-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2015-0007.4
Synopsis: VMware vCenter and ESXi updates address critical security
issues
Issue date: 2015-10-01
Updated on: 2016-04-27
CVE number: CVE-2015-5177 CVE-2015-2342 CVE-2015-1047
- ------------------------------------------------------------------------
1. Summary
VMware vCenter and ESXi updates address critical security issues.
NOTE: See section 3.b for a critical update on an incomplete fix
for the JMX RMI issue.
2. Relevant Releases
VMware ESXi 5.5 without patch ESXi550-201509101-SG
VMware ESXi 5.1 without patch ESXi510-201510101-SG
VMware ESXi 5.0 without patch ESXi500-201510101-SG
VMware vCenter Server 6.0 prior to version 6.0.0b
VMware vCenter Server 5.5 prior to version 5.5 update 3
VMware vCenter Server 5.1 prior to version 5.1 update u3b
VMware vCenter Server 5.0 prior to version 5.0 update u3e
3. Problem Description
a. VMWare ESXi OpenSLP Remote Code Execution
VMware ESXi contains a double free flaw in OpenSLP's
SLPDProcessMessage() function. Exploitation of this issue may
allow an unauthenticated attacker to remotely execute code on
the ESXi host.
VMware would like to thank Qinghao Tang of QIHU 360 for reporting
this issue to us.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the identifier CVE-2015-5177 to this issue.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======= ======= =================
ESXi 6.0 ESXi not affected
ESXi 5.5 ESXi ESXi550-201509101-SG*
ESXi 5.1 ESXi ESXi510-201510101-SG
ESXi 5.0 ESXi ESXi500-201510101-SG
* Customers who have installed the complete set of ESXi 5.5 U3
Bulletins, please review VMware KB 2133118. KB 2133118 documents
a known non-security issue and provides a solution.
b. VMware vCenter Server JMX RMI Remote Code Execution
VMware vCenter Server contains a remotely accessible JMX RMI
service that is not securely configured. An unauthenticated remote
attacker who is able to connect to the service may be able to use
it to execute arbitrary code on the vCenter Server. A local attacker
may be able to elevate their privileges on vCenter Server.
vCenter Server Appliance (vCSA) 5.1, 5.5 and 6.0 has remote access
to the JMX RMI service (port 9875) blocked by default.
VMware would like to thank Doug McLeod of 7 Elements Ltd and an
anonymous researcher working through HP's Zero Day Initiative for
reporting this issue to us.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the identifier CVE-2015-2342 to this issue.
CRITICAL UPDATE
VMSA-2015-0007.2 and earlier versions of this advisory documented
that CVE-2015-2342 was addressed in vCenter Server 5.0 U3e,
5.1 U3b, and 5.5 U3. Subsequently, it was found that the fix for
CVE-2015-2342 in vCenter Server 5.0 U3e, 5.1 U3b, and
5.5 U3/U3a/U3b running on Windows was incomplete and did not
address the issue.
In order to address the issue on these versions of vCenter Server
Windows, an additional patch must be installed. This additional
patch is available from VMware Knowledge Base (KB) article
2144428. Alternatively, on vSphere 5.5 updating to vCenter Server
5.5 U3d running on Windows will remediate the issue.
In case the Windows Firewall is enabled on the system that has
vCenter Server Windows installed, remote exploitation of
CVE-2015-2342 is not possible. Even if the Windows Firewall is
enabled, users are advised to install the additional patch in
order to remove the local privilege elevation.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======= ======= ===============
VMware vCenter Server 6.0 Any 6.0.0b and above
VMware vCenter Server 5.5 Windows (5.5 U3/U3a/U3b + KB*)
or 5.5 U3d
VMware vCenter Server 5.5 Linux 5.5 U3 and above
VMware vCenter Server 5.1 Windows 5.1 U3b + KB*
VMware vCenter Server 5.1 Linux 5.1 U3b
VMware vCenter Server 5.0 Windows 5.0 U3e + KB*
VMware vCenter Server 5.0 Linux 5.0 U3e
* An additional patch provided in VMware KB article 2144428 must be
installed on vCenter Server Windows 5.0 U3e, 5.1 U3b, 5.5 U3,
5.5 U3a, and 5.5 U3b in order to remediate CVE-2015-2342.
This patch is not needed when updating to 5.5 U3d or when
installing 5.5 U3d.
c. VMware vCenter Server vpxd denial-of-service vulnerability
VMware vCenter Server does not properly sanitize long heartbeat
messages. Exploitation of this issue may allow an unauthenticated
attacker to create a denial-of-service condition in the vpxd
service.
VMware would like to thank the Google Security Team for reporting
this issue to us.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the identifier CVE-2015-1047 to this issue.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======= ======= ==============
VMware vCenter Server 6.0 Any not affected
VMware vCenter Server 5.5 Any 5.5u2
VMware vCenter Server 5.1 Any 5.1u3
VMware vCenter Server 5.0 Any 5.0u3e
4. Solution
Please review the patch/release notes for your product and version
and verify the checksum of your downloaded file.
ESXi
--------------------------------
Downloads:
https://www.vmware.com/patchmgr/findPatch.portal
Documentation:
http://kb.vmware.com/kb/2110247
http://kb.vmware.com/kb/2114875
http://kb.vmware.com/kb/2120209
vCenter Server
--------------------------------
Downloads and Documentation:
https://www.vmware.com/go/download-vsphere
5. References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5177
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2342
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1047
VMware Knowledge Base articles
http://kb.vmware.com/kb/2133118
http://kb.vmware.com/kb/2144428
- ------------------------------------------------------------------------
6. Change log
2015-10-01 VMSA-2015-0007
Initial security advisory in conjunction with ESXi 5.0, 5.1 patches
and VMware vCenter Server 5.1 u3b, 5.0 u3e on 2015-10-01.
2015-10-06 VMSA-2015-0007.1
Updated security advisory in conjunction with the release of ESXi 5.5
U3a on 2015-10-06. Added a note to section 3.a to alert customers to
a non-security issue in ESXi 5.5 U3 that is addressed in ESXi 5.5 U3a.
2015-10-20 VMSA-2015-0007.2
Updated security advisory to reflect that CVE-2015-2342 is fixed in
an earlier vCenter Server version (6.0.0b) than originally reported
(6.0 U1) and that the port required to exploit the vulnerability is
blocked in the appliance versions of the software (5.1 and above).
2016-02-12 VMSA-2015-0007.3
Updated security advisory to add that an additional patch is required
on vCenter Server 5.0 U3e, 5.1 U3b and 5.5 U3/U3a/U3b running on
Windows to remediate CVE-2015-2342.
2016-04-27 VMSA-2015-0007.4
Updated security advisory to add that vCenter Server 5.5 U3d running on
Windows addresses CVE-2105-2342 without the need to install the
additional patch.
- ------------------------------------------------------------------------
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
security-announce at lists.vmware.com
bugtraq at securityfocus.com
fulldisclosure at seclists.org
E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
Consolidated list of VMware Security Advisories
http://kb.vmware.com/kb/2078735
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
Twitter
https://twitter.com/VMwareSRC
Copyright 2015 VMware Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8
wj8DBQFXITeXDEcm8Vbi9kMRAjyyAKDx36MfXmXrYcm0qbyK5L7Xc+BJ0gCgimdm
IcC5O8GNlscBblUBH3vTwaI=
=PIWY
-----END PGP SIGNATURE-----