I have vCenter on a main site and also a DR site (with SRM), and I also have VMware Update Manager. We have quarterly internal vulnerability assessments run, and both vCenter servers came up with high vulnerabilities for directory traversal on both ports 9087 and 9084.
Here is the CVE on the vulnerability:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4404
We have 4.1 installed, and in vSphere Client if I do Help > About it says 4.1.0 Build 491557. How can I upgrade this to U2? I tried scanning with VMware Update Manager and it did not come up. I downloaded the full-blown vSphere 4.1.0-493063, which I believe includes Update 2 that is supposed to fix this vulnerability. The issue is that when I try to run it on either of the vCenter servers it doesn't give me an option to Upgrade. When I run the vCenter Server install it only gives me "Modify linked mode configuration" or "Uninstall". I don't want to do either of those options... I simply want to upgrade like I did from 4.0 to 4.1.
Thanks for the help. I would love to just download the update 2 "patch" if one so exists.
Firstly...
What is your SRM version number?
vCenter Server 4.1 Update 2 supports only SRM 4.1.2.
vSphere Supported Releases and Required Patches:

vCenter Server Release   Required Patches   SRM 4.1   SRM 4.1.1   SRM 4.1.2
4.0 Update 3             None               No        No          No
4.1                      None               Yes       Yes         Yes
4.1 Update 1             None               No        Yes         Yes
4.1 Update 2             None               No        No          Yes
source:
Compatibility Matrixes for VMware® vCenter Site Recovery Manager 4.1 and its Updates
https://www.vmware.com/pdf/srm_compat_matrix_4_1.pdf page 3.
Well, if I check the plug-in manager it shows vCenter Site Recovery Manager Extension Version 4.1.0.
Wouldn't the installer detect everything that needs updating and go ahead and perform the proper updates?
How can I correct this vulnerability with directory traversal to please the auditors? Can I make configuration changes so I can get rid of this vulnerability without having to get update 2 on there?
Sorry, but I don't know a solution to correct the vulnerability without Update 2, but maybe VMware support does.
The point is, if you want to upgrade to Update 2, you should upgrade SRM first and always check the compatibility matrix before upgrading, because installers won't detect every component/product.
"The VMware Product Interoperability Matrix provides details on the compatibility of current and earlier versions of VMware vSphere components, including ESX, vCenter Server, the vSphere Client, and optional VMware products. In addition, check the vSphere Compatibility Matrixes for information about supported management and backup agents before installing ESX or vCenter Server."
Thanks. I opened a support ticket with VMware for them to help me get this resolved. I don't see any link to download a new version of SRM. Sounds like mitigating this vulnerability is opening a whole can of worms that I'd rather have VMware take care of than potentially screw up a production and a DR site.
If you will do the upgrade:
You can download the SRM 4.1.2 here:
Release notes & installation notes:
http://www.vmware.com/support/srm/srm_releasenotes_4_1_2.html
You are amazing. Worked perfectly.
Also upgraded update manager which I think is what causes the vulnerability mentioned anyway.
I tried to access the win.ini file via the vulnerability using directory traversal and got this:
Problem accessing /WINDOWS/win.ini. Reason:
NOT_FOUND
I think maybe the vulnerability is closed.
I don't have Update 2 installed though... just the SRM update and Update Manager. My vSphere plugins have been updated as well as a result. Both SRM sites are talking to each other fine.
Still not sure how to get U2 for vSphere itself, but I do have a case open.
Thanks for all your help!
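The win.ini probe the poster used above is a reasonable post-patch check, but reading the verdict off a single "NOT_FOUND" line by eye is easy to get wrong: a server can answer 200 with an error page, or 404 while still echoing file contents. The script below is an added example (not code from the thread or from VMware) that issues the same kind of request against the two flagged ports and classifies the response by whether recognisable win.ini section headers came back. Assumptions not taken from the page: the traversal probe path is supplied by the caller rather than hard-coded, the ports default to 9084 and 9087 because those are the ones the scanner flagged, plain HTTP is used, and the two sample responses are constructed for the offline demonstration, not captured from a real host.

```python
"""Post-patch check for a directory-traversal finding on vCenter/Update Manager ports.

Added example, not from the original thread. A leaked Windows win.ini carries INI
section headers such as [fonts] or [extensions]; a closed hole returns an error
page like the one quoted in the thread ("Problem accessing /WINDOWS/win.ini.
Reason: NOT_FOUND"). The classifier looks at the body first so that a 404 page
that still echoes file contents is reported as a leak, not as fixed.
"""
import http.client
import sys

# Section headers present in a stock Windows win.ini; matched case-insensitively.
WIN_INI_MARKERS = (b"[fonts]", b"[extensions]", b"[mci extensions]", b"[files]")

# Assumption: these are the ports the poster's scanner flagged, not a VMware-documented list.
DEFAULT_PORTS = (9084, 9087)


def classify_response(status: int, body: bytes) -> str:
    """Return 'LEAK', 'NOT_FOUND' or 'OTHER' for one traversal-probe response."""
    low = body.lower()
    if any(marker in low for marker in WIN_INI_MARKERS):
        return "LEAK"          # file contents came back: still vulnerable
    if status == 404 or b"not_found" in low:
        return "NOT_FOUND"     # path rejected, as in the thread's output
    return "OTHER"             # inspect manually (redirect, login page, etc.)


def probe(host: str, port: int, path: str, timeout: float = 5.0):
    """GET `path` over plain HTTP and return (status, first 64 KiB of body)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.read(65536)
    finally:
        conn.close()


def check_host(host: str, probe_path: str, ports=DEFAULT_PORTS) -> dict:
    """Probe each port and map it to a verdict; connection failures become 'UNREACHABLE'."""
    results = {}
    for port in ports:
        try:
            status, body = probe(host, port, probe_path)
            results[port] = classify_response(status, body)
        except (OSError, http.client.HTTPException):
            results[port] = "UNREACHABLE"
    return results


# Constructed sample responses (not captured from a real system) for offline use.
SAMPLE_CLOSED = (
    404,
    b"<html><body><h2>HTTP ERROR 404</h2>"
    b"<p>Problem accessing /WINDOWS/win.ini. Reason:<pre>    NOT_FOUND</pre></p>"
    b"</body></html>",
)
SAMPLE_LEAK = (
    200,
    b"; for 16-bit app support\r\n[fonts]\r\n[extensions]\r\n[mci extensions]\r\n"
    b"[files]\r\n[Mail]\r\nMAPI=1\r\n",
)


if __name__ == "__main__":
    # Usage: python check_traversal.py <host> <probe-path>   (probe path supplied by you)
    if len(sys.argv) >= 3:
        for port, verdict in check_host(sys.argv[1], sys.argv[2]).items():
            print(f"{sys.argv[1]}:{port} -> {verdict}")
    else:
        for label, (status, body) in (("closed", SAMPLE_CLOSED), ("leak", SAMPLE_LEAK)):
            print(f"{label} sample -> {classify_response(status, body)}")
```

Run it against both the production and the DR vCenter after patching; only a "NOT_FOUND" (or a deliberately reviewed "OTHER") on every flagged port is evidence for the auditors, and an "UNREACHABLE" means the service was not listening rather than that the finding is closed.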
According to VMware technical support, I already have U2 installed, which is why the installer only gives me an option to change linked mode configuration or uninstall.
The vulnerability is resolved by running the upgrade for VMware Update Manager 4.1 U2. Thanks for your help, this is now fixed.
You're welcome.