Cross-site scripting (XSS) vulnerability in the internal browser in vSphere Client in VMware vSphere 4.1 before Update 2 and 5.0 before Update 1 allows remote attackers to inject arbitrary web script or HTML via a crafted log-file entry.

The remote VMware ESX / ESXi host is missing a security-related patch.
It is, therefore, affected by multiple vulnerabilities, including remote code execution vulnerabilities, in the following components :

  - Apache Tomcat
  - bzip2 library
  - JRE
  - WDDM display driver
  - XPDM display driver

a. VMware Tools Display Driver Privilege Escalation

 The VMware XPDM and WDDM display drivers contain buffer overflow  vulnerabilities and the XPDM display driver does not properly  check for NULL pointers. Exploitation of these issues may lead  to local privilege escalation on Windows-based Guest Operating  Systems.

 VMware would like to thank Tarjei Mandt for reporting theses  issues to us.

 The Common Vulnerabilities and Exposures project (cve.mitre.org)  has assigned the names CVE-2012-1509 (XPDM buffer overrun),  CVE-2012-1510 (WDDM buffer overrun) and CVE-2012-1508 (XPDM null  pointer dereference) to these issues.

 Note: CVE-2012-1509 doesn't affect ESXi and ESX.

b. vSphere Client internal browser input validation vulnerability

 The vSphere Client has an internal browser that renders html  pages from log file entries. This browser doesn't properly  sanitize input and may run script that is introduced into the  log files. In order for the script to run, the user would need  to open an individual, malicious log file entry. The script  would run with the permissions of the user that runs the vSphere  Client.

 VMware would like to thank Edward Torkington for reporting this  issue to us.

 The Common Vulnerabilities and Exposures project (cve.mitre.org)  has assigned the name CVE-2012-1512 to this issue.

 In order to remediate the issue, the vSphere Client of the  vSphere 5.0 Update 1 release or the vSphere 4.1 Update 2 release  needs to be installed. The vSphere Clients that come with  vSphere 4.0 and vCenter Server 2.5 are not affected.

c. vCenter Orchestrator Password Disclosure

 The vCenter Orchestrator (vCO) Web Configuration tool reflects  back the vCenter Server password as part of the webpage. This  might allow the logged-in vCO administrator to retrieve the  vCenter Server password.

 VMware would like to thank Alexey Sintsov from Digital Security  Research Group for reporting this issue to us.

 The Common Vulnerabilities and Exposures project (cve.mitre.org)  has assigned the name CVE-2012-1513 to this issue.

d. vShield Manager Cross-Site Request Forgery vulnerability

 The vShield Manager (vSM) interface has a Cross-Site Request  Forgery vulnerability. If an attacker can convince an  authenticated user to visit a malicious link, the attacker may  force the victim to forward an authenticated request to the  server.

 VMware would like to thank Frans Pehrson of Xxor AB  (www.xxor.se<http://www.xxor.se>) and Claudio Criscione for independently reporting  this issue to us

 The Common Vulnerabilities and Exposures project (cve.mitre.org)  has assigned the name CVE-2012-1514 to this issue.

e. vCenter Update Manager, Oracle (Sun) JRE update 1.6.0_30

 Oracle (Sun) JRE is updated to version 1.6.0_30, which addresses  multiple security issues that existed in earlier releases of  Oracle (Sun) JRE.

 Oracle has documented the CVE identifiers that are addressed in  JRE 1.6.0_29 and JRE 1.6.0_30 in the Oracle Java SE Critical  Patch Update Advisory of October 2011. The References section  provides a link to this advisory.

f. vCenter Server Apache Tomcat update 6.0.35

 Apache Tomcat has been updated to version 6.0.35 to address  multiple security issues.

 The Common Vulnerabilities and Exposures project (cve.mitre.org)  has assigned the names CVE-2011-3190, CVE-2011-3375,  CVE-2011-4858, and CVE-2012-0022 to these issues.


g. ESXi update to third-party component bzip2

 The bzip2 library is updated to version 1.0.6, which resolves a  security issue.

 The Common Vulnerabilities and Exposures project (cve.mitre.org)  has assigned the name CVE-2010-0405 to this issue.

ID	Name	Product	Family	Severity
89106	VMware ESX / ESXi Multiple Vulnerabilities (VMSA-2012-0005) (BEAST) (remote check)	Nessus	Misc.	critical
58362	VMSA-2012-0005 : VMware vCenter Server, Orchestrator, Update Manager, vShield, vSphere Client, Workstation, Player, ESXi, and ESX address several security issues	Nessus	VMware ESX Local Security Checks	critical

Detections

Analytics

CVE-2012-1512

medium

Tenable Plugins

critical

critical