerabilities
in virtual appliances created with Studio 2.0.
Issue date: 2010-07-13
Updated on: 2010-07-13 (initial release of advisory)
CVE numbers: CVE-2010-2427 CVE-2010-2667
- ------------------------------------------------------------------------
1. Summary
VMware Studio 2.1 addresses security vulnerabilities in virtual
appliances created with Studio 2.0.
2. Relevant releases
VMware Studio 2.0
Note: virtual appliances created with VMware Studio 2.0 may be
affected
3. Problem Description
a. VMware Studio 2.0 remote command execution by Studio user
VMware Studio is a development tool to create and manage virtual
appliances. VMware Studio itself is a virtual appliance.
A vulnerability in the Virtual Appliance Management Infrastructure
(VAMI) allows for remote command execution in Studio 2.0 or in
virtual appliances created with Studio 2.0. Exploitation of the
issue requires authentication to Studio or to the virtual appliance.
Studio 2.0
----------
The vulnerability may be exploited on Studio if both of these
conditions apply:
- you have Studio 2.0
and
- you have created a user account with limited privileges (this is
not the default configuration).
Studio is by default shipped with the root user account and no other
user accounts. For this reason, exploitation of the vulnerability
would not yield any gain for an attacker since the attacker would
need to know the credentials of the root user account in order to
launch an attack. If an attacker knows the credentials of the root
user, the attacker will have other avenues to compromise Studio.
In case another user account with limited privileges has been added
to Studio, the exploitation of the issue may lead to remote command
execution by the attacker. The attacker would still need to know
the credentials of the additional user account in order to launch an
attack.
Virtual appliances created with Studio 2.0
------------------------------------------
The vulnerability may be exploited on a virtual appliance if both of
these conditions apply:
- the virtual appliance was created with Studio 2.0
and
- the virtual appliance has a user account with limited privileges.
The following command will show which version of Studio was used to
create the virtual appliance:
"vamicli version --studio"
If the issue can be exploited, the following will remove this
possibility:
- disable user accounts that have limited privileges
or
- disable the vami-sfcbd daemon (note: this will prevent the use of
VAMI features such as using the web interface to set the network
configuration)
or
- recreate the virtual appliance using Studio 2.1.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2010-2667 to this issue.
VMware would like to thank Claudio Criscione of Secure Network for
reporting this issue to us.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
VMware Studio 1.0 VMware not affected
VMware Studio 2.0 VMware not affected (default conf.) *
VMware Studio 2.1 VMware not affected
VMware Studio
plug-in for
Eclipse any Eclipse not affected
* The default configuration of Studio 2.0 is not affected, see above
for details. Virtual appliances created with Studio 2.0 may be
affected, see above for details.
b. VMware Studio 2.0 local privilege escalation vulnerability
VMware Studio is a development tool to create and manage virtual
appliances. VMware Studio itself is a virtual appliance.
A vulnerability in the way temporary files are written may lead
to a privilege escalation in Studio 2.0. Exploitation of the issue
requires authentication to the system running Studio. Virtual
appliances created with Studio 2.0 are not affected.
Studio is by default shipped with the root user account and no other
user accounts. For this reason, exploitation of the vulnerability
would not yield any gain for an attacker since the attacker would
need to know the credentials of the root user account in order to
launch an attack. If an attacker knows the credentials of the root
user, the attacker will have other avenues to compromise Studio.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2010-2427 to this issue.
VMware would like to thank Claudio Criscione of Secure Network for
reporting this issue to us.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
VMware Studio 1.0 VMware not affected
VMware Studio 2.0 VMware not affected (default conf.) *
VMware Studio 2.1 VMware not affected
VMware Studio
plug-in for
Eclipse any Eclipse not affected
* The default configuration of Studio 2.0 is not affected, see above
for details. Virtual appliances created with Studio are not
affected.
4. Solution
Please review the patch/release notes for your product and version
and verify the md5sum or sha1sum of your downloaded file.
