VMware on Thursday fixed a critical directory traversal vulnerability (CVE-2012-5978) in its View server products, which if exploited, could enable a remote attacker to access arbitrary files from affected View Servers.
The vulnerability affects both the View Connection Server and the View Security Server, VMware said, and recommends that customers update both servers immediately.
Affected versions include VMware View 5.x prior to version 5.1.2, and VMware View 4.x prior to version 4.6.2.
For those who are who are unable to immediately patch their View Servers, there are workarounds and considerations that VMware provided, including:
• Disable Security Server – Disabling the Security Server will prevent exploitation of the vulnerability over untrusted remote networks. To restore functionality for remote users, allow them to connect to the Connection Server via a VPN.
• Block directory traversal attempts – Using an intrusion protection system (IPS) or application layer firewall customers may be able to block directory traversal attacks. Check with your network security security administrators on how this could be done.
VMware credited researchers from Digital Defense, Inc. for reporting the issue.
The release notes with additional details and download links are available here.
View 5.1.2 – Release Notes | Download Page
View 4.6.2 – Release Notes| Download Page
Related Reading: Keeping Up With Threats in the Virtualized Data Center
Related Reading: Virtualized Data Center Security Part 1
