-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -----------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID: VMSA-2014-0006.10
Synopsis:    VMware product updates address OpenSSL security
             vulnerabilities
Issue date:  2014-06-10
Updated on:  2014-09-09
CVE numbers: CVE-2014-0224, CVE-2014-0198, CVE-2010-5298, and
             CVE-2014-3470
- -----------------------------------------------------------------------

1. Summary

   VMware product updates address OpenSSL security vulnerabilities.

2. Relevant Releases

   Big Data Extensions prior to 2.0.0
   ESXi 5.5 without patch ESXi550-201406401-SG
   ESXi 5.1 without patch ESXi510-201406401-SG
   ESXi 5.0 without patch ESXi500-201407401-SG
   Workstation 10.x prior to 10.0.3
   Workstation 9.x prior to 9.0.4
   Player 6.x prior to 6.0.3
   Player 5.x prior to 5.0.4
   Fusion 6.x prior to 6.0.4
   Fusion 5.x prior to 5.0.5
   Horizon Mirage Edge Gateway prior to 4.4.3
   Horizon View prior to 5.3.2
   Horizon View 5.3 Feature Pack X prior to Feature Pack 3
   Horizon Workspace Server 1.5.x without patch
     horizon-nginx-rpm-1.5.0.0-1876270.x86_64.rpm
   Horizon Workspace Server 1.8.x without patch
     horizon-nginx-rpm-1.8.2.1820-1876338.x86_64.rpm
   Horizon View Clients prior to 3.0
   vCD 5.5.x prior to 5.5.1.2
   vCD 5.1.x prior to 5.1.3.1
   vCenter prior to 5.5u1b
   vCenter prior to 5.1 U2a
   vCenter prior to 5.0U3a
   vCenter Support Assistant prior to 5.5.1.1
   vCloud Automation Center prior to 6.0.1.2
   vCenter Configuration Manager prior to 5.7.2
   vCenter Converter Standalone prior to 5.5.2
   Converter Standalone prior to 5.1.1
   Usage Manager prior to 3.3
   vCenter Operations Manager prior to 5.8.2
   vCenter Operations Manager prior to 5.7.3
   vCenter Chargeback Manager 2.6 prior to 2.6.0.1
   vCloud Networking and Security prior to 5.5.2.1
   vCloud Networking and Security prior to 5.1.4.1
   vSphere PowerCLI 5.x
   vCSA prior to 5.5u1b
   vCSA prior to 5.1u2a
   vCSA prior to 5.0u3a
   OVF Tool prior to 5.3.2
   Update Manager prior to 5.5u1b
   ITBM Standard prior to 1.1
   VDDK prior to 5.5.2
   VDDK prior to 5.1.3
   VDDK prior to 5.0.4
   NSX for Multi-Hypervisor 4.1.x prior to 4.1.3
   NSX for Multi-Hypervisor 4.0.x prior to 4.0.4
   NVP 3.0.x prior to 3.2.3
   NSX 6.0.x for vSphere prior to 6.0.5
   vFabric Web Server 5.x
   Pivotal Web Server prior to 5.4.1
   vCenter Site Recovery Manager prior to 5.5.1.1
   vCenter Site Recovery Manager prior to 5.1.2.1
   vCenter Site Recovery Manager prior to 5.0.3.2
   vSphere Replication prior to 5.8
   vSphere Replication prior to 5.5.1.1
   vSphere SDK for Perl prior to 5.5 Update 2

3. Problem Description

   a. OpenSSL update for multiple products.

   OpenSSL libraries have been updated in multiple products to versions
   0.9.8za and 1.0.1h in order to resolve multiple security issues.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the names CVE-2014-0224, CVE-2014-0198, CVE-2010-5298,
   CVE-2014-3470, CVE-2014-0221 and CVE-2014-0195 to these issues.

   The most important of these issues is CVE-2014-0224. CVE-2014-0198,
   CVE-2010-5298 and CVE-2014-3470 are considered to be of moderate
   severity. Exploitation is highly unlikely or is mitigated due to the
   application configuration.

   CVE-2014-0221 and CVE-2014-0195, which are listed in the OpenSSL
   Security Advisory (see Reference section below), do not affect any
   VMware products.

   CVE-2014-0224 may lead to a Man-in-the-Middle attack if a server is
   running a vulnerable version of OpenSSL 1.0.1 and clients are running
   a vulnerable version of OpenSSL 0.9.8 or 1.0.1. Updating the server
   will mitigate this issue for both the server and all affected clients.

   CVE-2014-0224 may affect products differently depending on whether
   the product is acting as a client or a server and on which version of
   OpenSSL the product is using. For readability the affected products
   have been split into 3 tables below, based on the different
   client-server configurations and deployment scenarios.

   MITIGATIONS

   Clients that communicate with a patched or non-vulnerable server are
   not vulnerable to CVE-2014-0224. Applying these patches to affected
   servers will mitigate the affected clients (see Table 1 below).

   Clients that communicate over untrusted networks such as public Wi-Fi
   and communicate with a server running a vulnerable version of OpenSSL
   1.0.1 can be mitigated by using a secure network such as a VPN (see
   Table 2 below).

   Clients and servers that are deployed on an isolated network are less
   exposed to CVE-2014-0224 (see Table 3 below). The affected products
   are typically deployed to communicate over the management network.

   RECOMMENDATIONS

   VMware recommends customers evaluate and deploy patches for affected
   servers in Table 1 below as these patches become available. Patching
   these servers will remove the ability to exploit the vulnerability
   described in CVE-2014-0224 on both clients and servers.

   VMware recommends customers consider applying patches to products
   listed in Tables 2 and 3 as required.

   Column 4 of the following tables lists the action required to
   remediate the vulnerability in each release, if a solution is
   available.

   Table 1
   =======
   Affected servers running a vulnerable version of OpenSSL 1.0.1.

   VMware                              Product  Running  Replace with/
   Product                             Version  on       Apply Patch
   ==================================  =======  =======  ====================
   ESXi                                5.5      ESXi     ESXi550-201406401-SG
   Big Data Extensions                 1.1               2.0.0
   vCenter Chargeback Manager          2.6               2.6.0.1
   Horizon Workspace Server            1.5.x             horizon-nginx-rpm-1.5.0.0-1876270.x86_64.rpm
   Horizon Workspace Server            1.8.x             horizon-nginx-rpm-1.8.2.1820-1876338.x86_64.rpm
   Horizon Mirage Edge Gateway         4.4.x             4.4.3
   Horizon View                        5.x               5.3.2
   Horizon View Feature Pack           5.x               5.3 FP3
   NSX for Multi-Hypervisor            4.1.2             4.1.3
   NSX for Multi-Hypervisor            4.0.3             4.0.4
   NSX for vSphere                     6.0.4             6.0.5
   NVP                                 3.2.2             3.2.3
   vCloud Networking and Security      5.5.2             5.5.2.1
   vCloud Networking and Security      5.1.4             5.1.4.1
   Pivotal Web Server                  5.4               5.4.1
   vFabric Web Server                  5.x               Pivotal Web Server 5.4.1

   Table 2
   =======
   Affected clients running a vulnerable version of OpenSSL 0.9.8 or
   1.0.1 and communicating over an untrusted network.

   VMware                              Product  Running  Replace with/
   Product                             Version  on       Apply Patch
   ==================================  =======  =======  ====================
   vCSA                                5.5               5.5u1b
   vCSA                                5.1               5.1u2a
   vCSA                                5.0               5.0u3a
   ESXi                                5.1      ESXi     ESXi510-201406401-SG
   ESXi                                5.0      ESXi     ESXi500-201407401-SG
   Workstation                         10.x     any      10.0.3
   Workstation                         9.x      any      9.0.4
   Fusion                              6.x      OSX      6.0.4
   Fusion                              5.x      OSX      5.0.5
   Player                              6.x      any      6.0.3
   Player                              5.x      any      5.0.4
   vCenter Chargeback Manager          2.5.x             2.6.0.1
   Horizon Workspace Client            1.x      OSX      1.8.2
   Horizon Workspace Client            1.x      Windows  1.8.2
   Horizon View Client                 2.x      Android  3.0
   Horizon View Client                 2.x      iOS      3.0
   Horizon View Client                 2.x      OSX      3.0
   Horizon View Client                 2.x      Windows  3.0
   Horizon View Client                 2.x      WinStore 3.0
   OVF Tool                            3.5.1             3.5.2
   OVF Tool                            3.0.1             3.5.2
   vCenter Operations Manager          5.8.x             5.8.2
   vCenter Operations Manager          5.7.x             5.7.3
   vCenter Support Assistant           5.5.1             5.5.1.1
   vCD                                 5.5.1.x           5.5.1.2
   vCD                                 5.1.x             5.1.3.1
   vCenter Site Recovery Manager       5.5.x             5.5.1.1
   vCenter Site Recovery Manager       5.1.x             5.1.2.1
   vCenter Site Recovery Manager       5.0.3.x           5.0.3.2
   vSphere Client                      5.5      Windows  5.5u1b
   vSphere Client                      5.1      Windows  5.1u2a
   vSphere Client                      5.0      Windows  5.0u3a

   Table 3
   =======
   The following table lists all affected clients running a vulnerable
   version of OpenSSL 0.9.8 or 1.0.1 and communicating over a trusted or
   isolated network.

   VMware                              Product  Running  Replace with/
   Product                             Version  on       Apply Patch
   ==================================  =======  =======  ====================
   vCenter Server                      5.5      any      5.5u1b
   vCenter Server                      5.1      any      5.1u2a
   vCenter Server                      5.0      any      5.0u3a
   Update Manager                      5.5      Windows  5.5u1b
   vCenter Configuration Manager (VCM) 5.6               5.7.2
   ITBM Standard                       1.0.1             1.1
   ITBM Standard                       1.0               1.1
   Studio                              2.6.0.0           patch pending
   Usage Meter                         3.3               3.3.1
   vCenter Converter Standalone        5.5               5.5.2
   vCenter Converter Standalone        5.1               5.1.1
   vCloud Automation Center            6.0.x             6.0.1.2
   VIX API                             1.12              patch pending
   vMA (Management Assistant)          5.5.01            patch pending
   vSphere PowerCLI                    5.x               See VMware KB 2082132
   vSphere Data Protection             5.5.6             patch pending
   vSphere Data Protection             5.1.11            patch pending
   vSphere Replication                 5.5.1             5.5.1.1
   vSphere Replication                 5.6               5.8
   vSphere SDK for Perl                5.5               5.5 Update 2
   VDDK                                5.5.x             5.5.2
   VDDK                                5.1.x             5.1.3
   VDDK                                5.0.x             5.0.4

4. Solution

   Big Data Extensions 2.0.0
   -------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/download-bde

   ESXi 5.5, 5.1 and 5.0
   ---------------------
   Download:
   https://www.vmware.com/patchmgr/findPatch.portal

   Horizon Mirage Edge Gateway 4.4.3
   ---------------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/download-horizon-mirage

   vCD 5.5.1.2
   -----------
   Downloads and Documentation:
   https://www.vmware.com/go/download/vcloud-director

   vCenter Server 5.5u1b, 5.1u2a, 5.0u3a
   -------------------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/download-vsphere

   vCSA 5.5u1b, 5.1u2a and 5.0u3a
   ------------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/download-vsphere

   Update Manager 5.5u1b
   ---------------------
   Downloads and Documentation:
   https://www.vmware.com/go/download-vsphere

   VDDK 5.x
   --------
   Downloads and Documentation:
   https://www.vmware.com/support/developer/vddk

   vCenter Configuration Manager (VCM) 5
   -------------------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/download_vcm

   vCenter Operations Manager 5.8 and 5.7.3
   ----------------------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/download-vsphere-ops-mgr

   OVF Tool 3.5.2
   --------------
   Download:
   https://www.vmware.com/support/developer/ovf/

   vCenter Converter Standalone 5.5.2
   ----------------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/download-converter

   Horizon View 5
   --------------
   Downloads and Documentation:
   https://www.vmware.com/go/downloadview

   Horizon View 5.3 Feature Pack 3
   -------------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/downloadview

   Horizon Workspace Server 1.5 and 1.8.x
   --------------------------------------
   Release Notes and download:
   http://kb.vmware.com/kb/2082181

   Workstation
   -----------
   https://www.vmware.com/go/downloadworkstation

   Fusion
   ------
   https://www.vmware.com/go/downloadfusion

   VMware Player
   -------------
   https://www.vmware.com/go/downloadplayer

   vCenter Server 5.1 Update 2a
   ----------------------------
   Download link:
   https://my.vmware.com/web/vmware/info/slug/datacenter_cloud_infrastructure/vmware_vsphere/5_1

   vCenter Server 5.0 Update 3a
   ----------------------------
   Download link:
   https://my.vmware.com/web/vmware/info/slug/datacenter_cloud_infrastructure/vmware_vsphere/5_0

   vCloud Networking and Security 5.5.2.1
   --------------------------------------
   Download:
   https://my.vmware.com/web/vmware/details?downloadGroup=VCNS552_GA&productId=353&rPId=5255

   vCloud Networking and Security 5.1.4.1
   --------------------------------------
   Download:
   https://my.vmware.com/web/vmware/details?downloadGroup=VCNS514_GA&productId=285&rPId=5131

   NSX for Multi-Hypervisor, NSX for vSphere and NVP
   -------------------------------------------------
   Remediation Instructions and Download, available under support:
   http://www.vmware.com/products/nsx

   vCD 5.5.1.2 and vCD 5.1.3.1
   ---------------------------
   Download link:
   https://www.vmware.com/go/download-vcd-ns

   VMware vCenter Chargeback Manager
   ---------------------------------
   Download link:
   https://www.vmware.com/go/download-chargeback

   Converter Standalone 5.1.1
   --------------------------
   Download link:
   https://www.vmware.com/go/download-converter

   Usage Manager 3.3
   -----------------
   Downloads and Documentation:
   https://communities.vmware.com/community/vmtn/vcd/vcloud_usage_meter

   vCenter Support Assistant
   -------------------------
   Downloads:
   https://www.vmware.com/go/download-vsphere

   Pivotal Web Server 5.4.1
   ------------------------
   https://my.vmware.com/web/vmware/details?downloadGroup=VF_530_PVTL_WSVR_541&productId=335&rPId=6214

   vCloud Automation Center
   ------------------------
   Downloads:
   https://www.vmware.com/go/download-vcac

   vCenter Site Recovery Manager 5.5.1.1
   -------------------------------------
   Remediation Instructions and Download:
   http://kb.vmware.com/kb/2081861

   vCenter Site Recovery Manager 5.1.2.1
   -------------------------------------
   Remediation Instructions and Download:
   http://kb.vmware.com/kb/2081860

   vCenter Site Recovery Manager 5.0.3.2
   -------------------------------------
   Remediation Instructions and Download:
   http://kb.vmware.com/kb/2081859

   vSphere Replication 5.8
   -----------------------
   Download:
   https://my.vmware.com/web/vmware/details?downloadGroup=SDKPERL552&productId=353

   vSphere Replication 5.5.1.1
   ---------------------------
   Remediation Instructions and Download:
   http://kb.vmware.com/kb/2082666

   ITBM Standard 1.1
   -----------------
   Download:
   https://my.vmware.com/web/vmware/details?downloadGroup=ITBM-STD-110&productId=384&rPId=6384
   Release Notes:
   https://www.vmware.com/support/itbms/doc/itbm-standard-edition-11-release-notes.html

   vSphere SDK for Perl 5.5 Update 2
   ---------------------------------
   Download:
   https://my.vmware.com/web/vmware/details?downloadGroup=VR580&productId=451&rPId=6436
   Release Notes:
   https://www.vmware.com/support/vsphere-replication/doc/vsphere-replication-58-release-notes.html

5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0198
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-5298
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3470
   https://www.openssl.org/news/secadv_20140605.txt
   http://www.gopivotal.com/security/cve-2014-0224

   VMware Knowledge Base Article 2082132
   http://kb.vmware.com/kb/2082132

- -----------------------------------------------------------------------

6. Change Log

   2014-06-10 VMSA-2014-0006
   Initial security advisory in conjunction with the release of ESXi 5.5
   updates on 2014-06-10

   2014-06-12 VMSA-2014-0006.1
   Updated security advisory in conjunction with the release of Big Data
   Extensions 2.0.0, Horizon Mirage Edge Gateway 4.4.3, vCD 5.5.1.2,
   vCenter Server 5.5u1b, vCSA 5.5u1b, and Update Manager 5.5u1b on
   2014-06-12

   2014-06-17 VMSA-2014-0006.2
   Updated security advisory in conjunction with the release of ESXi 5.1
   updates, VDDK 5.5.2, 5.1.3, and 5.0.4 on 2014-06-17

   2014-06-24 VMSA-2014-0006.3
   Updated security advisory in conjunction with the release of Horizon
   View 5.3.2, Horizon View 5.3 Feature Pack 3, vCenter Configuration
   Manager 5.7.2, vCenter Converter Standalone 5.5.2, vCenter Operations
   Manager 5.8.2, OVF Tool 5.3.2 on 2014-06-24

   2014-07-01 VMSA-2014-0006.4
   Updated security advisory in conjunction with the release of ESX 5.0
   patches, Workstation 10.0.3, Player 6.0.3, Fusion 6.0.4, Horizon
   Workspace Server 1.5.x and 1.8.x updates, vCD 5.1.3.1, vCenter Server
   5.1 update 2a and 5.0 update 3a, vCSA 5.1 update 2a and 5.0 update 3a,
   Converter Standalone 5.1.1, vCenter Chargeback Manager 2.6.0.1, vCloud
   Networking and Security 5.5.2.1 and 5.1.4.1, NSX for Multi-Hypervisor
   4.1.3, NSX for Multi-Hypervisor 4.0.4, NVP 3.2.3 and NSX 6.0.5 for
   vSphere on 2014-07-01

   2014-07-03 VMSA-2014-0006.5
   Updated security advisory in conjunction with the release of
   Workstation 9.0.4, Player 5.0.4, Fusion 5.0.5, vCenter Support
   Assistant 5.5.1.1, on 2014-07-03

   2014-07-08 VMSA-2014-0006.6
   Updated security advisory in conjunction with the release of vSphere
   PowerCLI 5.x on 2014-07-04 and Pivotal Web Server 5.4.1 on 2014-07-08

   2014-07-10 VMSA-2014-0006.7
   Updated security advisory in conjunction with the release of vCloud
   Automation Center 6.0.1.2 and vCenter Operations Manager 5.7.3 on
   2014-07-10

   2014-07-18 VMSA-2014-0006.8
   Updated security advisory in conjunction with the release of patches
   for vCenter Site Recovery Manager 5.5.1.1 and vSphere Replication
   5.5.1.1 on 2014-07-17

   2014-07-22 VMSA-2014-0006.9
   Updated security advisory in conjunction with the release of patches
   for vCenter Site Recovery Manager 5.1.2.1 and 5.0.3.2 on 2014-07-22

   2014-09-09 VMSA-2014-0006.10
   Updated security advisory in conjunction with the release of patches
   for ITBM Standard 1.1, vSphere Replication 5.8 and vSphere SDK for
   Perl 5.5 Update 2 on 2014-09-09. vFabric Application Director has been
   removed from the table above since it is not affected by this issue.

- -----------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

   security-announce at lists.vmware.com
   bugtraq at securityfocus.com
   fulldisclosure at seclists.org

   E-mail: security at vmware.com
   PGP key at: http://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html

   Twitter
   https://twitter.com/VMwareSRC

   Copyright 2014 VMware Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.3.0 (Build 8741)
Charset: utf-8

wj8DBQFUD16eDEcm8Vbi9kMRAgBdAJsG4mzXIKqUyD2j5rTkDDQvG9giYwCfTmv4
S8n3FBEzi2wj9s5V00WS7/4=
=2ZcF
-----END PGP SIGNATURE-----
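The client/server rule in section 3 of VMSA-2014-0006.10 above (a Man-in-the-Middle needs a server on a vulnerable OpenSSL 1.0.1 build and a client on a vulnerable 0.9.8 or 1.0.1 build; patching the server clears its clients; untrusted versus isolated network decides Table 2 versus Table 3), applied to an inventory of OpenSSL version strings. This is an added example, not VMware's code or tooling. The fixed releases 0.9.8za and 1.0.1h are the ones the advisory names; the `Endpoint` class, the host names and the sample inventory are constructed for illustration, and branches the advisory does not discuss (such as 1.0.0) are deliberately reported as unknown rather than as safe.

```python
"""Triage CVE-2014-0224 exposure from OpenSSL version strings, following the
client/server rule stated in VMSA-2014-0006 (added example; not VMware code)."""
import re
from dataclasses import dataclass
from typing import Optional

# Fixed letter releases named in the advisory: 0.9.8za and 1.0.1h.
# Branches the advisory does not discuss (e.g. 1.0.0) are reported as unknown.
FIXED_LETTER = {"0.9.8": "za", "1.0.1": "h"}

_VERSION_RE = re.compile(r"^(\d+\.\d+\.\d+)([a-z]*)$")


def parse_openssl_version(version: str):
    """Split an OpenSSL version such as '1.0.1g' into ('1.0.1', 'g')."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version string: {version!r}")
    return m.group(1), m.group(2)


def is_vulnerable_build(version: str) -> Optional[bool]:
    """True if the build is on an affected branch and older than the fixed release,
    False if it is at or past the fix, None if the advisory says nothing about its branch."""
    branch, letter = parse_openssl_version(version)
    if branch not in FIXED_LETTER:
        return None
    # OpenSSL letter suffixes sort as plain strings: '' < 'h' < 'y' < 'z' < 'za' < 'zb'.
    return letter < FIXED_LETTER[branch]


def mitm_exposure(server_version: str, client_version: str) -> str:
    """Apply the advisory's rule: a MITM is possible only when the server runs a
    vulnerable 1.0.1 build AND the client runs a vulnerable 0.9.8 or 1.0.1 build."""
    server_branch, _ = parse_openssl_version(server_version)
    server_vuln = is_vulnerable_build(server_version)
    client_vuln = is_vulnerable_build(client_version)
    if server_vuln is None or client_vuln is None:
        return "unknown"          # a branch this advisory does not cover
    if server_branch == "1.0.1" and server_vuln and client_vuln:
        return "exposed"
    return "not exposed"          # patching the server alone clears its clients


@dataclass
class Endpoint:
    name: str
    role: str               # "server" or "client"
    openssl: str            # version string reported by the product
    untrusted_network: bool = False


def triage(endpoints):
    """Group an inventory into the advisory's three tables: vulnerable 1.0.1 servers
    (patch first), vulnerable clients on untrusted networks (Table 2), vulnerable
    clients on isolated networks (Table 3). Anything the rule cannot classify,
    including uncovered branches, goes to 'review' rather than being dropped."""
    buckets = {"table1_servers": [], "table2_untrusted_clients": [],
               "table3_isolated_clients": [], "review": []}
    for e in endpoints:
        branch, _ = parse_openssl_version(e.openssl)
        vuln = is_vulnerable_build(e.openssl)
        if vuln is None:
            buckets["review"].append(e.name)
        elif not vuln:
            continue                                   # already at or past the fix
        elif e.role == "server" and branch == "1.0.1":
            buckets["table1_servers"].append(e.name)
        elif e.role == "client":
            key = "table2_untrusted_clients" if e.untrusted_network else "table3_isolated_clients"
            buckets[key].append(e.name)
        else:
            buckets["review"].append(e.name)           # e.g. a server on vulnerable 0.9.8
    return buckets


# Constructed sample inventory (hypothetical hosts; not taken from the advisory).
SAMPLE_INVENTORY = [
    Endpoint("esxi-01", "server", "1.0.1e"),
    Endpoint("web-gw", "server", "1.0.1h"),
    Endpoint("laptop-client", "client", "0.9.8y", untrusted_network=True),
    Endpoint("mgmt-vcenter", "client", "1.0.1g"),
    Endpoint("legacy-appliance", "client", "1.0.0l"),
]

if __name__ == "__main__":
    for bucket, members in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {members}")
    print(mitm_exposure("1.0.1e", "0.9.8y"))   # exposed
    print(mitm_exposure("1.0.1h", "0.9.8y"))   # not exposed
```

The letter comparison relies on OpenSSL's release lettering, where `z` is followed by `za`, `zb`, and so on, so plain string ordering is enough; the `review` bucket exists because a version the advisory never mentions is not evidence of safety, only of a gap in this advisory's coverage.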
NEW VMSA-2014-0008 VMware vSphere product updates to third party libraries
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID: VMSA-2014-0008
Synopsis:    VMware vSphere product updates to third party libraries
Issue date:  2014-09-09
Updated on:  2014-09-09 (Initial Advisory)
CVE numbers: --- Struts ---
             CVE-2014-0114
             --- tc-server ---
             CVE-2013-4590, CVE-2013-4322, and CVE-2014-0050
             --- glibc ---
             CVE-2013-0242 and CVE-2013-1914
             --- JRE ---
             See references
- ------------------------------------------------------------------------

1. Summary

   VMware has updated vSphere third party libraries.

2. Relevant releases

   VMware vCenter Server 5.5 prior to Update 2
   VMware vCenter Update Manager 5.5 prior to Update 2
   VMware ESXi 5.5 without patch ESXi550-201409101-SG

3. Problem Description

   a. vCenter Server Apache Struts Update

   The Apache Struts library is updated to address a security issue.
   This issue may lead to remote code execution after authentication.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the identifier CVE-2014-0114 to this issue.

   Column 4 of the following table lists the action required to
   remediate the vulnerability in each release, if a solution is
   available.

   VMware                  Product  Running  Replace with/
   Product                 Version  on       Apply Patch
   ======================  =======  =======  =====================
   vCenter Server          5.5      any      5.5 Update 2
   vCenter Server          5.1      any      Patch Pending
   vCenter Server          5.0      any      Patch Pending

   b. vCenter Server tc-server 2.9.5 / Apache Tomcat 7.0.52 updates

   tc-server has been updated to version 2.9.5 to address multiple
   security issues. This version of tc-server includes Apache Tomcat
   7.0.52.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the identifiers CVE-2013-4590, CVE-2013-4322, and
   CVE-2014-0050 to these issues.

   Column 4 of the following table lists the action required to
   remediate the vulnerability in each release, if a solution is
   available.

   VMware                  Product  Running  Replace with/
   Product                 Version  on       Apply Patch
   ======================  =======  =======  =====================
   vCenter Server          5.5      any      5.5 Update 2
   vCenter Server          5.1      any      Patch Pending
   vCenter Server          5.0      any      Patch Pending

   c. Update to ESXi glibc package

   glibc is updated to address multiple security issues.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the identifiers CVE-2013-0242 and CVE-2013-1914 to these
   issues.

   Column 4 of the following table lists the action required to
   remediate the vulnerability in each release, if a solution is
   available.

   VMware                  Product  Running  Replace with/
   Product                 Version  on       Apply Patch
   ======================  =======  =======  =====================
   ESXi                    5.5      any      ESXi550-201409101-SG
   ESXi                    5.1      any      Patch Pending
   ESXi                    5.0      any      Patch Pending

   d. vCenter and Update Manager, Oracle JRE 1.7 Update 55

   Oracle has documented the CVE identifiers that are addressed in JRE
   1.7.0 update 55 in the Oracle Java SE Critical Patch Update Advisory
   of April 2014. The References section provides a link to this
   advisory.

   Column 4 of the following table lists the action required to
   remediate the vulnerability in each release, if a solution is
   available.

   VMware                  Product  Running  Replace with/
   Product                 Version  on       Apply Patch
   ======================  =======  =======  =====================
   vCenter Server          5.5      any      5.5 Update 2
   vCenter Server          5.1      any      not applicable *
   vCenter Server          5.0      any      not applicable *
   vCenter Update Manager  5.5      any      5.5 Update 2
   vCenter Update Manager  5.1      any      not applicable *
   vCenter Update Manager  5.0      any      not applicable *

   * this product uses the Oracle JRE 1.6.0 family *

4. Solution

   Please review the patch/release notes for your product and version
   and verify the checksum of your downloaded file.

   vCenter Server and Update Manager 5.5u2
   ---------------------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/download-vsphere

   ESXi 5.5
   --------
   Download:
   https://www.vmware.com/patchmgr/findPatch.portal

5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0114
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4590
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4322
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0050
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0242
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1914

   JRE
   ---
   Oracle Java SE Critical Patch Update Advisory of April 2014
   http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html

- ------------------------------------------------------------------------

6. Change log

   2014-09-09 VMSA-2014-0008
   Initial security advisory in conjunction with the release of vSphere
   5.5 Update 2 on 2014-09-09.

- ------------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

   security-announce at lists.vmware.com
   bugtraq at securityfocus.com
   fulldisclosure at seclists.org

   E-mail: security at vmware.com
   PGP key at: http://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html

   Twitter
   https://twitter.com/VMwareSRC

   Copyright 2014 VMware Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.3.0 (Build 8741)
Charset: utf-8

wj8DBQFUD2LADEcm8Vbi9kMRAp0lAKCCB15Aa21ThBMqWRJTeYEweSVrdQCaAsNC
he8AihUDo3UB9amCBiImxq0=
=W0+t
-----END PGP SIGNATURE-----
UPDATED: VMSA-2014-0007.2 – VMware product updates address security vulnerabilities in Apache Struts library
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID: VMSA-2014-0007.2
Synopsis:    VMware product updates address security vulnerabilities
             in Apache Struts library
Issue date:  2014-06-24
Updated on:  2014-09-09
CVE number:  CVE-2014-0050, CVE-2014-0094, CVE-2014-0112
- ------------------------------------------------------------------------

1. Summary

   VMware product updates address security vulnerabilities in Apache
   Struts library

2. Relevant releases

   VMware vCenter Operations Management Suite prior to 5.8.2
   VMware vCenter Operations Management Suite prior to 5.7.3
   VMware vCenter Orchestrator prior to 5.5.2

3. Problem Description

   a. The Apache Struts library is updated to version 2.3.16.2 to
   address multiple security issues.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the names CVE-2014-0050, CVE-2014-0094, and CVE-2014-0112 to
   these issues.

   CVE-2014-0112 may lead to remote code execution. This issue was found
   to be only partially addressed in CVE-2014-0094. CVE-2014-0050 may
   lead to a denial of service condition.

   vCenter Operations Management Suite (vCOps) is affected by both
   CVE-2014-0112 and CVE-2014-0050. Exploitation of CVE-2014-0112 may
   lead to remote code execution without authentication.

   vCenter Orchestrator (vCO) is affected by CVE-2014-0050 and not by
   CVE-2014-0112.

   Workaround

   A workaround for CVE-2014-0112 is documented in VMware Knowledge Base
   article 2081470.

   Column 4 of the following table lists the action required to
   remediate the vulnerability in each release, if a solution is
   available.

   VMware    Product  Running  Replace with/
   Product   Version  on       Apply Patch
   ========  =======  =======  ==================
   vCOPS     5.8.x    any      vCOPS 5.8.2
   vCOPS     5.7.x    any      vCOPS 5.7.3
   vCO       5.5      any      vCO 5.5.2
   vCO       5.1      any      patch pending
   vCO       4.2      any      patch pending

4. Solution

   Please review the patch/release notes for your product and version
   and verify the checksum of your downloaded file.

   vCenter Operations Management Suite 5.8.2 and 5.7.3
   ---------------------------------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/download-vcops

   vCenter Orchestrator 5.5.2
   --------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/download-vsphere

5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0050
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0094
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0112
   http://kb.vmware.com/kb/2081470

- ------------------------------------------------------------------------

6. Change log

   2014-06-24 VMSA-2014-0007
   Initial security advisory in conjunction with the release of vCenter
   Operations Management Suite 5.8.2 on 2014-06-24.

   2014-07-11 VMSA-2014-0007.1
   Updated security advisory in conjunction with the release of vCenter
   Operations Management Suite 5.7.3 on 2014-07-10.

   2014-09-09 VMSA-2014-0007.2
   Updated security advisory in conjunction with the release of vCenter
   Orchestrator 5.5.2 on 2014-09-09.

- ------------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

   security-announce at lists.vmware.com
   bugtraq at securityfocus.com
   fulldisclosure at seclists.org

   E-mail: security at vmware.com
   PGP key at: http://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html

   Twitter
   https://twitter.com/VMwareSRC

   Copyright 2014 VMware Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.3.0 (Build 8741)
Charset: utf-8

wj8DBQFUD2OBDEcm8Vbi9kMRAvS6AKDqvOoAKkUoghqYONuEBm98u8/ZoACg1/s3
Sxk/o2UW00LIgdOXpUKB9D4=
=nRjh
-----END PGP SIGNATURE-----
The Net Neutrality Battle Is Like Gangs .. It Never Dies
Today companies and public interest organizations across the country are protesting to urge the U.S. Federal Communications Commission to maintain the principle of net neutrality on the Internet. This battle has been going on for many years as different interests try to create public policies that best serve their own business goals. This isn't inherently bad, except when it's at the expense of users and broader public interests. ISPs and cable providers are proposing a scheme that would allow web sites and service providers to pay more so their sites could be accessed faster by users online, effectively creating a "fast lane" and a "slow lane" on the Internet. This is a fine idea if you can pay and you're in the fast lane, but unfortunately for those that can't pay, their users (perhaps you and me) will likely get a degraded and slower Internet experience. It will also make the web sites and services of those that can't pay less competitive and further accelerate the digital divide.
Net neutrality is a core principle that's made the Internet work for a long time. It ensures that all content is treated equally and without discrimination by those that pass the bits along. For example, imagine that Comcast, the largest ISP, concludes the proposed merger with Time Warner, the second largest ISP (which also owns HBO), and could then make online access to its own HBO content faster than the video content provided by competitors like Apple, Netflix and Roku. Suppose they didn't like editorials that were critical of their organization, and made it harder for people to access them by making them slow. The Internet wouldn't work and we wouldn't have the robust market of ideas that the Internet affords us. Of course there are reasonable network management requirements that may impinge on the ideological goal, but net neutrality as a principle enables the Internet to fulfill its potential as an information medium that provides a rich, uncensored, although sometimes messy, diverse set of ideas and information.
Today, AVG joined many others in the "Internet Slowdown" campaign to encourage the FCC to take a stand and reject policies that would undermine net neutrality. And just like in the movie "Colors", unless you take action, this issue will never die. You can learn more in this nifty infographic called A Guide to the Open Internet or find out how to let your voice be heard at Fight for the Future.
DSA-3020 acpi-support – security update
During a review for EDF, Raphael Geissert discovered that the
acpi-support package did not properly handle data obtained from a
user’s environment. This could lead to program malfunction or allow a
local user to escalate privileges to the root user due to a programming
error.
DSA-3022 curl – security update
Two vulnerabilities have been discovered in cURL, a URL transfer
library. They can be used to leak cookie information:
Microsoft Releases September 2014 Security Bulletin
Original release date: September 09, 2014
Microsoft released updates to address vulnerabilities in Windows, .NET Framework, Internet Explorer and Lync Server as part of the Microsoft Security Bulletin Summary for September 2014. Some of these vulnerabilities could allow remote code execution, elevation of privilege, or denial of service.
US-CERT encourages users and administrators to review the bulletin and apply the necessary updates.
Adobe Patches Host of Memory Bugs in Flash Player
Adobe announced security updates and a new version of Flash Player for Windows, Mac and Linux; the company also announced it was postponing a scheduled update for Reader and Acrobat.