VMware Studio 2.1 build 1318-268792
-----------------------------------
http://www.vmware.com/support/developer/studio/
Release notes:
http://www.vmware.com/support/developer/studio/studio21/release_notes.html
Following downloads are available from
http://www.vmware.com/downloads/download.do?downloadGroup=STUDIO21GA
VMware Studio appliance in ZIP
md5sum:b8555e11412da3b9ab4a8a663069380b
sha1sum:ec53078d40bb2abaa207ba62ee893a0502dc861b
VMware Studio appliance in OVA
md5sum:9bff9cfd011245278063c8821981519a
sha1sum:163e13587a1a80582970bc02fac98e93df99fdc7
VMware Studio appliance in OVF 1.0
md5sum:f7269080b987aac2982ca50df22f4cc9
sha1sum:d579a72d8bf3f04711816e01d83b999b8b2105ce
VMware Studio appliance in OVF 0.9
md5sum:3388ea758d7f47c51277efad77900a69
sha1sum:0a11225b448085c82909892ba1ff3d3310ad55a5
VMDK associated with the OVF 1.0 and OVF 0.9 descriptor
md5sum:8bc772e36155e2917fa0f1ca63de6759
sha1sum:ca7e77b87c7b2c03a32515da4091e19bb5c1c8a7
VMware Studio Plugin for Eclipse in ZIP
md5sum:d260c26e9ede41e6412407d0089495e9
sha1sum:648812be742968dc8b0e54d3de4d6a90d2f3e17f
5. References
CVE numbers
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2427
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2667
- ------------------------------------------------------------------------
6. Change log
2010-07-13 VMSA-2010-0011
Initial security advisory after release of Studio 2.1 on 2010-07-13.
- -----------------------------------------------------------------------
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
* security-announce at lists.vmware.com
* bugtraq at securityfocus.com
* full-disclosure at lists.grok.org.uk
E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055
VMware Security Center
http://www.vmware.com/security
VMware security response policy
http://www.vmware.com/support/policies/security_response.html
General support life cycle policy
http://www.vmware.com/support/policies/eos.html
VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html
Copyright 2010 VMware Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8
wj8DBQFMO/mBS2KysvBH1xkRAuk8AJ47bVVbirFHy9YV7tlkEjBnqoFn/ACfXbmH
MpvA3yOeQCEdX/rTqVFF+zY=
=Wn5B
-----END PGP SIGNATURE-----
--- End Message ---
--- Begin Message ---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2010-0012
Synopsis: VMware vCenter Update Manager fix for Jetty Web
server addresses important security vulnerabilities
Issue date: 2010-07-19
Updated on: 2010-07-19 (initial release of advisory)
CVE numbers: CVE-2009-1523 CVE-2009-1524
- ------------------------------------------------------------------------
1. Summary
VMware vCenter Update Manager fix for Jetty Web server addresses
important security vulnerabilities.
2. Relevant releases
VMware vCenter Update Manager 1.0
VMware vCenter Update Manager 4.0
VMware vCenter Update Manager 4.1
3. Problem Description
a. VMware vCenter Update Manager Jetty Web server vulnerabilities
VMware vCenter Update Manager is an automated patch management
solution for VMware ESX hosts and Microsoft virtual machines. Update
Manager embeds the Jetty Web server which is a third party
component.
The default version of the Jetty Web server in Update Manager is
version 6.1.6 for which the following relevant vulnerabilities are
reported.
A directory traversal vulnerability in Jetty allows for obtaining
files from the system where Update Manager is installed by a remote,
unauthenticated attacker. The attacker would need to be on the same
network as the system where Update Manager is installed.
A cross-site scripting vulnerability in Jetty allows for running
JavaScript in the browser of the user who clicks a URL containing a
malicious request to Update Manager. For an attack to be successful
the attacker would need to lure the user into clicking the malicious
URL.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the names CVE-2009-1523 and CVE-2009-1524 to these issues.
VMware would like to thank Claudio Criscione of Secure Network for
reporting these issues to us.
Column 4 of the following table lists the action required to
remediate the vulnerabilities in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============== ======= ======= =================
Update Manager 1.0 Windows Update Manager fix for Jetty *
Update Manager 4.0 Windows Update Manager fix for Jetty *
Update Manager 4.1 Windows Update Manager fix for Jetty *
* Refer to VMware Knowledge Base article 1023962
4. Solution
Please review the patch/release notes for your product and version
and verify the md5sum of your downloaded file.
VMware vCenter Update Manager
-----------------------------
Update Manager fix for Jetty
http://kb.vmware.com/kb/1023962
5. References
CVE numbers
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1523
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1524
- ------------------------------------------------------------------------
6. Change log
2010-07-19 VMSA-2010-0012
Initial security advisory after release of VMware vCenter Update Manager
security fix for the Jetty Web server on 2010-07-19.
- ------------------------------------------------------------------------
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
* security-announce at lists.vmware.com
* bugtraq at securityfocus.com
* full-disclosure at lists.grok.org.uk
E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055
VMware Security Center
http://www.vmware.com/security
VMware security response policy
http://www.vmware.com/support/policies/security_response.html
General support life cycle policy
http://www.vmware.com/support/policies/eos.html
VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html
Copyright 2010 VMware Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8
wj8DBQFMRHzZS2KysvBH1xkRAmGOAJ9NP3RuHj2w4mwu3saJFdjce+PrqwCfXhLk
kQ3DQOJquo4Ymo7foPajEwY=
=iZyn
-----END PGP SIGNATURE-----
--- End Message ---