- CVSS2: 7.5 High (AV:N/AC:L/Au:N/C:P/I:P/A:P)
  - Access Vector: NETWORK
  - Access Complexity: LOW
  - Authentication: NONE
  - Confidentiality Impact: PARTIAL
  - Integrity Impact: PARTIAL
  - Availability Impact: PARTIAL
- EPSS: 0.176 Low (Percentile: 96.1%)

a. Updated Openwsman

Openwsman is a system management platform that implements the Web Services Management protocol (WS-Management). It is installed and running by default. It is used in the VMware Management Service Console and in ESXi.

The openwsman 2.0.0 management service on ESX 3.5 and ESXi 3.5 is vulnerable to the following issue found by the SuSE Security-Team:

- Two remote buffer overflows while decoding the HTTP basic authentication header

This vulnerability could potentially be exploited by users without valid login credentials.

Openwsman before 2.0.0 is not vulnerable to this issue. The ESXi 3.5 patch ESXe350-200808201-O-UG updated openwsman to version 2.0.0. The ESX 3.5 patch ESX350-200808205-UG updated openwsman to version 2.0.0. These patches are installed as part of the ESX and ESXi Upgrade 2 release. The ESX patch can be installed individually.

Version Information and Workaround

The following VMware KB articles provide information on how to obtain the version of openwsman in your environment and what a possible workaround for the issue might be.

- ESXi 3.5: Refer to the VMware KB article at kb.vmware.com/kb/1005818.
- ESX 3.5: Refer to the VMware KB article at kb.vmware.com/kb/1006878.

Note: This vulnerability can be exploited remotely only if the attacker has access to the service console network.

Security best practices provided by VMware recommend that the service console be isolated from the VM network. Please see www.vmware.com/resources/techresources/726 for more information on VMware security best practices.

The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2008-2234 to this issue.

The following table lists what action remediates the vulnerability (column 4) if a solution is available.

| CPE | Name | Operator | Version |
|---|---|---|---|
| | esxi | lt | ESXe350-200808501-I-SG |
| | esx | lt | ESX350-200808413-SG |