-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2015-0003.1
Synopsis: VMware product updates address critical information
disclosure issue in JRE.
Issue date: 2015-04-02
Updated on: 2015-04-09
CVE number: CVE-2014-6593, for other CVEs see JRE reference
- ------------------------------------------------------------------------
1. Summary
VMware product updates address critical information disclosure
issue in JRE.
2. Relevant Releases
Horizon View 6.x or 5.x
Horizon Workspace Portal Server 2.1 or 2.0
Horizon DaaS Platform 6.1.4 or 5.4.5
vRealize Operations Manager 6.0
vCenter Operations Manager 5.8.x or 5.7.x
vRealize Application Services 6.2 or 6.1
vCloud Application Director 6.0
vRealize Automation 6.2 or 6.1
vCloud Automation Center 6.0.1
vSphere Replication prior to 5.8.0.2 or 5.6.0.3
vRealize Automation 6.2.x or 6.1.x
vRealize Code Stream 1.1 or 1.0
vRealize Hyperic 5.8.x, 5.7.x or 5.0.x
vSphere AppHA Prior to 1.1.x
vCenter Chargeback Manager 2.7 or 2.6
vRealize Business Standard prior to 1.1.x or 1.0.x
NSX for Multi-Hypervisor prior to 4.2.4
vCloud Director prior to 5.5.3
vCloud Director Service Providers prior to 5.6.4.1
vRealize Configuration Manager 5.7.x or 5.6.x
vRealize Infrastructure 5.8 or 5.7
vRealize Log Insight 2.5, 2.0, 1.5 or 1.0
3. Problem Description
a. Oracle JRE Update
Oracle JRE is updated in VMware products to address a
critical security issue that existed in earlier releases of
Oracle JRE.
VMware products running JRE 1.7 Update 75 or newer and
JRE 1.6 Update 91 or newer are not vulnerable to CVE-2014-6593,
as documented in the Oracle Java SE Critical Patch Update
Advisory of January 2015.
This advisory also includes the other security issues that
are addressed in JRE 1.7 Update 75 and JRE 1.6 Update 91. The
References section provides a link to the JRE advisory.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the identifier CVE-2014-6593 to this issue. This
issue is also known as "SKIP" or "SKIP-TLS".
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch**
============= ======= ======= =================
Horizon View 6.x any 6.1
Horizon View 5.x any 5.3.4
Horizon Workspace Portal 2.1 ,2.0 any 2.1.1
Server
Horizon DaaS Platform 6.1 any 6.1.4
Horizon DaaS Platform 6.0 any patch pending
Horizon DaaS Platform 5.4 any 5.4.5
vCloud Networking and Security 5.5 any patch pending*
vCloud Connector 2.7 any patch pending*
vCloud Usage Meter 3.3 any patch pending*
vCenter Site Recovery Manager 5.5.x any patch pending***
vCenter Site Recovery Manager 5.1.x any patch pending***
vCenter Site Recovery Manager 5.0.x any patch pending***
vCenter Server 6.0 any patch pending
vCenter Server 5.5 any patch pending
vCenter Server 5.1 any patch pending
vCenter Server 5.0 any patch pending
vRealize Operations Manager 6.0 any KB2112028
vCenter Operations Manager 5.8.x any KB2111172
vCenter Operations Manager 5.7.x any KB2111172
vCenter Support Assistant 5.5.1.x any patch pending
vRealize Application Services 6.2 any KB2111981
vRealize Application Services 6.1 any KB2111981
vCloud Application Director 6.0 any KB2111981
vCloud Application Director 5.2 any KB2111981
vRealize Automation 6.2 any KB2111658
vRealize Automation 6.1 any KB2111658
vCloud Automation Center 6.0.1 any KB2111658
vRealize Code Stream 1.1 any KB2111658
vRealize Code Stream 1.0 any KB2111658
vPostgres 9.3.x any patch pending
vPostgres 9.2.x any patch pending
vPostgres 9.1.x any patch pending
vSphere Replication 5.8.1 any patch pending
vSphere Replication 5.8.0 any 5.8.0.2
vSphere Replication 5.6.0 any 5.6.0.3
vSphere Replication 5.1 any patch pending
vSphere Storage Appliance 5.x any patch pending*
vRealize Hyperic 5.8 any KB2111337
vRealize Hyperic 5.7 any KB2111337
vRealize Hyperic 5.0 any KB2111337
vSphere AppHA 1.1 any KB2111336
vSphere Big Data Extensions 2.1 any patch pending*
vSphere Big Data Extensions 2.0 any patch pending*
vSphere Data Protection 6.0 any patch pending*
vSphere Data Protection 5.8 any patch pending*
vSphere Data Protection 5.5 any patch pending*
vSphere Data Protection 5.1 any patch pending*
vCenter Chargeback Manager 2.7 any KB2112011*
vCenter Chargeback Manager 2.6 any KB2113178*
vRealize Business Adv/Ent 8.1 any patch pending*
vRealize Business Adv/Ent 8.0 any patch pending*
vRealize Business Standard 6.0 any KB2111802
vRealize Business Standard 1.1 any KB2111802
vRealize Business Standard 1.0 any KB2111802
NSX for vSphere 6.1 any patch pending*
NSX for Multi-Hypervisor 4.2 any 4.2.4*
vCloud Director 5.5.x any 5.5.3*
vCloud Director For 5.6.4 any 5.6.4.1*
Service Providers
vCenter Application Discovery 7.0 any patch pending*
Manager
vRealize Configuration Manager 5.7.x any KB2111670
vRealize Configuration Manager 5.6 any KB2111670
vRealize Infrastructure 5.8 any 5.8.4
Navigator
vRealize Infrastructure 5.7 any KB2111334*
Navigator
vRealize Orchestrator 6.0 any patch pending*
vRealize Orchestrator 5.2 any patch pending*
vRealize Orchestrator 5.1 any patch pending*
vShield 5.5 any patch pending*
vRealize Log Insight 2.5 any KB2113235*
vRealize Log Insight 2.0 any KB2113235*
vRealize Log Insight 1.5 any KB2113235*
vRealize Log Insight 1.0 any KB2113235*
vSphere Management Assistant 5.x any patch pending
vSphere Update Manager 6.0 any patch pending*
vSphere Update Manager 5.5 any patch pending*
vSphere Update Manager 5.1 any patch pending*
vSphere Update Manager 5.0 any patch pending*
* The severity of critical is lowered to important for this product
as is not considered Internet facing
** Knowledge Base (KB) articles provides details of the patches and
how to install them.
*** vCenter Site Recovery Manager 5.0, 5.1, and 5.5 itself do not
include JRE but they include the vSphere Replication appliance
which has JRE. vCenter Site Recovery 5.8 and 6.0 do not include
JRE nor the vSphere Replication appliance.
4. Solution
Please review the patch/release notes for your product and
version and verify the checksum of your downloaded file.
Horizon View 6.1, 5.3.4:
========================
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=VIEW-610-GA&productI
d=492
https://my.vmware.com/web/vmware/details?downloadGroup=VIEW-534-PREMIER&pro
ductId=396
VMware Workspace Portal 2.1.1
=============================
Download:
https://my.vmware.com/web/vmware/details?downloadGroup=HZNWS211&productId=5
01&rPId=7586
Documentation:
https://www.vmware.com/support/horizon_workspace/doc/wp_release_notes_211.h
tml
Horizon DaaS Platform 6.1.4
===========================
Download:
https://my.vmware.com/web/vmware/details?downloadGroup=HORIZON-DAAS-610-BIN
&productId=405&rPId=6527
Horizon DaaS Platform 5.4.5
===========================
Download:
https://my.vmware.com/web/vmware/details?downloadGroup=HORIZON-DAAS-ONPREM-
540&productId=398&rPId=5214
vRealize Operations Manager 6.0.1
=================================
Downloads and Documentation: http://kb.vmware.com/kb/2112028
vRealize Application Services 6.2, 6.1
======================================
Downloads and Documentation: http://kb.vmware.com/kb/2111981
vCloud Application Director 6.0
======================================
Downloads and Documentation: http://kb.vmware.com/kb/2111981
vCloud Director for Service Providers 5.6.4.1
=============================================
Downloads and Documentation:
https://www.vmware.com/support/pubs/vcd_sp_pubs.html
vCenter Operations Manager 6.0, 5.8.5, 5.7.4
=======================================
Downloads and Documentation: http://kb.vmware.com/kb/2111172
vCloud Automation Center 6.0.1.2
================================
Downloads and Documentation: http://kb.vmware.com/kb/2111685
vSphere Replication 5.8.0.2, 5.6.0.3
====================================
Downloads:
https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5802
https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5603
Documentation:
http://kb.vmware.com/kb/2112025
http://kb.vmware.com/kb/2112022
vRealize Automation 6.2.1, 6.1.1
================================
Downloads and Documentation: http://kb.vmware.com/kb/2111658
