Vulnerability category: VMware
Severity:
Vulnerability details
VMware vCenter is the centralized management tool for the vSphere suite. The target is missing Update U3f, which corrects the following security issue:
The Flash-based vSphere Web Client (i.e. not the new HTML5-based vSphere Client) contains server-side request forgery (SSRF) and CRLF injection issues due to improper neutralization of URLs. An attacker may exploit these issues by sending a POST request with modified headers towards internal services, which can lead to information disclosure.
QID Detection Logic (Authenticated)
This check tests for a vulnerable version of vCenter.
Impact
A remote user can obtain potentially sensitive information on the target system.
Solution
VMware has issued a fix (5.5 U3f).
Upgrade vCenter Server Appliance to Build 6516310 or apply the latest VMware vCenter Server Appliance build.
Refer to VMSA-2017-0017 for further details.
Patch:
The following are links for downloading patches to fix the vulnerabilities: