VMware VMSA-2009-0017
History: Dec 15, 2009 - 12:00 a.m.

VMware vCenter, ESX patch and vCenter Lab Manager releases address cross-site scripting issues

2009-12-15 00:00:00
www.vmware.com

CVSS2: 4.3 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N

EPSS: 0.003 Low
Percentile: 70.8%

a. WebWorks Help - Cross-site scripting vulnerability

WebWorks Help is an output format that allows online Help to be delivered on multiple platforms and browsers, which makes it easy to publish information on the Web or on an enterprise intranet. WebWorks Help is used for creating the online help pages that are available in VMware WebAccess, Lab Manager and Stage Manager.

WebWorks Help doesn’t sufficiently sanitize incoming requests, which may result in cross-site scripting vulnerabilities in applications that are built with WebWorks Help.

Exploitation of these vulnerabilities in VMware products requires tricking a user into clicking a malicious link or opening a malicious web page while they are logged in to vCenter, ESX or VMware Server using WebAccess, or logged in to Stage Manager or Lab Manager.

Successful exploitation can lead to theft of user credentials. These vulnerabilities can be exploited remotely only if the attacker has access to the Service Console network.

Security best practices provided by VMware recommend that the Service Console be isolated from the VM network. Please see http://www.vmware.com/resources/techresources/726 for more information on VMware security best practices.

Client-side protection measures included with current browsers are not always able to prevent these attacks from being executed.

VMware would like to thank Daniel Grzelak and Alex Kouzemtchenko of stratsec (www.stratsec.net) for finding and reporting this issue. VMware would also like to thank Ben Allums of WebWorks.com for working on the remediation of this issue with us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2009-3731 to this issue.

The following table lists what action remediates the vulnerability (column 4) if a solution is available.
