Hello Team,
I have a customer who has upgraded vCenter from 6.0 to 6.5.
But the Python version is still 2.7.11, which has a vulnerability as mentioned below.
*Summary:*
This host is running CPython and is
prone to man-in-the-middle attack and arbitrary code execution vulnerabilities.
*Insight:*
The multiple flaws exist because the smtplib
library in CPython does not return an error when StartTLS fails, and because of an integer
overflow error in the 'get_data' function in the 'zipimport.c' script.
*Impact:*
Successful exploitation will allow
man-in-the-middle attackers to bypass the TLS protections and remote attackers
to cause a buffer overflow.
*Impact Level:* Application
*Affected Software/OS:*
CPython before 2.7.12, 3.x before 3.4.5,
and 3.5.x before 3.5.2 on Windows.
*Vulnerability Detection Method:*
Get the installed version with the help of the
detect NVT and check whether the version is vulnerable or not.
Installed version: 2.7.11
Fixed version: 2.7.12
I have done a test with a fresh installation of vCenter 6.5 and the vulnerability is gone, since Python 2.7.12 is installed there.
Now my question is: how do I install Python version 2.7.12, or upgrade the Python version from 2.7.11 to 2.7.12?
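As an added example (not part of the original post, nor code from the scanner that produced the report above), here is the version-range test that the "Vulnerability Detection Method" describes, written out in Python so that an installed version can be compared against all three fixed versions the advisory lists, not only 2.7.12. The function names and the sample version strings are constructed for illustration; the "on Windows" qualifier in the affected-software list is taken as written and is not modelled.

```python
"""Version-range check for the CPython advisory quoted in the post above.

Added example, not part of the original post. The affected ranges come
from the advisory text: CPython before 2.7.12, 3.x before 3.4.5, and
3.5.x before 3.5.2. Function names and sample inputs are constructed.
"""
import re
import sys

# (series prefix, first fixed version). A version is matched against the
# FIRST prefix that fits, so the more specific 3.5 entry precedes the
# general 3.x entry. 2.x as a whole is "before 2.7.12" per the advisory.
FIXED_VERSIONS = [
    ((3, 5), (3, 5, 2)),
    ((3,),   (3, 4, 5)),
    ((2,),   (2, 7, 12)),
]


def parse_version(text):
    """Turn '2.7.11' or 'Python 3.5' into a (major, minor, micro) tuple.

    A missing micro component is treated as 0, which is how a bare
    '3.5' would be compared by a scanner's version test.
    """
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError("no version number found in %r" % (text,))
    major, minor, micro = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(micro))


def is_vulnerable(installed):
    """Return (vulnerable, fixed_version) for an installed version.

    `installed` may be a version string or a tuple. `fixed_version` is
    None when the series is not covered by the advisory at all.
    """
    ver = parse_version(installed) if isinstance(installed, str) else tuple(installed)
    for prefix, fixed in FIXED_VERSIONS:
        if ver[:len(prefix)] == prefix:
            return (ver < fixed, fixed)
    return (False, None)


def report(installed):
    """Produce the two lines the scanner printed, for any input version."""
    vulnerable, fixed = is_vulnerable(installed)
    lines = ["Installed version: %s" % ".".join(map(str, parse_version(installed)))]
    if fixed is not None:
        lines.append("Fixed version: %s" % ".".join(map(str, fixed)))
    lines.append("Status: %s" % ("VULNERABLE" if vulnerable else "not affected"))
    return "\n".join(lines)


def check_running_interpreter():
    """Apply the same test to the Python running this script."""
    return is_vulnerable(tuple(sys.version_info[:3]))


if __name__ == "__main__":
    # Constructed sample inputs covering each series in the advisory.
    for sample in ("2.7.11", "2.7.12", "3.4.4", "3.5.1", "3.6.0"):
        print(report(sample))
        print("--")
    print("This interpreter:", check_running_interpreter())
```

Running it as a script prints a report for each constructed sample and then applies the test to the interpreter executing it; `is_vulnerable` is the piece to reuse when feeding in the output of `python --version` from a host you administer.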