VMware fixes XSS vulnerabilities and a certificate validation issue

ID MYHACK58:62201456811
Type myhack58
Reporter Anonymous
Modified 2014-12-11T00:00:00


VMware this week released a series of patches fixing multiple vulnerabilities, including in its server virtualization platform.

One vulnerability exists in VMware vCenter Server Appliance (vCSA), a component of VMware vCenter Server. The main XSS vulnerability (CVE-2014-3797) was found by Trustwave SpiderLabs researcher Tanya Secker. An attacker can exploit it by getting a user to click on a malicious link. The vulnerability only affects vCSA 5.1; affected users can upgrade to 5.1 Update 3.

Another vulnerability (CVE-2014-8371) was discovered by the Google security team. It allows an attacker to carry out a man-in-the-middle attack against the Common Information Model (CIM) service. The root problem is that vCenter Server previously did not correctly validate certificates when connecting to the CIM server. Users of all versions of vCenter Server are affected by this certificate vulnerability. Affected users can upgrade to 5.5 Update 2, 5.1 Update 3 or 5.0 Update 3c, depending on their current version.

Six further CVEs come from third-party libraries bundled with ESXi: Python, cURL and libxml2. However, VMware does not intend to release patches for the older ESX 5.0 systems; it has pushed the patch to ESXi 5.1, but not yet to the newer ESXi 5.5. VMware also updated vCenter Server and vCenter Update Manager for critical security vulnerabilities in Oracle Java SE. Each product differs here: version 5.0 has a patch, 5.1 has not yet been fixed, and version 5.5 is not affected.

For specific vulnerability details, see here. VMware advises users to review the release notes and apply the patches promptly.