CVE-2011-4404
published 2011-11-19


Priority: P3 · 56 · medium
CVSS 2.0: 5 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
EXPLOIT
EPSS: 63.23% (99.1th percentile)
The default configuration of the HTTP server in Jetty in vSphere Update Manager in VMware vCenter Update Manager 4.0 before Update 4 and 4.1 before Update 2 allows remote attackers to conduct directory traversal attacks and read arbitrary files via unspecified vectors, a related issue to CVE-2009-1523.

Affected

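6 ranges

| Vendor | Product | Version range | Fixed in |
|--------|---------|---------------|----------|
| vmware | esxi | | |
| vmware | vcenter_update_manager | | |
| vmware | vcenter_update_manager | | |
| vmware | vmware_vcenter_server | | |
| vmware | vmware_vsphere | | |
| vmware | vmware_workstation | | |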

Detection & IOCs (extracted from sources)

url: http://<host>:9084/vci/downloads/.\..\..\..\..\..\..\.\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\SSL\rui.key
port: 9084
path: /vci/downloads/
path: \Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\SSL\rui.key
  • Monitor HTTP requests to port 9084 targeting the /vci/downloads/ path containing directory traversal sequences such as .\..\ or mixed slash traversal patterns, which are characteristic of this Jetty misconfiguration exploit.
  • Unauthenticated attackers can read arbitrary files with the rights of the VMware Update Manager process; alert on any unauthenticated GET requests to port 9084 containing backslash-dot traversal sequences.
  • The traversal technique uses a mixed .\..\ pattern (dot-backslash-dot-dot-backslash) rather than the classic ../ sequence, which may evade simple path-traversal filters; ensure detection rules cover backslash-based traversal on Windows hosts.
  • This issue is a variant of CVE-2009-1523; detection logic for that earlier Jetty traversal (VMSA-2010-0012) should be reviewed and extended to cover the .\..\ bypass variant used here.
  • The vulnerability is caused by the default (misconfigured) Jetty HTTP server configuration bundled with vSphere Update Manager; the issue does not affect vCenter Server itself, hosted products (Workstation, Player, ACE, Fusion), ESX, or ESXi.
  • Update Manager 5.0 on Windows is not affected; only Update Manager 4.1 (prior to Update 2) and 4.0 (prior to Update 4) on Windows are vulnerable.
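
One way to implement the detection guidance above, as an added example that is not part of the original entry or of any vendor tooling. The log layout, function names and sample lines are assumptions made for illustration. It goes slightly beyond the literal .\..\ pattern by percent-decoding the request target first, so encoded forms of the same backslash traversal are also matched.

```python
import re
from urllib.parse import unquote

WATCHED_PORT = 9084                 # Update Manager port named on this page
WATCHED_PREFIX = "/vci/downloads/"  # path named on this page

# Assumed (hypothetical) log layout: "<src_ip> <dst_port> <method> <raw request target>"
LINE_RE = re.compile(r"^(\S+) (\d+) (\S+) (.+)$")

# Constructed sample lines; the addresses are documentation ranges.
SAMPLE_LOG = [
    r"192.0.2.10 9084 GET /vci/downloads/health.xml",
    r"198.51.100.7 9084 GET /vci/downloads/.\..\..\..\..\..\..\.\Documents and Settings"
    r"\All Users\Application Data\VMware\VMware VirtualCenter\SSL\rui.key",
    r"198.51.100.7 9084 GET /vci/downloads/%2e%5c%2e%2e%5c%2e%2e%5cexample.txt",
    r"192.0.2.11 9084 GET /vci/downloads/patch..v2/metadata.zip",
    r"198.51.100.9 8080 GET /vci/downloads/..\..\x",
]

def decode_fully(target, max_rounds=3):
    """Percent-decode repeatedly so %5c and %255c both surface as a backslash."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def is_traversal(target):
    """True if the path under the watched prefix has a '..' segment, with either slash style."""
    path = decode_fully(target.split("?", 1)[0])  # drop the query string, then decode
    if not path.lower().startswith(WATCHED_PREFIX):
        return False
    # Split on runs of '/' or '\' so mixed separators such as .\..\ are treated alike.
    segments = re.split(r"[\\/]+", path[len(WATCHED_PREFIX):])
    return ".." in segments

def scan(lines):
    """Return (src_ip, method, decoded_path) for suspicious requests on the watched port."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        src, port, method, target = m.groups()
        if int(port) == WATCHED_PORT and is_traversal(target):
            hits.append((src, method, decode_fully(target.split("?", 1)[0])))
    return hits

if __name__ == "__main__":
    for src, method, path in scan(SAMPLE_LOG):
        print(f"ALERT {src} {method} {path}")
```

Matching on whole path segments rather than the substring `..` keeps file names such as `patch..v2` from raising alerts.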