-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - -------------------------------------------------------------------------- VMware Security Advisory Advisory ID: VMSA-2016-0005.4 Synopsis: VMware product updates address critical and important security issues Issue date: 2016-05-17 Updated on: 2016-06-14 CVE number: CVE-2016-3427, CVE-2016-2077 - ------------------------------------------------------------------------ 1. Summary VMware product updates address critical and important security issues. 2. Relevant Releases vCenter Server 6.0 on Windows without workaround of KB 2145343 vCenter Server 6.0 on Linux (VCSA) prior to 6.0.0b vCenter Server 5.5 prior to 5.5 U3d (on Windows), 5.5 U3 (VCSA) vCenter Server 5.1 prior to 5.1 U3b vCenter Server 5.0 prior to 5.0 U3e vCloud Director prior to 8.0.1.1 vCloud Director prior to 5.6.5.1 vCloud Director prior to 5.5.6.1 vSphere Replication prior to 6.1.1 vSphere Replication prior to 6.0.0.3 vSphere Replication prior to 5.8.1.2 vSphere Replication prior to 5.6.0.6 vRealize Operations Manager 6.x (non-appliance version) vRealize Infrastructure Navigator prior to 5.8.6 VMware Workstation prior to 11.1.3 VMware Player prior to 7.1.3 3. Problem Description a. Critical JMX issue when deserializing authentication credentials The RMI server of Oracle JRE JMX deserializes any class when deserializing authentication credentials. This may allow a remote, unauthenticated attacker to cause deserialization flaws and execute their commands. Workarounds CVE-2016-3427 vCenter Server Apply the steps of VMware Knowledge Base article 2145343 to vCenter Server 6.0 on Windows. See the table below for the specific vCenter Server 6.0 versions on Windows this applies to. vCloud Director No workaround identified vSphere Replication No workaround identified vRealize Operations Manager (non-appliance) The non-appliance version of vRealize Operations Manager (vROps), which can be installed on Windows and Linux has no default firewall. In order to remove the remote exploitation possibility, access to the following external ports will need to be blocked on the system where the non-appliance version of vROps is installed: - vROps 6.2.x: port 9004, 9005, 9006, 9007, 9008 - vROps 6.1.x: port 9004, 9005, 9007, 9008 - vROps 6.0.x: port 9004, 9005 Note: These ports are already blocked by default in the appliance version of vROps. vRealize Infrastructure Navigator No workaround identified The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2016-3427 to this issue. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ====================== ========= ======= ============= vCenter Server 6.0 Windows 6.0.0b + KB 2145343 * vCenter Server 6.0 Linux 6.0.0b vCenter Server 5.5 Windows (5.5 U3b + KB 2144428 **) or 5.5 U3d vCenter Server 5.5 Linux 5.5 U3 vCenter Server 5.1 Windows (5.1 U3b + KB 2144428 **) or 5.1U3d vCenter Server 5.1 Linux 5.1 U3b vCenter Server 5.0 Windows (5.0 U3e + KB 2144428 **) or 5.0 U3g vCenter Server 5.0 Linux 5.0 U3e vCloud Director 8.0.x Linux 8.0.1.1 vCloud Director 5.6.x Linux 5.6.5.1 vCloud Director 5.5.x Linux 5.5.6.1 vSphere Replication 6.1.x Linux 6.1.1 *** vSphere Replication 6.0.x Linux 6.0.0.3 *** vSphere Replication 5.8.x Linux 5.8.1.2 *** vSphere Replication 5.6.x Linux 5.6.0.6 *** vROps (non-appliance) 6.x All Apply workaround vROps (appliance) 6.x Linux Not affected vRealize Infrastructure 5.8.x All 5.8.6 Navigator * Remote and local exploitation is feasible on vCenter Server 6.0 and 6.0.0a for Windows. Remote exploitation is not feasible on vCenter Server 6.0.0b (and above) for Windows but local exploitation is. The local exploitation possibility can be removed by applying the steps of KB 2145343 to vCenter Server 6.0.0b (and above) for Windows. ** See VMSA-2015-0007 for details. vCenter Server 5.5 U3d, 5.1 U3d, and 5.0 U3g running on Windows address CVE-2016-3427 without the need to install the additional patch of KB 2144428 documented in VMSA-2015-0007. *** vSphere Replication is affected if its vCloud Tunneling Agent is running, which is not enabled by default. This agent is used in environments that replicate data between the cloud and an on-premise datacenter. b. Important VMware Workstation and Player for Windows host privilege escalation vulnerability. VMware Workstation and Player for Windows do not properly reference one of their executables. This may allow a local attacker on the host to elevate their privileges. VMware would like to thank Andrew Smith of Sword & Shield Enterprise Security for reporting this issue to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2016-2077 to this issue. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ================== ======= ======= ================= VMware Workstation 12.x any not affected VMware Workstation 11.x Windows 11.1.3 VMware Workstation 11.x Linux not affected VMware Player 8.x any not affected VMware Player 7.x Windows 7.1.3 VMware Player 7.x Linux not affected 4. Solution Please review the patch/release notes for your product and version and verify the checksum of your downloaded file. vCenter Server -------------- Downloads and Documentation: https://www.vmware.com/go/download-vsphere vCloud Director --------------- Downloads and Documentation: https://www.vmware.com/go/download/vcloud-director vSphere Replication ------------------- Downloads and Documentation: https://my.vmware.com/web/vmware/get-download?downloadGroup=VR611 https://my.vmware.com/web/vmware/get-download?downloadGroup=VR6003 https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5812 https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5606 https://www.vmware.com/support/pubs/vsphere-replication-pubs.html vRealize Infrastructure Navigator --------------------------------- Downloads and Documentation: https://my.vmware.com/web/vmware/details?downloadGroup=VIN_586&productId=54 2&rPId=11127 VMware Workstation ------------------------- Downloads and Documentation: https://www.vmware.com/go/downloadworkstation VMware Player ------------- Downloads and Documentation: https://www.vmware.com/go/downloadplayer 5. References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3427 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2077 VMware Security Advisory VMSA-2015-0007 http://www.vmware.com/security/advisories/VMSA-2015-0007.html VMware Knowledge Base article 2145343 kb.vmware.com/kb/2145343 VMware Knowledge Base article 2144428 kb.vmware.com/kb/2144428 - ------------------------------------------------------------------------ 6. Change log 2016-05-17 VMSA-2016-0005 Initial security advisory in conjunction with the release of VMware vCloud Director 8.0.1.1, 5.6.5.1, and 5.5.6.1, and vSphere Replication 6.0.0.3, 5.8.1.2, and 5.6.0.6 on 2016-05-17. 2016-05-24 VMSA-2016-0005.1 Updated security advisory in conjunction with the release of vSphere 5.1 U3d on 2016-05-24. vCenter Server 5.1 U3d running on Windows addresses CVE-2016-3427 without the need to install the additional patch. 2016-05-27 VMSA-2016-0005.2 Updated security advisory in conjunction with the release of vSphere Replication 6.1.1 on 2016-05-26. 2016-06-03 VMSA-2016-0005.3 Updated security advisory in conjunction with the release of vRealize Infrastructure Navigator 5.8.6 on 2016-06-02 2016-06-14 VMSA-2016-0005.4 Updated security advisory in conjunction with the release of vSphere 5.0 U3g on 2016-06-14. vCenter Server 5.0 U3g running on Windows addresses CVE-2016-3427 without the need to install the additional patch. - ------------------------------------------------------------------------ 7. Contact E-mail list for product security notifications and announcements: http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce This Security Advisory is posted to the following lists: security-announce at lists.vmware.com bugtraq at securityfocus.com fulldisclosure at seclists.org E-mail: security at vmware.com PGP key at: https://kb.vmware.com/kb/1055 VMware Security Advisories http://www.vmware.com/security/advisories Consolidated list of VMware Security Advisories http://kb.vmware.com/kb/2078735 VMware Security Response Policy https://www.vmware.com/support/policies/security_response.html VMware Lifecycle Support Phases https://www.vmware.com/support/policies/lifecycle.html Twitter https://twitter.com/VMwareSRC Copyright 2016 VMware Inc. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.8.3 (Build 4028) Charset: utf-8 wj8DBQFXYOFvDEcm8Vbi9kMRAuovAKDtHfrRsPdxfY8NrfTvxUGH8CiQaQCdGoZY YdbtA9ZFozV6QqTZMD+G7Nk= =EBfq -----END PGP SIGNATURE-----
