VMware products address vulnerabilities in WebAccess

a. WebAccess Context Data Cross-site Scripting Vulnerability A cross-site scripting vulnerability in WebAccess allows for disclosure of sensitive information. The flaw is due to insufficient verification of certain parameters which may lead to redirection of a user’s requests. This vulnerability can only be exploited if the attacker tricks the WebAccess user into clicking a malicious link and the attacker has control of a server on the same network as the system where WebAccess is being used. Workaround By switching off WebAccess the issue can no longer be exploited. This can be accomplished on affected versions of Virtual Center and ESX as follows: Virtual Center 2.0.2 and Virtual Center 2.5: Go to the Windows Services overview on the system that runs Virtual Center. To stop WebAccess without a reboot: Change the status of the VMware Infrastructure Web Access service to stop To prevent WebAccess from starting after the next reboot: Change the startup type of the VMware Infrastructure Web Access service to disabled ESX 3.0.3 and ESX 3.5: Open a root shell on ESX. To stop WebAccess without a reboot: service vmware-webAccess stop To prevent WebAccess from starting after the next reboot: chkconfig vmware-webAccess off VMware would like to thank David Byrne and Tom Leavey of Trustwave’s SpiderLabs for reporting this issue to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2009-2277 to this issue. The following table lists what action remediates the vulnerability (column 4) if a solution is available.