exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

VMware Security Advisory 2006-0001.asc

VMware Security Advisory 2006-0001.asc
Posted Jun 3, 2006
Authored by VMware | Site vmware.com

VMware Security Advisory VMSA-2006-0001: VMware ESX Server Cross Site Scripting issue

tags | advisory, xss
SHA-256 | 726f9d276952b2f62ad214bd01f6b5a9ad22236f887256e9dee21bdc2411de2e

VMware Security Advisory 2006-0001.asc

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


- -------------------------------------------------------------------
VMware Security Advisory

Advisory ID: VMSA-2006-0001
Synopsis: VMware ESX Server Cross Site Scripting issue
VMware ESX 2.5.2 prior to upgrade patch 2
VMware ESX 2.1.2 prior to upgrade patch 6
VMware ESX 2.0.1 prior to upgrade patch 6
NOT VULNERABLE: VMware ESX 2.5.3 and later
Advisory URL: http://www.vmware.com/support/kb/enduser/std_adp.php?p_faqid=2001
Issue date: 2006-05-24
Updated on: 2006-05-24
CVE Name: CVE-2005-3619
- -------------------------------------------------------------------

1. Summary:

A Cross Site Scripting issue affects VMware ESX Server.

VMware has rated the severity of this issue a Priority 1 issue.

2. Relevant release:

VMware ESX 2.5.2 prior to upgrade patch 2
VMware ESX 2.1.2 prior to upgrade patch 6
VMware ESX 2.0.1 prior to upgrade patch 6
NOT VULNERABLE: VMware ESX 2.5.3 and later

3. Problem description:

VMware ESX Server provides a web application to perform management
of the system. One of the functions of this application is to allow
administrative users to view log files, through a browser.

In vulnerable releases, no encoding of syslog data is performed to
ensure that meta-characters are not interpreted by the browser.
An attacker could potentially inject content into the syslog file
where it could be rendered when viewed through the Management Interface.

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2005-3619 to this issue.

4. Solution:

Upgrade to the lastest packages: http://www.vmware.com/download/esx/

As of this writing
2.5.3 is the latest release for the 2.5.x branch.

2.5.2 patch 4 also fixes this issue. 2.1.2 patch 6 is the latest
release and 2.0.1 patch 6 addresses this issue.

Installing the Update

This update requires you to boot your server into Linux mode to perform
the upgrade. When you are prompted to reboot at the end of the upgrade,
the installer will restart your system to run ESX Server.

1. Power off all virtual machines and shutdown your server.
2. Restart your system.
3. At the LILO Boot Menu, select the linux option. Allow the system
start procedure to complete.
4. Log in as root into the ESX Server service console, in Linux mode.
Make sure your path variable contains /usr/bin:/bin.
5. Download the tar file into a temporary directory under /root on
your ESX service console.
6. Change directories to that temporary directory.
7. Verify the integrity of the package for your version:
# md5sum esx-*-upgrade.tar.gz

The md5 checksum output should match one of the following:
90900eb0a824ce9b9a427c77383eae72 esx-2.5.2-21059-upgrade.tar.gz
93961d5e9a5e609502ef84082f94c4d1 esx-2.1.2-18670-upgrade.tar.gz
5830bb96fedfecb7f4d95b484c1bfa3a esx-2.0.1-18595-upgrade.tar.gz

8. Extract the compressed tar archive:
# tar -xvzf esx-2.0.1-18595-upgrade.tar.gz
9. Change directories to the newly created directory
# cd esx-2.0.1-18595-upgrade
10. Run the patch installer:
# /usr/bin/perl ./upgrade.pl

Note: Once you start the installation script, do not enter keyboard
escape commands such as Control-C or Control-D. Using escape
commands will interrupt the upgrade procedure and leave your
system partially upgraded.

11. The system updates have now been installed. A reboot prompt displays:
Reboot the server now [y/n]?

This update will not be complete until you reboot the ESX Server. If
you enter N, to indicate that you will not reboot at this time, ESX
Server displays the warning message:

"Please reboot the server manually for this update to take effect.
Update has been terminated unexpectedly."

If you see this message, you must manually reboot the server to complete
the driver update.

12. At the reboot prompt, enter Y to reboot the server.

7. References:

http://www.corsaire.com/
http://www.corsaire.com/advisories/c051114-002.txt
http://www.vmware.com/products/esx/
http://www.aspectsecurity.com/topten/xss.html

8. Acknowledgments

VMware would like to thank Stephen de Vries and the security
consultancy Corsaire Limited, <http://www.corsaire.com/>.

9. Contact:

http://www.vmware.com/security

Copyright 2006 VMware Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEfvW8LsZLrftG15MRAmJOAJ9oUqsHxj8lEysJkbq90mq0cVZKxQCeKQxF
k+PqBhDToC82bejRD+L2h0U=
=LbLD
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

November 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    16 Files
  • 2
    Nov 2nd
    17 Files
  • 3
    Nov 3rd
    17 Files
  • 4
    Nov 4th
    11 Files
  • 5
    Nov 5th
    0 Files
  • 6
    Nov 6th
    0 Files
  • 7
    Nov 7th
    3 Files
  • 8
    Nov 8th
    59 Files
  • 9
    Nov 9th
    12 Files
  • 10
    Nov 10th
    6 Files
  • 11
    Nov 11th
    11 Files
  • 12
    Nov 12th
    1 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    9 Files
  • 15
    Nov 15th
    33 Files
  • 16
    Nov 16th
    53 Files
  • 17
    Nov 17th
    11 Files
  • 18
    Nov 18th
    14 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    26 Files
  • 22
    Nov 22nd
    22 Files
  • 23
    Nov 23rd
    10 Files
  • 24
    Nov 24th
    9 Files
  • 25
    Nov 25th
    11 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close