Vigil@nce - VMware vCenter, vSphere: three vulnerabilities
May 2011 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
An attacker can exploit three vulnerabilities in VMware vCenter
Server and vSphere Client Installer.
Severity: 2/4
Creation date: 06/05/2011
IMPACTED PRODUCTS
– VMware ESX
– VMware ESXi
– VMware vCenter
– VMware VirtualCenter
DESCRIPTION OF THE VULNERABILITY
Three vulnerabilities were announced in the VMware vCenter Server
and vSphere Client Installer products.
A remote attacker can read files located outside the root
directory of vCenter/VirtualCenter. [severity:2/4; CVE-2011-0426]
An attacker who is authenticated on vCenter can obtain the SOAP
session identifier in order to elevate their privileges.
[severity:2/4; CVE-2011-1788]
The vSphere Client Installer displays an error message indicating
that it is not signed. [severity:1/4; CVE-2011-1789]
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/VMware-vCenter-vSphere-three-vulnerabilities-10620