Category Archives: VMWare
VMWare
NEW VMSA-2016-0009 VMware vCenter Server updates address an important reflective cross-site scripting issue
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ----------------------------------------------------------------------- VMware Security Advisory Advisory ID: VMSA-2016-0009 Synopsis: VMware vCenter Server updates address an important reflective cross-site scripting issue Issue date: 2016-06-14 Updated on: 2016-06-14 (Initial Advisory) CVE number: CVE-2015-6931 - ------------------------------------------------------------------------ 1. Summary VMware vCenter Server updates address an important reflective cross-site scripting issue. 2. Relevant Releases vCenter Server 5.5 prior to 5.5 update 2d vCenter Server 5.1 prior to 5.1 update 3d vCenter Server 5.0 prior to 5.0 update 3g 3. Problem Description a. Important vCenter Server reflected cross-site scripting issue The vSphere Web Client contains a reflected cross-site scripting vulnerability due to a lack of input sanitization. An attacker can exploit this issue by tricking a victim into clicking a malicious link. VMware would like to thank Matt Schmidt for reporting this issue to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2015-6931 to this issue. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============== ======= ======= ============= vCenter Server 6.0 Any not affected vCenter Server 5.5 Any 5.5 U2d * vCenter Server 5.1 Any 5.1 U3d * vCenter Server 5.0 Any 5.0 U3g * * The client side component of the vSphere Web Client does not need to be updated to remediate CVE-2015-6931. Updating the vCenter Server is sufficient to remediate this issue. 4. Solution Please review the patch/release notes for your product and version and verify the checksum of your downloaded file. vCenter Server -------------- Downloads and Documentation: https://www.vmware.com/go/download-vsphere 5. References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6931 - ------------------------------------------------------------------------ 6. Change log 2016-06-14 VMSA-2016-0009 Initial security advisory in conjunction with the release of VMware vCenter Server 5.0 U3g on 2016-06-14. - ------------------------------------------------------------------------ 7. Contact E-mail list for product security notifications and announcements: http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce This Security Advisory is posted to the following lists: security-announce at lists.vmware.com bugtraq at securityfocus.com fulldisclosure at seclists.org E-mail: security at vmware.com PGP key at: https://kb.vmware.com/kb/1055 VMware Security Advisories http://www.vmware.com/security/advisories Consolidated list of VMware Security Advisories http://kb.vmware.com/kb/2078735 VMware Security Response Policy https://www.vmware.com/support/policies/security_response.html VMware Lifecycle Support Phases https://www.vmware.com/support/policies/lifecycle.html Twitter https://twitter.com/VMwareSRC Copyright 2016 VMware Inc. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.8.3 (Build 4028) Charset: utf-8 wj8DBQFXYODdDEcm8Vbi9kMRAhi/AJ45s8NycL/AbvIawr+DK0QhGq19QwCeIJha /NW3n6JSlZk+zaj6w33ZLyI= =CSDo -----END PGP SIGNATURE-----
UPDATED VMSA-2015-0009.3 VMware product updates address a critical deserialization vulnerability
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------------ VMware Security Advisory Advisory ID: VMSA-2015-0009.3 Synopsis: VMware product updates address a critical deserialization vulnerability Issue date: 2015-12-18 Updated on: 2016-06-14 CVE number: CVE-2015-6934 - ------------------------------------------------------------------------ 1. Summary VMware product updates address a critical deserialization vulnerability 2. Relevant Releases vRealize Orchestrator 6.x vCenter Orchestrator 5.x vRealize Operations 6.x vRealize Infrastructure Navigator 5.8.x 3. Problem Description a. Deserialization vulnerability A deserialization vulnerability involving Apache Commons-collections and a specially constructed chain of classes exists. Successful exploitation could result in remote code execution, with the permissions of the application using the Commons-collections library. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2015-6934 to this issue. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ===================== ======= ======= ================= vRealize Orchestrator 7.0 Any Not Affected vRealize Orchestrator 6.x Any See KB2141244 vCenter Orchestrator 5.x Any See KB2141244 vRealize Operations 6.x Windows 6.2 * vRealize Operations 6.x Linux Not Affected vCenter Operations 5.x Any Not Affected vCenter Application 7.x Any No patch planned * Discovery Manager (vADM) vRealize Infrastructure 5.8.x Linux 5.8.5 Navigator * Exploitation of the issue on vRealize Operations and vCenter Application Discovery Manager is limited to local privilege escalation. 4. Solution Please review the patch/release notes for your product and version and verify the checksum of your downloaded file. vRealize Orchestrator 6.x and vCenter Orchestrator 5.x Downloads and Documentation: http://kb.vmware.com/kb/2141244 vRealize Operations 6.x Release Notes http://pubs.vmware.com/Release_Notes/en/vrops/62/vrops-62-release-notes.htm l vRealize Infrastructure Navigator 5.8.5 Release Notes http://pubs.vmware.com/Release_Notes/en/vin/585/releasenotes-vin585.html 5. References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6934 - ------------------------------------------------------------------------ 6. Change log 2015-12-18 VMSA-2015-0009 Initial security advisory in conjunction with the release of vRealize Orchestrator 6.x and vCenter Orchestrator 5.x patches on 2015-12-18. 2016-01-29 VMSA-2015-0009.1 Updated security advisory in conjunction with the release of vRealize Operations 6.2 on 2016-01-28. Added a note below the table in section 3.a that exploitation of this issue in vCenter Application Discovery Manager is limited to local privilege escalation. 2016-03-15 VMSA-2015-0009.2 Updated security advisory to reflect the release of vRealize Infrastructure Navigator 5.8.5, which addresses CVE-2015-6934. 2016-06-14 VMSA-2015-0009.3 Updated security advisory to reflect that vCenter Operations 5.x is not affected (earlier versions of this advisory said “Patch Pending”). Added that no patch is planned for vCenter Application Discovery Manager. - ------------------------------------------------------------------------ 7. Contact E-mail list for product security notifications and announcements: http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce This Security Advisory is posted to the following lists: security-announce at lists.vmware.com bugtraq at securityfocus.com fulldisclosure at seclists.org E-mail: security at vmware.com PGP key at: http://kb.vmware.com/kb/1055 VMware Security Advisories http://www.vmware.com/security/advisories Consolidated list of VMware Security Advisories http://kb.vmware.com/kb/2078735 VMware Security Response Policy https://www.vmware.com/support/policies/security_response.html VMware Lifecycle Support Phases https://www.vmware.com/support/policies/lifecycle.html Twitter https://twitter.com/VMwareSRC Copyright 2015 VMware Inc. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.8.3 (Build 4028) Charset: utf-8 wj8DBQFXYOHhDEcm8Vbi9kMRAiL6AJ954G5q+cy2y3J6+tfv5DW+fwJ71QCfTXuy 3mud0ovsyCQIhMCfTOjs0Jg= =r5lg -----END PGP SIGNATURE-----
