Vulnerability category: VMware
Vulnerability severity:
Vulnerability information
VMware vCenter is the centralized management tool for the vSphere suite. The target is missing Update U3c, which corrects the following security issue:
VMware vCenter Server does not correctly handle specially crafted LDAP network packets, which may allow a remote denial of service. (CVE-2017-4927)
The Flash-based vSphere Web Client (i.e. not the new HTML5-based vSphere Client) contains server-side request forgery (SSRF) and CRLF injection issues due to improper neutralization of URLs. An attacker may exploit these issues by sending a POST request with modified headers towards internal services, leading to information disclosure. (CVE-2017-4927)
QID Detection Logic (Authenticated)
This check looks for a vulnerable version of vCenter.
Impact
A remote user can cause denial of service conditions.
A remote user can obtain potentially sensitive information on the target system.
Solution
VMware has issued a fix (6.0 U3c).
Upgrade vCenter Server Appliance to Build 7037393 or apply the latest VMware vCenter Server Appliance build.
Refer to VMSA-2017-0017 for further details.
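As an added example that is not part of this advisory, the authenticated check described above (vulnerable version of vCenter, judged against the 6.0 U3c fix build 7037393) written as a small Python triage routine; the AboutInfo shape, which only mimics the version/build fields the vSphere API reports, and every sample inventory value are constructed assumptions.

```python
# Added example (not from the advisory): decide whether a vCenter 6.0
# instance is still missing Update 3c from the version/build it reports.
# AboutInfo mimics the version/build fields of the vSphere API's about
# info that an authenticated check would read; all sample values below
# are constructed and do not correspond to real appliances.
from dataclasses import dataclass

FIXED_BUILD_60 = 7037393  # vCenter Server Appliance 6.0 U3c (VMSA-2017-0017)


@dataclass
class AboutInfo:
    version: str  # e.g. "6.0.0"
    build: str    # the API reports the build number as a string


def missing_u3c(about: AboutInfo) -> str:
    """Return 'vulnerable', 'patched' or 'unknown' for the 6.0 branch only.

    Other branches (5.5, 6.5) have their own fix builds, which this
    advisory excerpt does not list, so they are reported as 'unknown'
    rather than guessed.
    """
    if not about.version.startswith("6.0"):
        return "unknown"
    try:
        build = int(about.build)
    except ValueError:
        return "unknown"  # malformed build string: do not guess either way
    return "patched" if build >= FIXED_BUILD_60 else "vulnerable"


# Constructed sample inventory, as a sweep over several appliances would yield.
SAMPLE_INVENTORY = [
    ("vcsa-a", AboutInfo("6.0.0", "5318203")),  # constructed, below the fix build
    ("vcsa-b", AboutInfo("6.0.0", "7037393")),  # exactly the U3c build
    ("vcsa-c", AboutInfo("6.5.0", "5973321")),  # constructed, branch not covered here
    ("vcsa-d", AboutInfo("6.0.0", "n/a")),      # malformed build string
]


def triage(inventory):
    """Map each appliance name to its patch status for this advisory."""
    return {name: missing_u3c(info) for name, info in inventory}


if __name__ == "__main__":
    for name, status in triage(SAMPLE_INVENTORY).items():
        print(f"{name}: {status}")
```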
Patch:
Following are links for downloading patches to fix the vulnerabilities: