Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 294215 (CVE-2010-0686) - <=app-emulation/vmware-server-2.0.2.203138 multiple vulnerabilities (CVE-2010-0686)
Summary: <=app-emulation/vmware-server-2.0.2.203138 multiple vulnerabilities (CVE-2010...
Status: RESOLVED FIXED
Alias: CVE-2010-0686
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: http://www.vmware.com/security/adviso...
Whiteboard: ~2 [noglsa]
Keywords:
: 294567 (view as bug list)
Depends on:
Blocks:
 
Reported: 2009-11-23 15:37 UTC by Stefan Behte (RETIRED)
Modified: 2011-10-24 03:53 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Behte (RETIRED) gentoo-dev Security 2009-11-23 15:37:05 UTC
VMSA-2009-0016
Relevant for us is only VMWare Server 2.0

a. JRE Security Update
b. Update Apache Tomcat version to 6.0.20
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2009-11-23 17:45:06 UTC
It's app-emulation/vmware-server, I had a litte copy&paste accident there.
Comment 2 Huemi 2009-11-25 14:41:30 UTC
*** Bug 294567 has been marked as a duplicate of this bug. ***
Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2010-04-06 04:05:09 UTC
CVE-2010-0686 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0686):
  WebAccess in VMware VirtualCenter 2.0.2 and 2.5, VMware Server 2.0,
  and VMware ESX 3.0.3 and 3.5 allows remote attackers to leverage
  proxy-server functionality to spoof the origin of requests via
  unspecified vectors, related to a "URL forwarding vulnerability."

Comment 4 Vadim Kuznetsov (RETIRED) gentoo-dev 2010-04-06 15:38:34 UTC
(In reply to comment #3)
> CVE-2010-0686 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0686):
>   WebAccess in VMware VirtualCenter 2.0.2 and 2.5, VMware Server 2.0,
>   and VMware ESX 3.0.3 and 3.5 allows remote attackers to leverage
>   proxy-server functionality to spoof the origin of requests via
>   unspecified vectors, related to a "URL forwarding vulnerability."
> 

According to http://www.vmware.com/security/advisories/VMSA-2010-0005.html
a. WebAccess Context Data Cross-site Scripting Vulnerability
hosted **      any       any      not affected    
b. WebAccess Virtual Machine Name Cross-site Scripting Vulnerability
Server         2.0       any      not affected
Server         1.0       any      not being fixed at this time ***
c. WebAccess URL Forwarding Vulnerability
Server         2.0       any      not being fixed at this time *
d. WebAccess JSON Cross-site Scripting Vulnerability
Server         2.0       any      not being fixed at this time *

Solution:
* Use the workaround of disabling WebAccess to remediate the issue.

Comment 5 Tim Sammut (RETIRED) gentoo-dev 2011-10-24 03:53:57 UTC
VMware server has been removed from the tree. Closing noglsa for ~arch only package.