UPDATED VMSA-2015-0007.6 VMware vCenter and ESXi updates address critical security issues
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------------ VMware Security Advisory Advisory ID: VMSA-2015-0007.6 Synopsis: VMware vCenter and ESXi updates address critical security issues Issue date: 2015-10-01 Updated on: 2016-06-14 CVE number: CVE-2015-5177 CVE-2015-2342 CVE-2015-1047 - ------------------------------------------------------------------------ 1. Summary VMware vCenter and ESXi updates address critical security issues. NOTE: See section 3.b for a critical update on an incomplete fix for the JMX RMI issue. 2. Relevant Releases VMware ESXi 5.5 without patch ESXi550-201509101-SG VMware ESXi 5.1 without patch ESXi510-201510101-SG VMware ESXi 5.0 without patch ESXi500-201510101-SG VMware vCenter Server 6.0 prior to version 6.0.0b VMware vCenter Server 5.5 prior to version 5.5 update 3 VMware vCenter Server 5.1 prior to version 5.1 update u3b VMware vCenter Server 5.0 prior to version 5.0 update u3e 3. Problem Description a. VMWare ESXi OpenSLP Remote Code Execution VMware ESXi contains a double free flaw in OpenSLP's SLPDProcessMessage() function. Exploitation of this issue may allow an unauthenticated attacker to remotely execute code on the ESXi host. VMware would like to thank Qinghao Tang of QIHU 360 for reporting this issue to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2015-5177 to this issue. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======= ======= ================= ESXi 6.0 ESXi not affected ESXi 5.5 ESXi ESXi550-201509101-SG* ESXi 5.1 ESXi ESXi510-201510101-SG ESXi 5.0 ESXi ESXi500-201510101-SG * Customers who have installed the complete set of ESXi 5.5 U3 Bulletins, please review VMware KB 2133118. KB 2133118 documents a known non-security issue and provides a solution. b. VMware vCenter Server JMX RMI Remote Code Execution VMware vCenter Server contains a remotely accessible JMX RMI service that is not securely configured. An unauthenticated remote attacker who is able to connect to the service may be able to use it to execute arbitrary code on the vCenter Server. A local attacker may be able to elevate their privileges on vCenter Server. vCenter Server Appliance (vCSA) 5.1, 5.5 and 6.0 has remote access to the JMX RMI service (port 9875) blocked by default. VMware would like to thank Doug McLeod of 7 Elements Ltd and an anonymous researcher working through HP's Zero Day Initiative for reporting this issue to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2015-2342 to this issue. CRITICAL UPDATE VMSA-2015-0007.2 and earlier versions of this advisory documented that CVE-2015-2342 was addressed in vCenter Server 5.0 U3e, 5.1 U3b, and 5.5 U3. Subsequently, it was found that the fix for CVE-2015-2342 in vCenter Server 5.0 U3e, 5.1 U3b, and 5.5 U3/U3a/U3b running on Windows was incomplete and did not address the issue. In order to address the issue on these versions of vCenter Server Windows, an additional patch must be installed. This additional patch is available from VMware Knowledge Base (KB) article 2144428. Alternatively, updating to vCenter Server 5.0 U3g, 5.1 U3d, and 5.5 U3d running on Windows will remediate the issue. In case the Windows Firewall is enabled on the system that has vCenter Server Windows installed, remote exploitation of CVE-2015-2342 is not possible. Even if the Windows Firewall is enabled, users are advised to install the additional patch in order to remove the local privilege elevation. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======= ======= =============== VMware vCenter Server 6.0 Any 6.0.0b and above VMware vCenter Server 5.5 Windows (5.5 U3/U3a/U3b + KB*) or 5.5 U3d VMware vCenter Server 5.5 Linux 5.5 U3 and above VMware vCenter Server 5.1 Windows (5.1 U3b + KB*) or 5.1 U3d VMware vCenter Server 5.1 Linux 5.1 U3b and above VMware vCenter Server 5.0 Windows (5.0 U3e + KB*) or 5.0 U3g VMware vCenter Server 5.0 Linux 5.0 U3e and above * An additional patch provided in VMware KB article 2144428 must be installed on vCenter Server Windows 5.0 U3e, 5.1 U3b, 5.5 U3, 5.5 U3a, and 5.5 U3b in order to remediate CVE-2015-2342. This patch is not needed when updating to 5.0 U3g, 5.1 U3d or 5.5 U3d, or when installing 5.0 U3g, 5.1 U3d or 5.5 U3d. c. VMware vCenter Server vpxd denial-of-service vulnerability VMware vCenter Server does not properly sanitize long heartbeat messages. Exploitation of this issue may allow an unauthenticated attacker to create a denial-of-service condition in the vpxd service. VMware would like to thank the Google Security Team for reporting this issue to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2015-1047 to this issue. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======= ======= ============== VMware vCenter Server 6.0 Any not affected VMware vCenter Server 5.5 Any 5.5u2 VMware vCenter Server 5.1 Any 5.1u3 VMware vCenter Server 5.0 Any 5.0u3e 4. Solution Please review the patch/release notes for your product and version and verify the checksum of your downloaded file. ESXi -------------------------------- Downloads: https://www.vmware.com/patchmgr/findPatch.portal Documentation: http://kb.vmware.com/kb/2110247 http://kb.vmware.com/kb/2114875 http://kb.vmware.com/kb/2120209 vCenter Server -------------------------------- Downloads and Documentation: https://www.vmware.com/go/download-vsphere 5. References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5177 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2342 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1047 VMware Knowledge Base articles http://kb.vmware.com/kb/2133118 http://kb.vmware.com/kb/2144428 - ------------------------------------------------------------------------ 6. Change log 2015-10-01 VMSA-2015-0007 Initial security advisory in conjunction with ESXi 5.0, 5.1 patches and VMware vCenter Server 5.1 u3b, 5.0 u3e on 2015-10-01. 2015-10-06 VMSA-2015-0007.1 Updated security advisory in conjunction with the release of ESXi 5.5 U3a on 2015-10-06. Added a note to section 3.a to alert customers to a non-security issue in ESXi 5.5 U3 that is addressed in ESXi 5.5 U3a. 2015-10-20 VMSA-2015-0007.2 Updated security advisory to reflect that CVE-2015-2342 is fixed in an earlier vCenter Server version (6.0.0b) than originally reported (6.0 U1) and that the port required to exploit the vulnerability is blocked in the appliance versions of the software (5.1 and above). 2016-02-12 VMSA-2015-0007.3 Updated security advisory to add that an additional patch is required on vCenter Server 5.0 U3e, 5.1 U3b and 5.5 U3/U3a/U3b running on Windows to remediate CVE-2015-2342. 2016-04-27 VMSA-2015-0007.4 Updated security advisory to add that vCenter Server 5.5 U3d running on Windows addresses CVE-2105-2342 without the need to install the additional patch. 2016-05-24 VMSA-2015-0007.5 Updated security advisory to add that vCenter Server 5.1 U3d running on Windows addresses CVE-2105-2342 without the need to install the additional patch. 2016-06-14 VMSA-2015-0007.6 Updated security advisory to add that vCenter Server 5.0 U3g running on Windows addresses CVE-2105-2342 without the need to install the additional patch. - ------------------------------------------------------------------------ 7. Contact E-mail list for product security notifications and announcements: http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce This Security Advisory is posted to the following lists: security-announce at lists.vmware.com bugtraq at securityfocus.com fulldisclosure at seclists.org E-mail: security at vmware.com PGP key at: http://kb.vmware.com/kb/1055 VMware Security Advisories http://www.vmware.com/security/advisories Consolidated list of VMware Security Advisories http://kb.vmware.com/kb/2078735 VMware Security Response Policy https://www.vmware.com/support/policies/security_response.html VMware Lifecycle Support Phases https://www.vmware.com/support/policies/lifecycle.html Twitter https://twitter.com/VMwareSRC Copyright 2015 VMware Inc. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.8.3 (Build 4028) Charset: utf-8 wj8DBQFXYOI+DEcm8Vbi9kMRAo5NAKDXxOUz7aLdAbLN91d35cTgWjnBUwCgmYEe UBtln1x1l7M8vaPkawZdpNE= =c1Np -----END PGP SIGNATURE-----
New VMSA-2016-0008 VMware vRealize Log Insight addresses important and moderate security issues
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------------ VMware Security Advisory Advisory ID: VMSA-2016-0008 Synopsis: VMware vRealize Log Insight addresses important and moderate security issues. Issue date: 2016-06-09 Updated on: 2016-06-09 (Initial Advisory) CVE number: CVE-2016-2081, CVE-2016-2082 1. Summary VMware vRealize Log Insight addresses important and moderate security issues. 2. Relevant Releases VMware vRealize Log Insight prior to 3.3.2 3. Problem Description a. Important stored cross-site scripting issue in VMware vRealize Log Insight VMware vRealize Log Insight contains a vulnerability that may allow for a stored cross-site scripting attack. Exploitation of this issue may lead to the hijack of an authenticated user's session. VMware would like to thank Lukasz Plonka for reporting this issue to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2016-2081 to this issue. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch =========================== ======= ======= ================= VMware vRealize Log Insight 3.x Virtual 3.3.2 Appliance VMware vRealize Log Insight 2.x Virtual 3.3.2 Appliance b. Moderate cross-site request forgery issue in VMware vRealize Log Insight VMware vRealize Log Insight contains a vulnerability that may allow for a cross-site request forgery attack. Exploitation of this issue may lead to an attacker replacing trusted content in the Log Insight UI without the user's authorization. VMware would like to thank Lukasz Plonka for reporting this issue to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2016-2082 to this issue. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch =========================== ======= ======= ================= VMware vRealize Log Insight 3.x Virtual 3.3.2 Appliance VMware vRealize Log Insight 2.x Virtual 3.3.2 Appliance 4. Solution Please review the patch/release notes for your product and version and verify the checksum of your downloaded file. VMware vRealize Log Insight 3.3.2 Downloads and Documentation: https://my.vmware.com/en/web/vmware/info/slug/infrastructure_operations_man agement/vmware_vrealize_log_insight/3_3 5. References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2081 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2082 - ------------------------------------------------------------------------ 6. Change log 2016-06-09 VMSA-2016-0008 Initial security advisory in conjunction with the release of VMware vRealize Log Insight 3.3.2 on 2016-06-09. - ------------------------------------------------------------------------ 7. Contact E-mail list for product security notifications and announcements: http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce This Security Advisory is posted to the following lists: security-announce at lists.vmware.com bugtraq at securityfocus.com fulldisclosure at seclists.org E-mail: security at vmware.com PGP key at: https://kb.vmware.com/kb/1055 VMware Security Advisories http://www.vmware.com/security/advisories Consolidated list of VMware Security Advisories http://kb.vmware.com/kb/2078735 VMware Security Response Policy https://www.vmware.com/support/policies/security_response.html VMware Lifecycle Support Phases https://www.vmware.com/support/policies/lifecycle.html Twitter https://twitter.com/VMwareSRC Copyright 2016 VMware Inc. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: Encryption Desktop 10.3.2 (Build 21165) Charset: utf-8 wj8DBQFXWj/PDEcm8Vbi9kMRAnAIAJ41gvMcGGXT4455eNmt7tR48d8pmgCgun/W uMHWtNOrpA7NINIY+E8ASpo= =QmsU -----END PGP SIGNATURE----- _______________________________________________ Security-announce mailing list Security-announce-xEzmwC/hc7si8rCdYzckzA< at >public.gmane.org http://lists.vmware.com/mailman/listinfo/security-announce
New VMSA-2016-0007 VMware NSX and vCNS product updates address a critical information disclosure vulnerability
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - - ------------------------------------------------------------------------ Advisory ID: VMSA-2016-0007 Synopsis: VMware NSX and vCNS product updates address a critical information disclosure vulnerability Issue date: 2016-06-09 Updated on: 2016-06-09 (Initial Advisory) CVE number: CVE-2016-2079 1. Summary VMware NSX and vCNS product updates address a critical information disclosure vulnerability. 2. Relevant Releases NSX 6.2 prior to 6.2.3 NSX 6.1 prior to 6.1.7 vCNS 5.5.4 prior to 5.5.4.3 3. Problem Description a. VMware NSX and vCNS critical information disclosure vulnerability VMware NSX and vCNS with SSL-VPN enabled contain a critical input validation vulnerability. This issue may allow a remote attacker to gain access to sensitive information. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2016-2079 to this issue. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============ ========== ========== ============= NSX Edge 6.2 Any 6.2.3 NSX Edge 6.1 Any 6.1.7 vCNS Edge 5.5 Any 5.5.4.3 4. Solution Please review the patch/release notes for your product and version and verify the checksum of your downloaded file. VMware NSX Downloads: https://www.vmware.com/go/download-nsx-vsphere Documentation: https://www.vmware.com/support/pubs/nsx_pubs.html vCNS Downloads: https://www.vmware.com/go/download-vcd-ns Documentation: https://www.vmware.com/support/pubs/vshield_pubs.html 5. References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2079 - - - - - - ------------------------------------------------------------------------ 6. Change log 2016-06-09 VMSA-2016-0007 Initial security advisory in conjunction with the release of VMware NSX 6.2.3, 6.1.7 and vCNS 5.5.4.3 on 2016-06-09. - - - - - - ------------------------------------------------------------------------ 7. Contact E-mail list for product security notifications and announcements: http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce This Security Advisory is posted to the following lists: security-announce at lists.vmware.com bugtraq at securityfocus.com fulldisclosure at seclists.org E-mail: security at vmware.com PGP key at: https://kb.vmware.com/kb/1055 VMware Security Advisories http://www.vmware.com/security/advisories Consolidated list of VMware Security Advisories http://kb.vmware.com/kb/2078735 VMware Security Response Policy https://www.vmware.com/support/policies/security_response.html VMware Lifecycle Support Phases https://www.vmware.com/support/policies/lifecycle.html Twitter https://twitter.com/VMwareSRC Copyright 2016 VMware Inc. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: Encryption Desktop 10.3.2 (Build 21165) Charset: utf-8 wj8DBQFXWj8bDEcm8Vbi9kMRAstiAKC5ejIGTYxy1cyZICirCBe7ZZ0qHwCg3ohk /WKIK9nNhceGenKdZBakL04= =VsXF -----END PGP SIGNATURE-----? _______________________________________________ Security-announce mailing list Security-announce-xEzmwC/hc7si8rCdYzckzA< at >public.gmane.org http://lists.vmware.com/mailman/listinfo/security-announce
UPDATE: VMSA-2016-0005.3 – VMware product updates address critical and important security issues
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - -------------------------------------------------------------------------- VMware Security Advisory Advisory ID: VMSA-2016-0005.3 Synopsis: VMware product updates address critical and important security issues Issue date: 2016-05-17 Updated on: 2016-06-03 CVE number: CVE-2016-3427, CVE-2016-2077 - ------------------------------------------------------------------------ 1. Summary VMware product updates address critical and important security issues. 2. Relevant Releases vCenter Server 6.0 on Windows without workaround of KB 2145343 vCenter Server 6.0 on Linux (VCSA) prior to 6.0.0b vCenter Server 5.5 prior to 5.5 U3d (on Windows), 5.5 U3 (VCSA) vCenter Server 5.1 prior to 5.1 U3b vCenter Server 5.0 prior to 5.0 U3e vCloud Director prior to 8.0.1.1 vCloud Director prior to 5.6.5.1 vCloud Director prior to 5.5.6.1 vSphere Replication prior to 6.1.1 vSphere Replication prior to 6.0.0.3 vSphere Replication prior to 5.8.1.2 vSphere Replication prior to 5.6.0.6 vRealize Operations Manager 6.x (non-appliance version) vRealize Infrastructure Navigator prior to 5.8.6 VMware Workstation prior to 11.1.3 VMware Player prior to 7.1.3 3. Problem Description a. Critical JMX issue when deserializing authentication credentials The RMI server of Oracle JRE JMX deserializes any class when deserializing authentication credentials. This may allow a remote, unauthenticated attacker to cause deserialization flaws and execute their commands. Workarounds CVE-2016-3427 vCenter Server Apply the steps of VMware Knowledge Base article 2145343 to vCenter Server 6.0 on Windows. See the table below for the specific vCenter Server 6.0 versions on Windows this applies to. vCloud Director No workaround identified vSphere Replication No workaround identified vRealize Operations Manager (non-appliance) The non-appliance version of vRealize Operations Manager (vROps), which can be installed on Windows and Linux has no default firewall. In order to remove the remote exploitation possibility, access to the following external ports will need to be blocked on the system where the non-appliance version of vROps is installed: - vROps 6.2.x: port 9004, 9005, 9006, 9007, 9008 - vROps 6.1.x: port 9004, 9005, 9007, 9008 - vROps 6.0.x: port 9004, 9005 Note: These ports are already blocked by default in the appliance version of vROps. vRealize Infrastructure Navigator No workaround identified The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2016-3427 to this issue. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ====================== ========= ======= ============= vCenter Server 6.0 Windows 6.0.0b + KB 2145343 * vCenter Server 6.0 Linux 6.0.0b vCenter Server 5.5 Windows (5.5 U3b + KB 2144428 **) or 5.5 U3d vCenter Server 5.5 Linux 5.5 U3 vCenter Server 5.1 Windows (5.1 U3b + KB 2144428 **) or 5.1U3d vCenter Server 5.1 Linux 5.1 U3b vCenter Server 5.0 Windows 5.0 U3e + KB 2144428 ** vCenter Server 5.0 Linux 5.0 U3e vCloud Director 8.0.x Linux 8.0.1.1 vCloud Director 5.6.x Linux 5.6.5.1 vCloud Director 5.5.x Linux 5.5.6.1 vSphere Replication 6.1.x Linux 6.1.1 *** vSphere Replication 6.0.x Linux 6.0.0.3 *** vSphere Replication 5.8.x Linux 5.8.1.2 *** vSphere Replication 5.6.x Linux 5.6.0.6 *** vROps (non-appliance) 6.x All Apply workaround vROps (appliance) 6.x Linux Not affected vRealize Infrastructure 5.8.x All 5.8.6 Navigator * Remote and local exploitation is feasible on vCenter Server 6.0 and 6.0.0a for Windows. Remote exploitation is not feasible on vCenter Server 6.0.0b (and above) for Windows but local exploitation is. The local exploitation possibility can be removed by applying the steps of KB 2145343 to vCenter Server 6.0.0b (and above) for Windows. ** See VMSA-2015-0007 for details. vCenter Server 5.5 U3d and 5.1 U3d running on Windows addresses CVE-2016-3427 without the need to install the additional patch of KB 2144428 documented in VMSA-2015-0007. *** vSphere Replication is affected if its vCloud Tunneling Agent is running, which is not enabled by default. This agent is used in environments that replicate data between the cloud and an on-premise datacenter. b. Important VMware Workstation and Player for Windows host privilege escalation vulnerability. VMware Workstation and Player for Windows do not properly reference one of their executables. This may allow a local attacker on the host to elevate their privileges. VMware would like to thank Andrew Smith of Sword & Shield Enterprise Security for reporting this issue to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2016-2077 to this issue. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ================== ======= ======= ================= VMware Workstation 12.x any not affected VMware Workstation 11.x Windows 11.1.3 VMware Workstation 11.x Linux not affected VMware Player 8.x any not affected VMware Player 7.x Windows 7.1.3 VMware Player 7.x Linux not affected 4. Solution Please review the patch/release notes for your product and version and verify the checksum of your downloaded file. vCenter Server -------------- Downloads and Documentation: https://www.vmware.com/go/download-vsphere vCloud Director --------------- Downloads and Documentation: https://www.vmware.com/go/download/vcloud-director vSphere Replication ------------------- Downloads and Documentation: https://my.vmware.com/web/vmware/get-download?downloadGroup=VR611 https://my.vmware.com/web/vmware/get-download?downloadGroup=VR6003 https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5812 https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5606 https://www.vmware.com/support/pubs/vsphere-replication-pubs.html vRealize Infrastructure Navigator --------------------------------- Downloads and Documentation: https://my.vmware.com/web/vmware/details?downloadGroup=VIN_586&productId=54 2&rPId=11127 VMware Workstation ------------------------- Downloads and Documentation: https://www.vmware.com/go/downloadworkstation VMware Player ------------- Downloads and Documentation: https://www.vmware.com/go/downloadplayer 5. References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3427 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2077 VMware Security Advisory VMSA-2015-0007 http://www.vmware.com/security/advisories/VMSA-2015-0007.html VMware Knowledge Base article 2145343 kb.vmware.com/kb/2145343 VMware Knowledge Base article 2144428 kb.vmware.com/kb/2144428 - ------------------------------------------------------------------------ 6. Change log 2016-05-17 VMSA-2016-0005 Initial security advisory in conjunction with the release of VMware vCloud Director 8.0.1.1, 5.6.5.1, and 5.5.6.1, and vSphere Replication 6.0.0.3, 5.8.1.2, and 5.6.0.6 on 2016-05-17. 2016-05-24 VMSA-2016-0005.1 Updated security advisory in conjunction with the release of vSphere 5.1 U3d on 2016-05-24. vCenter Server 5.1 U3d running on Windows addresses CVE-2016-3427 without the need to install the additional patch. 2016-05-27 VMSA-2016-0005.2 Updated security advisory in conjunction with the release of vSphere Replication 6.1.1 on 2016-05-26. 2016-06-03 VMSA-2016-0005.3 Updated security advisory in conjunction with the release of vRealize Infrastructure Navigator 5.8.6 on 2016-06-02 - ------------------------------------------------------------------------ 7. Contact E-mail list for product security notifications and announcements: http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce This Security Advisory is posted to the following lists: security-announce at lists.vmware.com bugtraq at securityfocus.com fulldisclosure at seclists.org E-mail: security at vmware.com PGP key at: https://kb.vmware.com/kb/1055 VMware Security Advisories http://www.vmware.com/security/advisories Consolidated list of VMware Security Advisories http://kb.vmware.com/kb/2078735 VMware Security Response Policy https://www.vmware.com/support/policies/security_response.html VMware Lifecycle Support Phases https://www.vmware.com/support/policies/lifecycle.html Twitter https://twitter.com/VMwareSRC Copyright 2016 VMware Inc. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.8.3 (Build 4028) Charset: utf-8 wj8DBQFXUfNgDEcm8Vbi9kMRAuQ8AJsFuZLqvbAgpSDEku8sccEQvTQTewCg6ZeQ OPEXvu2rnhSu/qqOfWvgpsw= =+1IH -----END PGP SIGNATURE-----
UPDATE: VMSA-2016-0005.2 – VMware product updates address critical and important security issues
