gothicreader
Contributor

Tomcat v6.036 CVE-2012-2733

Hello,

I'm hoping this forum will help with mitigating the CVE-2012-2733 vulnerability issue with Tomcat 6.036 that is being reported by our security scanner.

Does VMware have any plans to mitigate this vulnerability?

My current environment is patched with the latest build numbers:

ESXi 5.0 and vCenter Server 5.0:

ESXi - 914586

vCenter Server - 913577 (update 2)

vSphere Client - 913577

Tomcat does have an update to mitigate this problem - but apparently VMware doesn't? http://tomcat.apache.org/security-6.html

I have read from VMware that they do NOT recommend updating Tomcat 6.036, since this is bundled within vCenter Server.

The reported finding is:

Apache Tomcat contains multiple vulnerabilities when handling request headers and DIGEST authentication. Successful exploitation may result in authentication bypass and denial of service conditions. Note: This audit is designed for versions of Tomcat obtained from Tomcat.Apache.org and may report false findings with vendor specific backports.

I look forward to your comments.

Thanks,

Judy

Texiwill
Leadership

Hello,

My suggestion is that you open a support request (SR) with VMware to get this patched. However, I can also let you know that the security team within VMware does know about these issues and addresses them. I will also bring this to their attention and see what happens.

Have you run the same scan against vCenter 5.1? You can install this without hooking it to an ESX host; in this way you can determine if the issue has been 'fixed in the next release'.

Lastly, this is one of those reasons why we strongly urge you to create a firewalled management network (trust zone) into which vCenter would go, as well as those clients that would need to access vCenter. This is the lowest hanging fruit of virtualization security, and such a trust zone would limit access to only those who have the appropriate role. There is plenty out there written on the subject, and this could be a control to put in place to help with these issues until an official patch is released.

Best regards,

Edward L. Haletky aka Texiwill

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill