Main Vulnerability Database SB2014041104

SB2014041104 - Multiple vulnerabilities in VMware, vSphere Client

Published: April 11, 2014 Updated: August 10, 2020

Security Bulletin ID SB2014041104

Severity

High

Patch available

YES

Number of vulnerabilities 2

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Input validation error (CVE-ID: CVE-2014-1209)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

VMware vSphere Client 4.0, 4.1, 5.0 before Update 3, and 5.1 before Update 2 does not properly validate updates to Client files, which allows remote attackers to trigger the downloading and execution of an arbitrary program via unspecified vectors.

2) Cryptographic issues (CVE-ID: CVE-2014-1210)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

VMware vSphere Client 5.0 before Update 3 and 5.1 before Update 2 does not properly validate X.509 certificates, which allows man-in-the-middle attackers to spoof SSL servers via a crafted certificate.

Remediation

Install update from vendor's website.

References

http://www.vmware.com/security/advisories/VMSA-2014-0003.html