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - -------------------------------------------------------------------------- VMware Security Advisory Advisory ID: VMSA-2016-0005.2 Synopsis: VMware product updates address critical and important security issues Issue date: 2016-05-17 Updated on: 2016-05-27 CVE number: CVE-2016-3427, CVE-2016-2077 - ------------------------------------------------------------------------ 1. Summary VMware product updates address critical and important security issues. 2. Relevant Releases vCenter Server 6.0 on Windows without workaround of KB 2145343 vCenter Server 6.0 on Linux (VCSA) prior to 6.0.0b vCenter Server 5.5 prior to 5.5 U3d (on Windows), 5.5 U3 (VCSA) vCenter Server 5.1 prior to 5.1 U3b vCenter Server 5.0 prior to 5.0 U3e vCloud Director prior to 8.0.1.1 vCloud Director prior to 5.6.5.1 vCloud Director prior to 5.5.6.1 vSphere Replication prior to 6.1.1 vSphere Replication prior to 6.0.0.3 vSphere Replication prior to 5.8.1.2 vSphere Replication prior to 5.6.0.6 vRealize Operations Manager 6.x (non-appliance version) VMware Workstation prior to 11.1.3 VMware Player prior to 7.1.3 3. Problem Description a. Critical JMX issue when deserializing authentication credentials The RMI server of Oracle JRE JMX deserializes any class when deserializing authentication credentials. This may allow a remote, unauthenticated attacker to cause deserialization flaws and execute their commands. Workarounds CVE-2016-3427 vCenter Server Apply the steps of VMware Knowledge Base article 2145343 to vCenter Server 6.0 on Windows. See the table below for the specific vCenter Server 6.0 versions on Windows this applies to. vCloud Director No workaround identified vSphere Replication No workaround identified vRealize Operations Manager (non-appliance) The non-appliance version of vRealize Operations Manager (vROps), which can be installed on Windows and Linux has no default firewall. In order to remove the remote exploitation possibility, access to the following external ports will need to be blocked on the system where the non-appliance version of vROps is installed: - vROps 6.2.x: port 9004, 9005, 9006, 9007, 9008 - vROps 6.1.x: port 9004, 9005, 9007, 9008 - vROps 6.0.x: port 9004, 9005 Note: These ports are already blocked by default in the appliance version of vROps. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2016-3427 to this issue. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ====================== ========= ======= ============= vCenter Server 6.0 Windows 6.0.0b + KB 2145343 * vCenter Server 6.0 Linux 6.0.0b vCenter Server 5.5 Windows (5.5 U3b + KB 2144428 **) or 5.5 U3d vCenter Server 5.5 Linux 5.5 U3 vCenter Server 5.1 Windows (5.1 U3b + KB 2144428 **) or 5.1U3d vCenter Server 5.1 Linux 5.1 U3b vCenter Server 5.0 Windows 5.0 U3e + KB 2144428 ** vCenter Server 5.0 Linux 5.0 U3e vCloud Director 8.0.x Linux 8.0.1.1 vCloud Director 5.6.x Linux 5.6.5.1 vCloud Director 5.5.x Linux 5.5.6.1 vSphere Replication 6.1.x Linux 6.1.1 *** vSphere Replication 6.0.x Linux 6.0.0.3 *** vSphere Replication 5.8.x Linux 5.8.1.2 *** vSphere Replication 5.6.x Linux 5.6.0.6 *** vROps (non-appliance) 6.x All Apply workaround vROps (appliance) 6.x Linux Not affected * Remote and local exploitation is feasible on vCenter Server 6.0 and 6.0.0a for Windows. Remote exploitation is not feasible on vCenter Server 6.0.0b (and above) for Windows but local exploitation is. The local exploitation possibility can be removed by applying the steps of KB 2145343 to vCenter Server 6.0.0b (and above) for Windows. ** See VMSA-2015-0007 for details. vCenter Server 5.5 U3d and 5.1 U3d running on Windows addresses CVE-2016-3427 without the need to install the additional patch of KB 2144428 documented in VMSA-2015-0007. *** vSphere Replication is affected if its vCloud Tunneling Agent is running, which is not enabled by default. This agent is used in environments that replicate data between the cloud and an on-premise datacenter. b. Important VMware Workstation and Player for Windows host privilege escalation vulnerability. VMware Workstation and Player for Windows do not properly reference one of their executables. This may allow a local attacker on the host to elevate their privileges. VMware would like to thank Andrew Smith of Sword & Shield Enterprise Security for reporting this issue to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2016-2077 to this issue. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ================== ======= ======= ================= VMware Workstation 12.x any not affected VMware Workstation 11.x Windows 11.1.3 VMware Workstation 11.x Linux not affected VMware Player 8.x any not affected VMware Player 7.x Windows 7.1.3 VMware Player 7.x Linux not affected 4. Solution Please review the patch/release notes for your product and version and verify the checksum of your downloaded file. vCenter Server -------------- Downloads and Documentation: https://www.vmware.com/go/download-vsphere vCloud Director --------------- Downloads and Documentation: https://www.vmware.com/go/download/vcloud-director vSphere Replication ------------------- Downloads and Documentation: https://my.vmware.com/web/vmware/get-download?downloadGroup=VR611 https://my.vmware.com/web/vmware/get-download?downloadGroup=VR6003 https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5812 https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5606 https://www.vmware.com/support/pubs/vsphere-replication-pubs.html VMware Workstation ------------------------- Downloads and Documentation: https://www.vmware.com/go/downloadworkstation VMware Player ------------- Downloads and Documentation: https://www.vmware.com/go/downloadplayer 5. References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3427 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2077 VMware Security Advisory VMSA-2015-0007 http://www.vmware.com/security/advisories/VMSA-2015-0007.html VMware Knowledge Base article 2145343 kb.vmware.com/kb/2145343 VMware Knowledge Base article 2144428 kb.vmware.com/kb/2144428 - ------------------------------------------------------------------------ 6. Change log 2016-05-17 VMSA-2016-0005 Initial security advisory in conjunction with the release of VMware vCloud Director 8.0.1.1, 5.6.5.1, and 5.5.6.1, and vSphere Replication 6.0.0.3, 5.8.1.2, and 5.6.0.6 on 2016-05-17. 2016-05-24 VMSA-2016-0005.1 Updated security advisory in conjunction with the release of vSphere 5.1 U3d on 2016-05-24. vCenter Server 5.1 U3d running on Windows addresses CVE-2016-3427 without the need to install the additional patch. 2016-05-27 VMSA-2016-0005.2 Updated security advisory in conjunction with the release of vSphere Replication 6.1.1 on 2016-05-26. - ------------------------------------------------------------------------ 7. Contact E-mail list for product security notifications and announcements: http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce This Security Advisory is posted to the following lists: security-announce at lists.vmware.com bugtraq at securityfocus.com fulldisclosure at seclists.org E-mail: security at vmware.com PGP key at: https://kb.vmware.com/kb/1055 VMware Security Advisories http://www.vmware.com/security/advisories Consolidated list of VMware Security Advisories http://kb.vmware.com/kb/2078735 VMware Security Response Policy https://www.vmware.com/support/policies/security_response.html VMware Lifecycle Support Phases https://www.vmware.com/support/policies/lifecycle.html Twitter https://twitter.com/VMwareSRC Copyright 2016 VMware Inc. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.8.3 (Build 4028) Charset: utf-8 wj8DBQFXSJIHDEcm8Vbi9kMRAt8oAJ9cSrgfC5OlS+lgV8O+6uxcGt5CdQCggsNB iQZm8gTv4gEEKxa2Af9YbSQ= =8szQ -----END PGP SIGNATURE-----
UPDATED VMSA-2016-0005.1 VMware product updates address critical and important security issues
