VMSA-2012-0014 VMware vCenter Operations, CapacityIQ, and Movie Decoder security updates

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                   VMware Security Advisory

Advisory ID: VMSA-2012-0014
Synopsis: VMware vCenter Operations, CapacityIQ, and Movie Decoder
security updates
Issue date: 2012-10-04
Updated on: 2012-10-04 (initial advisory)
CVE numbers: CVE-2012-4897, CVE-2012-5050, CVE-2012-5051

1. Summary

   VMware has provided an upgrade path for vCenter Operations and
   CapacityIQ and an update for Movie Decoder. These updates address
   multiple security vulnerabilities.

2. Relevant releases

   vCenter Operations prior to 5.0.x
   vCenter CapacityIQ 1.5.x
   Movie Decoder prior to 9.0

3. Problem Description

   a. VMware Movie Decoder Installer binary planting vulnerability

   The installer of the VMware Movie Decoder has a binary planting
   vulnerability. An attacker who can write their malicious
   executable to the same folder as where the installer of the
   Movie Decoder is located may be able to run their code when the
   installation is started.

   VMware would like to thank Mitja Kolsek of ACROS Security for
   reporting this issue to us.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)
   has assigned the name CVE-2012-4897 to this issue.

    VMware          Product   Running   Replace with/
    Product         Version   on        Apply Patch
    =============   =======   =======   =================
    Movie Decoder   7.x       Windows   Movie Decoder 9.0
    Movie Decoder   6.x       Windows   Movie Decoder 9.0
    Movie Decoder   5.x       Windows   Movie Decoder 9.0
   

   b. vCenter Operations cross-site scripting vulnerability

   The vCenter Operations server contains a cross-site scripting
   vulnerability that allows an attacker to steal an
   administrator's session cookie. To exploit this vulnerability,
   the attacker must convince the administrator to click on a
   malicious link.

   VMware would like to thank Alexander Minozhenko of ERPScan for
   reporting this issue to us.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)
   has assigned the name CVE-2012-5050 to this issue.

   Column 4 of the following table lists the action required to
   remediate the vulnerability in each release, if a solution is
   available.

    VMware          Product   Running   Replace with/
    Product         Version   on        Apply Patch
    =============   =======   =======   =================
    vCOps           5.0.x     any       not affected
    vCops           1.0.x     any       affected, update to vCOps 5.0.x
   

   c. vCenter CapacityIQ path traversal vulnerability

   vCenter CapacityIQ contains a path traversal vulnerability that
   allows unauthenticated attackers to download arbitrary files.

   VMware would like to thank Alexander Minozhenko of ERPScan for
   reporting this issue to us.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)
   has assigned the name CVE-2012-5051 to this issue.

   Column 4 of the following table lists the action required to
   remediate the vulnerability in each release, if a solution is
   available.

    VMware          Product   Running   Replace with/
    Product         Version   on        Apply Patch
    =============   =======   =======   =================
    vCOps           5.0.x     any       not affected
    CapacityIQ      1.5.x     any       affected, update to vCOps 5.0.x
   

4. Solution

   Please review the patch/release notes for your product and version
   and verify the checksum of your downloaded file.

   vCenter Operations 5.0.x

   Download link
   https://my.vmware.com/web/vmware/info/slug/infrastructure_operations_management/vmware_vcenter_operations/5_0

   Release Notes
   https://www.vmware.com/support/pubs/vcops-pubs.html

   Movie Decoder 9.0

   Download link
   https://my.vmware.com/web/vmware/info/slug/desktop_end_user_computing/vmware_workstation/9_0#drivers_tools

5. References
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4897
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5050
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5051

6. Change log

   2012-10-04 VMSA-2012-0014
   Initial security advisory in conjunction with the release of Movie
   Decoder 9.0 on 2012-10-04.

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

   • security-announce at lists.vmware.com
   • bugtraq at securityfocus.com
   • full-disclosure at lists.grok.org.uk

   E-mail: security at vmware.com
   PGP key at: http://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   VMware security response policy
   http://www.vmware.com/support/policies/security_response.html

   General support life cycle policy
   http://www.vmware.com/support/policies/eos.html

   VMware Infrastructure support life cycle policy
   http://www.vmware.com/support/policies/eos_vi.html

   Copyright 2012 VMware Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org

iEYEARECAAYFAlBuDo0ACgkQDEcm8Vbi9kNd5gCfVwopZMAAZv1E2HXb2b0S8gih
F8cAoPmdKWTjJ6ECmGWmpL6jI6ylsACf
=ANDn
-----END PGP SIGNATURE-----