fherbstr
Contributor

VDM - Vulnerabilities scan shows errors

Hi,

we've built a new VDI environment, a connection broker internally and an internet-facing security server for users who want to connect from the home office.

The solution works fine so far and the users are able to connect perfectly. Our security guys checked the server for vulnerabilities and found some open security issues like:

THREAT:

Web Server Vulnerable to Cross-Site Scripting attacks.

Web Server Vulnerable to Redirection Page Cross-Site Scripting Attacks

I usually would patch those issues on a standard IIS or Apache/Tomcat. How are those "issues" handled on the integrated VDM webserver?

Cheers & have a nice weekend, Rod

mpryor
Commander

Hi Rod,

Are you able to be more specific? Please feel free to send me a direct message.

fherbstr
Contributor

Hi mpryor,

sure, regarding:

Web Server Vulnerable to Cross-Site Scripting Attacks

THREAT:

Your Web server does not filter script embedding from links displayed on a server's Web site.

A malicious user can exploit this vulnerability to cause JavaScript commands or embedded scripts to be executed by any user who clicks on the hyperlink. Upon clicking the hyperlink, your Web server will generate an error message including the specified or embedded script. The specified or embedded script is executed in the client's browser and treated as content originating from the target server returning the error message (even though the scripting may have originated from another site entirely).

IMPACT:

By exploiting this vulnerability, malicious scripts can be executed in the client's browser.

SOLUTION:

Any Web server may be affected by this vulnerability. To prevent cross-site scripting attacks from occurring, web developers should use static pages whenever possible and sanitize input / output.

The following vendors provided patches at the web server level. See below for a list of patches for some specific Web servers. If this information does not apply to your Web server, contact your Web server vendor. If your web server does not support filtering, please have your web developers resolve this issue at the application level.

This issue is fixed in Sun ONE / iPlanet Web Server 4.1 Service Pack 12 and above. The latest service pack is available for download from Sun ONE Web Server Enterprise Edition 4.1 Service Pack 13 (http://wwws.sun.com/software/download/products/3f8472da.html).

For Microsoft IIS Web server, apply the cumulative patch described in Microsoft Security Bulletin MS02-018 (http://www.microsoft.com/technet/security/bulletin/MS02-018.mspx). No additional service packs are planned for Windows NT 4.0. IIS 5.0 fixes will be included in Windows 2000 Service Pack 3. IIS 5.1 fixes will be included in Windows XP Service Pack 1.

Lotus Domino had this issue with Domino R5 Web server. Check the Lotus advisory SPR# JCHN4V2HUY ().

For IBM Websphere, please refer to websphere-faultactor-xss (30055) (http://xforce.iss.net/xforce/xfdb/30055).

mpryor
Commander
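The scanner finding quoted above describes a reflected XSS in error pages: the requested path is echoed into the error message without encoding. As an added illustration (not from the thread, VDM or Tomcat), here is a constructed 404 renderer in the form the scanner warns about, the same page with HTML output encoding, and the kind of reflection check a scanner applies to both; the path value is a constructed probe.

```python
import html

# Constructed sample: a request path carrying markup, the kind of harmless
# probe a vulnerability scanner sends to see whether the error page echoes it.
PROBE_PATH = "/nonexistent/<script>alert(1)</script>"

PAGE = "<html><body><h1>404 Not Found</h1><p>The requested resource {} was not found.</p></body></html>"


def vulnerable_not_found(path: str) -> str:
    """Builds a 404 page the way the finding describes: the requested path is
    interpolated into the HTML unchanged, so any markup it contains is rendered
    by the browser as if the server had authored it."""
    return PAGE.format(path)


def hardened_not_found(path: str) -> str:
    """Same page, but the path is HTML-escaped first: '<', '>', '&' and quotes
    arrive as entities and are displayed as literal text instead of parsed."""
    return PAGE.format(html.escape(path, quote=True))


def reflects_raw_markup(body: str, probe: str) -> bool:
    """The check a scanner performs on the response: True when the probe's markup
    appears verbatim in the body, False when it only appears in escaped form."""
    return probe in body


if __name__ == "__main__":
    for name, render in (("vulnerable", vulnerable_not_found), ("hardened", hardened_not_found)):
        body = render(PROBE_PATH)
        print(f"{name}: reflects raw markup = {reflects_raw_markup(body, PROBE_PATH)}")
```

The same check is what the thread's posters were effectively running against the bundled Tomcat instance; after a fix it should report no raw reflection for any probe.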

My first instinct is to reply 'wait for an updated release from us', but I can't give you a definitive answer on our policy regarding third-party software. I'll seek an official answer on whether we support patching the bundled Tomcat instance; watch this space.

rpmello
Enthusiast

Any updates here? Our security team doesn't want to allow VDM through the firewall because of these vulnerabilities... so it's put VDI at a bit of a standstill.

TomHowarth
Leadership

It has been three months now, and still no official reply from VMware regarding this vulnerability.

Tom Howarth VCP / VCAP / vExpert
VMware Communities User Moderator
Blog: http://www.planetvm.net
Contributing author on VMware vSphere and Virtual Infrastructure Security: Securing ESX and the Virtual Environment
Contributing author on VCP VMware Certified Professional on VSphere 4 Study Guide: Exam VCP-410
mpryor
Commander

Thanks for the ping Tom, I'd lost track of this thread. VDM 2.1.1, which was released at the end of October 2008, has upgraded the included version of Tomcat to 5.5.26. Several customers have reported that their static analysis tools no longer return warnings against the updated version.