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 -------------------------------------------------------------------------- VMware Security Advisory Advisory ID: VMSA-2016-0005.1 Synopsis: VMware product updates address critical and important security issues Issue date: 2016-05-17 Updated on: 2016-05-24 CVE number: CVE-2016-3427, CVE-2016-2077 - ------------------------------------------------------------------------ 1. Summary VMware product updates address critical and important security issues. 2. Relevant Releases vCenter Server 6.0 on Windows without workaround of KB 2145343 vCenter Server 6.0 on Linux (VCSA) prior to 6.0.0b vCenter Server 5.5 prior to 5.5 U3d (on Windows), 5.5 U3 (VCSA) vCenter Server 5.1 prior to 5.1 U3b vCenter Server 5.0 prior to 5.0 U3e vCloud Director prior to 8.0.1.1 vCloud Director prior to 5.6.5.1 vCloud Director prior to 5.5.6.1 vSphere Replication prior to 6.0.0.3 vSphere Replication prior to 5.8.1.2 vSphere Replication prior to 5.6.0.6 vRealize Operations Manager 6.x (non-appliance version) VMware Workstation prior to 11.1.3 VMware Player prior to 7.1.3 3. Problem Description a. Critical JMX issue when deserializing authentication credentials The RMI server of Oracle JRE JMX deserializes any class when deserializing authentication credentials. This may allow a remote, unauthenticated attacker to cause deserialization flaws and execute their commands. Workarounds CVE-2016-3427 vCenter Server Apply the steps of VMware Knowledge Base article 2145343 to vCenter Server 6.0 on Windows. See the table below for the specific vCenter Server 6.0 versions on Windows this applies to. vCloud Director No workaround identified vSphere Replication No workaround identified vRealize Operations Manager (non-appliance) The non-appliance version of vRealize Operations Manager (vROps), which can be installed on Windows and Linux has no default firewall. In order to remove the remote exploitation possibility, access to the following external ports will need to be blocked on the system where the non-appliance version of vROps is installed: - vROps 6.2.x: port 9004, 9005, 9006, 9007, 9008 - vROps 6.1.x: port 9004, 9005, 9007, 9008 - vROps 6.0.x: port 9004, 9005 Note: These ports are already blocked by default in the appliance version of vROps. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2016-3427 to this issue. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ====================== ========= ======= ============= vCenter Server 6.0 Windows 6.0.0b + KB 2145343 * vCenter Server 6.0 Linux 6.0.0b vCenter Server 5.5 Windows (5.5 U3b + KB 2144428 **) or 5.5 U3d vCenter Server 5.5 Linux 5.5 U3 vCenter Server 5.1 Windows (5.1 U3b + KB 2144428 **) or 5.1U3d vCenter Server 5.1 Linux 5.1 U3b vCenter Server 5.0 Windows 5.0 U3e + KB 2144428 ** vCenter Server 5.0 Linux 5.0 U3e vCloud Director 8.0.x Linux 8.0.1.1 vCloud Director 5.6.x Linux 5.6.5.1 vCloud Director 5.5.x Linux 5.5.6.1 vSphere Replication 6.1.x Linux patch pending *** vSphere Replication 6.0.x Linux 6.0.0.3 *** vSphere Replication 5.8.x Linux 5.8.1.2 *** vSphere Replication 5.6.x Linux 5.6.0.6 *** vROps (non-appliance) 6.x All Apply workaround vROps (appliance) 6.x Linux Not affected * Remote and local exploitation is feasible on vCenter Server 6.0 and 6.0.0a for Windows. Remote exploitation is not feasible on vCenter Server 6.0.0b (and above) for Windows but local exploitation is. The local exploitation possibility can be removed by applying the steps of KB 2145343 to vCenter Server 6.0.0b (and above) for Windows. ** See VMSA-2015-0007 for details. vCenter Server 5.5 U3d and 5.1 U3d running on Windows addresses CVE-2016-3427 without the need to install the additional patch of KB 2144428 documented in VMSA-2015-0007. *** vSphere Replication is affected if its vCloud Tunneling Agent is running, which is not enabled by default. This agent is used in environments that replicate data between the cloud and an on-premise datacenter. b. Important VMware Workstation and Player for Windows host privilege escalation vulnerability. VMware Workstation and Player for Windows do not properly reference one of their executables. This may allow a local attacker on the host to elevate their privileges. VMware would like to thank Andrew Smith of Sword & Shield Enterprise Security for reporting this issue to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2016-2077 to this issue. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ================== ======= ======= ================= VMware Workstation 12.x any not affected VMware Workstation 11.x Windows 11.1.3 VMware Workstation 11.x Linux not affected VMware Player 8.x any not affected VMware Player 7.x Windows 7.1.3 VMware Player 7.x Linux not affected 4. Solution Please review the patch/release notes for your product and version and verify the checksum of your downloaded file. vCenter Server -------------- Downloads and Documentation: https://www.vmware.com/go/download-vsphere vCloud Director --------------- Downloads and Documentation: https://www.vmware.com/go/download/vcloud-director vSphere Replication ------------------- Downloads and Documentation: https://my.vmware.com/web/vmware/get-download?downloadGroup=VR6003 https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5812 https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5606 https://www.vmware.com/support/pubs/vsphere-replication-pubs.html VMware Workstation ------------------------- Downloads and Documentation: https://www.vmware.com/go/downloadworkstation VMware Player ------------- Downloads and Documentation: https://www.vmware.com/go/downloadplayer 5. References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3427 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2077 VMware Security Advisory VMSA-2015-0007 http://www.vmware.com/security/advisories/VMSA-2015-0007.html VMware Knowledge Base article 2145343 kb.vmware.com/kb/2145343 VMware Knowledge Base article 2144428 kb.vmware.com/kb/2144428 - ------------------------------------------------------------------------ 6. Change log 2016-05-17 VMSA-2016-0005 Initial security advisory in conjunction with the release of VMware vCloud Director 8.0.1.1, 5.6.5.1, and 5.5.6.1, and vSphere Replication 6.0.0.3, 5.8.1.2, and 5.6.0.6 on 2016-05-17. 2016-05-24 VMSA-2016-0005.1 Updated security advisory in conjunction with the release of vSphere 5.1 U3d on 2016-05-24. vCenter Server 5.1 U3d running on Windows addresses CVE-2016-3427 without the need to install the additional patch. - ------------------------------------------------------------------------ 7. Contact E-mail list for product security notifications and announcements: http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce This Security Advisory is posted to the following lists: security-announce at lists.vmware.com bugtraq at securityfocus.com fulldisclosure at seclists.org E-mail: security at vmware.com PGP key at: https://kb.vmware.com/kb/1055 VMware Security Advisories http://www.vmware.com/security/advisories Consolidated list of VMware Security Advisories http://kb.vmware.com/kb/2078735 VMware Security Response Policy https://www.vmware.com/support/policies/security_response.html VMware Lifecycle Support Phases https://www.vmware.com/support/policies/lifecycle.html Twitter https://twitter.com/VMwareSRC Copyright 2016 VMware Inc. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.8.3 (Build 4028) Charset: utf-8 wj8DBQFXRBrxDEcm8Vbi9kMRArdBAJ9folVLwEJ96XeQYcXgYZVhb91muQCgrCgl 6lMvZLSvXOxYO8jc6xakF5o= =sGc+ -----END PGP SIGNATURE----- _______________________________________________ Security-announce mailing list Security-announce-xEzmwC/hc7si8rCdYzckzA< at >public.gmane.org http://lists.vmware.com/mailman/listinfo/security-announce
UPDATED VMSA-2015-0007.5 – VMware vCenter and ESXi updates address critical security issues