vRealize Code Stream 1.1, 1.0
=============================
Downloads and Documentation: http://kb.vmware.com/kb/2111685
vRealize Hyperic 5.8.4, 5.7.2, 5.0.3
====================================
Downloads and Documentation: http://kb.vmware.com/kb/KB2111337
vSphere AppHA 1.1.1
===================
Downloads and Documentation: http://kb.vmware.com/kb/2111336
vCenter Chargeback Manager 2.7
====================================
Downloads and Documentation: http://kb.vmware.com/kb/2112011
vCenter Chargeback Manager 2.6
====================================
Downloads and Documentation: http://kb.vmware.com/kb/2113178
vRealize Business Standard 6.0, 1.1 , 1.0
=======================================
Downloads and Documentation: http://kb.vmware.com/kb/2111802
vRealize Configuration Manager 5.7.3
===================================
Downloads and Documentation: http://kb.vmware.com/kb/2111670
vRealize Infrastructure Navigator 5.8.4
=======================================
Download:
https://my.vmware.com/web/vmware/details?downloadGroup=VIN_584&productId=47
6
vRealize Infrastructure Navigator 5.7
=====================================
Downloads and Documentation: http://kb.vmware.com/kb/2111334
5. References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6593
JRE
Oracle Java SE Critical Patch Update Advisory of January 2015
http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
- ------------------------------------------------------------------------
6. Change log
2015-04-02 VMSA-2015-0003
Initial security advisory in conjunction with the release of VMware
Horizon View 6.1, 5.3.4; vCenter Operations Manager 5.8.5;
vCenter Operations Manager 5.7.4; vCloud Automation Center
6.0.1.2; vSphere Replication 5.8.0.2, 5.6.0.3; vRealize
Automation 6.2.1, 6.1.1; vRealize Code Stream 1.1, 1.0;
vRealize Hyperic 5.8.4, 5.7.2, 5.0.3; vSphere AppHA 1.1.1;
vRealize Business Standard 1.1.1, 1.0.1; vRealize Configuration
Manager prior to 5.7.3; vRealize Infrastructure 5.7, 5.8.4 Patches
released on 2015-04-02.
2015-04-09 VMSA-2015-0003.1
Initial security advisory in conjunction with the release of VMware
Horizon DaaS Platform 6.1.4, 5.4.5; vRealize Operations Manager 6.0;
vRealize Application Services 6.2; vRealize Application Services 6.1;
vCloud Application Director 6.0; vCenter Chargeback Manager 2.7, 2.6;
vCloud Director For Service Providers 5.6.4.1;
vRealize Log Insight 2.5, 2.0, 1.5, 1.0 Patches
released on 2015-04-09.
- ------------------------------------------------------------------------
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
security-announce at lists.vmware.com
bugtraq at securityfocus.com
fulldisclosure at seclists.org
E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
Consolidated list of VMware Security Advisories
http://kb.vmware.com/kb/2078735
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
Twitter
https://twitter.com/VMwareSRC
Copyright 2015 VMware Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.3.0 (Build 8741)
Charset: utf-8
wj8DBQFVJvoJDEcm8Vbi9kMRAuK6AKCNUgtSbHFVZ3QovAUJZyYX68sxQgCeLWoD
fO7UbDkp1+c7pNQ0y6ErD24=
=Mn/A
-----END PGP SIGNATURE-----
Monthly Archives: April 2015
WP Super Cache Cross-Site Scripting (XSS) Vulnerability
Original release date: April 09, 2015
WP Super Cache, a WordPress plugin, contains a persistent XSS vulnerability in versions prior to 1.4.4. Exploitation of this vulnerability could allow a remote attacker to take control of the affected system.
Users and administrators are encouraged to review the WP Super Cache Changelog for more information and update to version 1.4.4 if affected.
This product is provided subject to this Notification and this Privacy & Use policy.
APPLE-SA-2015-04-08-5 Xcode 6.3
From: Apple Product Security
Reply to list
APPLE-SA-2015-04-08-5 Xcode 6.3 Xcode 6.3 is now available and addresses the following: Clang Available for: OS X Mavericks v10.9.4 or later Impact: An attacker may be able to bypass stack guards Description: A register allocation issue existed in clang which [...]
