Hello Team,
I have a customer who has upgraded vCenter from 6.0 to 6.5.
But the Python version is still 2.7.11, which has the vulnerability mentioned below.
*Summary:*
This host is running CPython and is prone to man-in-the-middle attack and arbitrary code execution vulnerabilities.
*Insight:*
Multiple flaws exist because the smtplib library in CPython does not return an error when StartTLS fails, and because of an integer overflow error in the 'get_data' function in 'zipimport.c'.
*Impact:*
Successful exploitation will allow man-in-the-middle attackers to bypass the TLS protections and remote attackers to cause a buffer overflow.
*Impact Level:* Application
*Affected Software/OS:*
CPython before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 on Windows.
*Vulnerability Detection Method:*
Get the installed version with the help of the detect NVT and check whether the version is vulnerable.
Installed version: 2.7.11
Fixed version: 2.7.12
I have done a test with a fresh installation of vCenter 6.5 and the vulnerability is gone, since Python 2.7.12 is installed.
Now my question is: how do I install Python version 2.7.12, or upgrade the Python version from 2.7.11 to 2.7.12?
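The scan report above describes two conditions worth checking on the defender's side: whether an interpreter falls in the affected version ranges, and whether client code treats a failed STARTTLS as a hard error rather than silently continuing in cleartext. The script below is an added example written for this thread; it is not code from VMware, from the scanner, or from the original poster. The version ranges are taken directly from the report, and `_ScriptedSMTP` is a constructed stand-in for `smtplib.SMTP` so the wrapper can be exercised offline without a mail server.

```python
"""Defender-side checks for the two smtplib/StartTLS points in the scan report:
(1) does a CPython version fall in the ranges the report lists as affected, and
(2) refuse to continue unless the server answered STARTTLS with 220."""
import smtplib
import sys


def is_affected(version):
    """Return True if a CPython version tuple falls in the ranges the report
    lists: before 2.7.12, 3.x before 3.4.5, 3.5.x before 3.5.2."""
    major, minor, micro = (tuple(version) + (0, 0, 0))[:3]
    if major == 2:
        return (major, minor, micro) < (2, 7, 12)
    if major == 3:
        if minor <= 4:
            return (major, minor, micro) < (3, 4, 5)
        if minor == 5:
            return (major, minor, micro) < (3, 5, 2)
    return False


def parse_version(text):
    """Turn a version string such as '2.7.11' into the tuple (2, 7, 11)."""
    return tuple(int(part) for part in text.strip().split("."))


def starttls_strict(conn, context=None):
    """Upgrade an smtplib connection to TLS, failing closed.

    Older smtplib returned the (code, message) pair from STARTTLS without
    raising when the code was not 220; this wrapper checks the code itself so
    the caller never goes on to send credentials over a plaintext session.
    """
    conn.ehlo()
    if not conn.has_extn("starttls"):
        raise smtplib.SMTPException("server did not advertise STARTTLS")
    code, message = conn.starttls(context=context)
    if code != 220:
        raise smtplib.SMTPException("STARTTLS refused: %d %r" % (code, message))
    conn.ehlo()  # re-identify over the encrypted channel, as RFC 3207 requires
    return code


class _ScriptedSMTP(object):
    """Constructed stand-in for smtplib.SMTP (not a real server): advertises
    STARTTLS and answers the STARTTLS command with a fixed reply code."""

    def __init__(self, reply_code):
        self.reply_code = reply_code
        self.tls_started = False

    def ehlo(self):
        return 250, b"example.test"

    def has_extn(self, name):
        return name.lower() == "starttls"

    def starttls(self, context=None):
        if self.reply_code == 220:
            self.tls_started = True
        return self.reply_code, b"scripted reply"


def check_scripted(reply_code):
    """Run starttls_strict against the scripted server and report whether the
    session was established or (correctly) refused."""
    server = _ScriptedSMTP(reply_code)
    try:
        starttls_strict(server)
        return "tls established"
    except smtplib.SMTPException:
        return "refused"


if __name__ == "__main__":
    print("this interpreter affected:", is_affected(sys.version_info[:3]))
    print("2.7.11 affected:", is_affected(parse_version("2.7.11")))
    print("2.7.12 affected:", is_affected(parse_version("2.7.12")))
    print("server answers 220 ->", check_scripted(220))
    print("server answers 454 ->", check_scripted(454))
```

Running this on the appliance's own interpreter gives a quick local confirmation of what the scanner reported (2.7.11 is flagged, 2.7.12 is not), and the `starttls_strict` wrapper is the kind of check application code should keep regardless of which smtplib version happens to be installed underneath it.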
What is the build number of vCenter 6.5, and have you installed the same version of vCenter on your machine as your customer?
Thanks,
MS
Hi,
Yes, it's the same build, 4602587.
Regards,
Suman