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------------ VMware Security Advisory Advisory ID: VMSA-2015-0007.5 Synopsis: VMware vCenter and ESXi updates address critical security issues Issue date: 2015-10-01 Updated on: 2016-05-24 CVE number: CVE-2015-5177 CVE-2015-2342 CVE-2015-1047 - ------------------------------------------------------------------------ 1. Summary VMware vCenter and ESXi updates address critical security issues. NOTE: See section 3.b for a critical update on an incomplete fix for the JMX RMI issue. 2. Relevant Releases VMware ESXi 5.5 without patch ESXi550-201509101-SG VMware ESXi 5.1 without patch ESXi510-201510101-SG VMware ESXi 5.0 without patch ESXi500-201510101-SG VMware vCenter Server 6.0 prior to version 6.0.0b VMware vCenter Server 5.5 prior to version 5.5 update 3 VMware vCenter Server 5.1 prior to version 5.1 update u3b VMware vCenter Server 5.0 prior to version 5.0 update u3e 3. Problem Description a. VMWare ESXi OpenSLP Remote Code Execution VMware ESXi contains a double free flaw in OpenSLP's SLPDProcessMessage() function. Exploitation of this issue may allow an unauthenticated attacker to remotely execute code on the ESXi host. VMware would like to thank Qinghao Tang of QIHU 360 for reporting this issue to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2015-5177 to this issue. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======= ======= ================= ESXi 6.0 ESXi not affected ESXi 5.5 ESXi ESXi550-201509101-SG* ESXi 5.1 ESXi ESXi510-201510101-SG ESXi 5.0 ESXi ESXi500-201510101-SG * Customers who have installed the complete set of ESXi 5.5 U3 Bulletins, please review VMware KB 2133118. KB 2133118 documents a known non-security issue and provides a solution. b. VMware vCenter Server JMX RMI Remote Code Execution VMware vCenter Server contains a remotely accessible JMX RMI service that is not securely configured. An unauthenticated remote attacker who is able to connect to the service may be able to use it to execute arbitrary code on the vCenter Server. A local attacker may be able to elevate their privileges on vCenter Server. vCenter Server Appliance (vCSA) 5.1, 5.5 and 6.0 has remote access to the JMX RMI service (port 9875) blocked by default. VMware would like to thank Doug McLeod of 7 Elements Ltd and an anonymous researcher working through HP's Zero Day Initiative for reporting this issue to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2015-2342 to this issue. CRITICAL UPDATE VMSA-2015-0007.2 and earlier versions of this advisory documented that CVE-2015-2342 was addressed in vCenter Server 5.0 U3e, 5.1 U3b, and 5.5 U3. Subsequently, it was found that the fix for CVE-2015-2342 in vCenter Server 5.0 U3e, 5.1 U3b, and 5.5 U3/U3a/U3b running on Windows was incomplete and did not address the issue. In order to address the issue on these versions of vCenter Server Windows, an additional patch must be installed. This additional patch is available from VMware Knowledge Base (KB) article 2144428. Alternatively, on vSphere 5.5 updating to vCenter Server 5.5 U3d running on Windows will remediate the issue. In case the Windows Firewall is enabled on the system that has vCenter Server Windows installed, remote exploitation of CVE-2015-2342 is not possible. Even if the Windows Firewall is enabled, users are advised to install the additional patch in order to remove the local privilege elevation. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======= ======= =============== VMware vCenter Server 6.0 Any 6.0.0b and above VMware vCenter Server 5.5 Windows (5.5 U3/U3a/U3b + KB*) or 5.5 U3d VMware vCenter Server 5.5 Linux 5.5 U3 and above VMware vCenter Server 5.1 Windows (5.1 U3b + KB*) or 5.1 U3d VMware vCenter Server 5.1 Linux 5.1 U3b VMware vCenter Server 5.0 Windows 5.0 U3e + KB* VMware vCenter Server 5.0 Linux 5.0 U3e * An additional patch provided in VMware KB article 2144428 must be installed on vCenter Server Windows 5.0 U3e, 5.1 U3b, 5.5 U3, 5.5 U3a, and 5.5 U3b in order to remediate CVE-2015-2342. This patch is not needed when updating to 5.1 U3d or 5.5 U3d, or when installing 5.1 U3d or 5.5 U3d. c. VMware vCenter Server vpxd denial-of-service vulnerability VMware vCenter Server does not properly sanitize long heartbeat messages. Exploitation of this issue may allow an unauthenticated attacker to create a denial-of-service condition in the vpxd service. VMware would like to thank the Google Security Team for reporting this issue to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2015-1047 to this issue. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======= ======= ============== VMware vCenter Server 6.0 Any not affected VMware vCenter Server 5.5 Any 5.5u2 VMware vCenter Server 5.1 Any 5.1u3 VMware vCenter Server 5.0 Any 5.0u3e 4. Solution Please review the patch/release notes for your product and version and verify the checksum of your downloaded file. ESXi -------------------------------- Downloads: https://www.vmware.com/patchmgr/findPatch.portal Documentation: http://kb.vmware.com/kb/2110247 http://kb.vmware.com/kb/2114875 http://kb.vmware.com/kb/2120209 vCenter Server -------------------------------- Downloads and Documentation: https://www.vmware.com/go/download-vsphere 5. References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5177 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2342 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1047 VMware Knowledge Base articles http://kb.vmware.com/kb/2133118 http://kb.vmware.com/kb/2144428 - ------------------------------------------------------------------------ 6. Change log 2015-10-01 VMSA-2015-0007 Initial security advisory in conjunction with ESXi 5.0, 5.1 patches and VMware vCenter Server 5.1 u3b, 5.0 u3e on 2015-10-01. 2015-10-06 VMSA-2015-0007.1 Updated security advisory in conjunction with the release of ESXi 5.5 U3a on 2015-10-06. Added a note to section 3.a to alert customers to a non-security issue in ESXi 5.5 U3 that is addressed in ESXi 5.5 U3a. 2015-10-20 VMSA-2015-0007.2 Updated security advisory to reflect that CVE-2015-2342 is fixed in an earlier vCenter Server version (6.0.0b) than originally reported (6.0 U1) and that the port required to exploit the vulnerability is blocked in the appliance versions of the software (5.1 and above). 2016-02-12 VMSA-2015-0007.3 Updated security advisory to add that an additional patch is required on vCenter Server 5.0 U3e, 5.1 U3b and 5.5 U3/U3a/U3b running on Windows to remediate CVE-2015-2342. 2016-04-27 VMSA-2015-0007.4 Updated security advisory to add that vCenter Server 5.5 U3d running on Windows addresses CVE-2105-2342 without the need to install the additional patch. 2016-05-24 VMSA-2015-0007.5 Updated security advisory to add that vCenter Server 5.1 U3d running on Windows addresses CVE-2105-2342 without the need to install the additional patch. - ------------------------------------------------------------------------ 7. Contact E-mail list for product security notifications and announcements: http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce This Security Advisory is posted to the following lists: security-announce at lists.vmware.com bugtraq at securityfocus.com fulldisclosure at seclists.org E-mail: security at vmware.com PGP key at: http://kb.vmware.com/kb/1055 VMware Security Advisories http://www.vmware.com/security/advisories Consolidated list of VMware Security Advisories http://kb.vmware.com/kb/2078735 VMware Security Response Policy https://www.vmware.com/support/policies/security_response.html VMware Lifecycle Support Phases https://www.vmware.com/support/policies/lifecycle.html Twitter https://twitter.com/VMwareSRC Copyright 2015 VMware Inc. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.8.3 (Build 4028) Charset: utf-8 wj8DBQFXRByjDEcm8Vbi9kMRAsoKAKC9iaRAMLJetgtRzBCU2cIehlGbbgCgys8M T/+fEa9BVET8o1dbp8MPwqQ= =SJBs -----END PGP SIGNATURE----- _______________________________________________ Security-announce mailing list Security-announce-xEzmwC/hc7si8rCdYzckzA< at >public.gmane.org http://lists.vmware.com/mailman/listinfo/security-announce