Bugtraq: APPLE-SA-2015-04-08-5 Xcode 6.3
APPLE-SA-2015-04-08-5 Xcode 6.3
Bugtraq: [ MDVSA-2015:198 ] java-1.8.0-openjdk
[ MDVSA-2015:198 ] java-1.8.0-openjdk
Bugtraq: SEC Consult SA-20150409-0 :: Multiple XSS & XSRF vulnerabilities in Comalatech Comala Workflows
SEC Consult SA-20150409-0 :: Multiple XSS & XSRF vulnerabilities in Comalatech Comala Workflows
Bugtraq: [SECURITY] [DSA 3217-1] dpkg security update
[SECURITY] [DSA 3217-1] dpkg security update
Debian Security Advisory 3217-1
Debian Linux Security Advisory 3217-1 – Jann Horn discovered that the source package integrity verification in dpkg-source can be bypassed via a specially crafted Debian source control file (.dsc). Note that this flaw only affects extraction of local Debian source packages via dpkg-source but not the installation of packages from the Debian archive.
Barracuda Firmware 5.0.0.012 Post-Auth Remote Root
This Metasploit module exploits a remote command execution vulnerability in Barracuda Firmware versions 5.0.0.012 and below by exploiting a vulnerability in the web administration interface. By sending a specially crafted request it’s possible to inject system commands while escalating to root do to relaxed sudo configuration on the local machine.
MDVSA-2015:198: java-1.8.0-openjdk
Multiple vulnerabilities has been discovered and corrected in
java-1.8.0-openjdk:
Multiple flaws were found in the way the Hotspot component in OpenJDK
verified bytecode from the class files, and in the way this component
generated code for bytecode. An untrusted Java application or applet
could possibly use these flaws to bypass Java sandbox restrictions
(CVE-2014-6601, CVE-2015-0437).
Multiple improper permission check issues were discovered in the
JAX-WS, Libraries, and RMI components in OpenJDK. An untrusted Java
application or applet could use these flaws to bypass Java sandbox
restrictions (CVE-2015-0412, CVE-2014-6549, CVE-2015-0408).
A flaw was found in the way the Hotspot garbage collector handled
phantom references. An untrusted Java application or applet could
use this flaw to corrupt the Java Virtual Machine memory and,
possibly, execute arbitrary code, bypassing Java sandbox restrictions
(CVE-2015-0395).
A flaw was found in the way the DER (Distinguished Encoding Rules)
decoder in the Security component in OpenJDK handled negative length
values. A specially crafted, DER-encoded input could cause a Java
application to enter an infinite loop when decoded (CVE-2015-0410).
A flaw was found in the way the SSL 3.0 protocol handled padding bytes
when decrypting messages that were encrypted using block ciphers in
cipher block chaining (CBC) mode. This flaw could possibly allow a
man-in-the-middle (MITM) attacker to decrypt portions of the cipher
text using a padding oracle attack (CVE-2014-3566).
Note: This update disables SSL 3.0 by default to address this
issue. The jdk.tls.disabledAlgorithms security property can be used
to re-enable SSL 3.0 support if needed. For additional information,
refer to the Red Hat Bugzilla bug linked to in the References section.
It was discovered that the SSL/TLS implementation in the JSSE component
in OpenJDK failed to properly check whether the ChangeCipherSpec was
received during the SSL/TLS connection handshake. An MITM attacker
could possibly use this flaw to force a connection to be established
without encryption being enabled (CVE-2014-6593).
An information leak flaw was found in the Swing component in
OpenJDK. An untrusted Java application or applet could use this flaw
to bypass certain Java sandbox restrictions (CVE-2015-0407).
A NULL pointer dereference flaw was found in the MulticastSocket
implementation in the Libraries component of OpenJDK. An untrusted
Java application or applet could possibly use this flaw to bypass
certain Java sandbox restrictions (CVE-2014-6587).
Multiple boundary check flaws were found in the font parsing code
in the 2D component in OpenJDK. A specially crafted font file could
allow an untrusted Java application or applet to disclose portions
of the Java Virtual Machine memory (CVE-2014-6585, CVE-2014-6591).
Multiple insecure temporary file use issues were found in the way the
Hotspot component in OpenJDK created performance statistics and error
log files. A local attacker could possibly make a victim using OpenJDK
overwrite arbitrary files using a symlink attack (CVE-2015-0383).
The updated packages provides a solution for these security issues.