eva.tuczai

VMTurbo Operations Manager Security Update

Blog Post created by eva.tuczai on Jul 17, 2014

VMTurbo is committed to our customers' success. This blog post is a notification of a fix that has been created to address security vulnerabilities identified in Operations Manager.

 

Background

1) (CVE: 2014-3806) A directory traversal vulnerability in a script used by the VMTurbo help system allows an attacker to read any file on the VMTurbo virtual machine. Affects VMTurbo Operations Manager versions 4.5 and earlier.

Thanks to Jamal Pecou of Security Focus (https://www.securityfocus.com/) for reporting this issue.

 

2) (No CVE assigned yet; Secunia Advisory SA58880) An OS command injection vulnerability allows an attacker to run arbitrary shell commands with the privileges of the "wwwrun" user. Affects VMTurbo Operations Manager version 4.5 and earlier, as well as version 4.6 prior to revision 28647.

Thanks to Emilio Pinna of Secunia Research (http://secunia.com) for reporting this issue.

 

Resolution

Upgrading to Operations Manager version 4.6-28647 or newer will resolve both issues. Please refer to this KB Article for more details on Patch For CVE: 2014-3806 and Secunia Advisory SA58880.
