Category Archives: VMWare

VMWare

UPDATE VMSA-2016-0005.4 VMware product updates address critical and important security issues

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID: VMSA-2016-0005.4
Synopsis:    VMware product updates address critical and important
             security issues
Issue date:  2016-05-17
Updated on:  2016-06-14
CVE number:  CVE-2016-3427, CVE-2016-2077
- ------------------------------------------------------------------------

1. Summary

   VMware product updates address critical and important
   security issues.

2. Relevant Releases

   vCenter Server 6.0 on Windows without workaround of KB 2145343
   vCenter Server 6.0 on Linux (VCSA) prior to 6.0.0b
   vCenter Server 5.5 prior to 5.5 U3d (on Windows), 5.5 U3 (VCSA)
   vCenter Server 5.1 prior to 5.1 U3b
   vCenter Server 5.0 prior to 5.0 U3e

   vCloud Director prior to 8.0.1.1
   vCloud Director prior to 5.6.5.1
   vCloud Director prior to 5.5.6.1

   vSphere Replication prior to 6.1.1
   vSphere Replication prior to 6.0.0.3
   vSphere Replication prior to 5.8.1.2
   vSphere Replication prior to 5.6.0.6

   vRealize Operations Manager 6.x (non-appliance version)

   vRealize Infrastructure Navigator prior to 5.8.6

   VMware Workstation prior to 11.1.3

   VMware Player prior to 7.1.3


3. Problem Description

   a. Critical JMX issue when deserializing authentication credentials

      The RMI server of Oracle JRE JMX deserializes any class when
      deserializing authentication credentials. This may allow a remote,
      unauthenticated attacker to cause deserialization flaws and execute
      their commands.

      Workarounds CVE-2016-3427

      vCenter Server
      Apply the steps of VMware Knowledge Base article 2145343 to vCenter
      Server 6.0 on Windows. See the table below for the specific vCenter
      Server 6.0 versions on Windows this applies to.

      vCloud Director
      No workaround identified

      vSphere Replication
      No workaround identified

      vRealize Operations Manager (non-appliance)
      The non-appliance version of vRealize Operations Manager (vROps),
      which can be installed on Windows and Linux has no default
      firewall. In order to remove the remote exploitation possibility,
      access to the following external ports will need to be blocked on
      the system where the non-appliance version of vROps is installed:
         - vROps 6.2.x: port 9004, 9005, 9006, 9007, 9008
         - vROps 6.1.x: port 9004, 9005, 9007, 9008
         - vROps 6.0.x: port 9004, 9005
      Note: These ports are already blocked by default in the appliance
      version of vROps.

      vRealize Infrastructure Navigator
      No workaround identified

      The Common Vulnerabilities and Exposures project (cve.mitre.org) has
      assigned the identifier CVE-2016-3427 to this issue.

      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is
      available.

      VMware                  Product    Running   Replace with/
      Product                 Version    on        Apply Patch
      ======================  =========  =======   =============
      vCenter Server          6.0        Windows   6.0.0b + KB 2145343 *
      vCenter Server          6.0        Linux     6.0.0b
      vCenter Server          5.5        Windows   (5.5 U3b + KB 2144428
**)
                                                   or 5.5 U3d
      vCenter Server          5.5        Linux     5.5 U3
      vCenter Server          5.1        Windows   (5.1 U3b + KB 2144428
**)
                                                   or 5.1U3d
      vCenter Server          5.1        Linux     5.1 U3b
      vCenter Server          5.0        Windows   (5.0 U3e + KB 2144428
**)
                                                   or 5.0 U3g
      vCenter Server          5.0        Linux     5.0 U3e

      vCloud Director         8.0.x      Linux     8.0.1.1
      vCloud Director         5.6.x      Linux     5.6.5.1
      vCloud Director         5.5.x      Linux     5.5.6.1

      vSphere Replication     6.1.x      Linux     6.1.1 ***
      vSphere Replication     6.0.x      Linux     6.0.0.3 ***
      vSphere Replication     5.8.x      Linux     5.8.1.2 ***
      vSphere Replication     5.6.x      Linux     5.6.0.6 ***

      vROps (non-appliance)   6.x        All       Apply workaround
      vROps (appliance)       6.x        Linux     Not affected

      vRealize Infrastructure 5.8.x      All       5.8.6
      Navigator


    * Remote and local exploitation is feasible on vCenter Server 6.0 and
      6.0.0a for Windows. Remote exploitation is not feasible on vCenter
      Server 6.0.0b (and above) for Windows but local exploitation is. The
      local exploitation possibility can be removed by applying the steps
      of KB 2145343 to vCenter Server 6.0.0b (and above) for Windows.

   ** See VMSA-2015-0007 for details.
      vCenter Server 5.5 U3d, 5.1 U3d, and 5.0 U3g running on Windows
      address CVE-2016-3427 without the need to install the additional
      patch of KB 2144428 documented in VMSA-2015-0007.

  *** vSphere Replication is affected if its vCloud Tunneling Agent
      is running, which is not enabled by default. This agent is used
      in environments that replicate data between the cloud and an
      on-premise datacenter.


   b. Important VMware Workstation and Player for Windows host privilege
      escalation vulnerability.

      VMware Workstation and Player for Windows do not properly reference
      one of their executables. This may allow a local attacker on the host
      to elevate their privileges.

      VMware would like to thank Andrew Smith of Sword & Shield Enterprise
      Security for reporting this issue to us.

      The Common Vulnerabilities and Exposures project (cve.mitre.org)
      has assigned the identifier CVE-2016-2077 to this issue.

      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is
      available.

      VMware                      Product    Running   Replace with/
      Product                     Version    on        Apply Patch
      ==================          =======    =======   =================
      VMware Workstation          12.x       any       not affected
      VMware Workstation          11.x       Windows   11.1.3
      VMware Workstation          11.x       Linux     not affected

      VMware Player               8.x        any       not affected
      VMware Player               7.x        Windows   7.1.3
      VMware Player               7.x        Linux     not affected


4. Solution

   Please review the patch/release notes for your product and
   version and verify the checksum of your downloaded file.

   vCenter Server
   --------------
   Downloads and Documentation:
   https://www.vmware.com/go/download-vsphere

   vCloud Director
   ---------------
   Downloads and Documentation:
   https://www.vmware.com/go/download/vcloud-director

   vSphere Replication
   -------------------
   Downloads and Documentation:
   https://my.vmware.com/web/vmware/get-download?downloadGroup=VR611
   https://my.vmware.com/web/vmware/get-download?downloadGroup=VR6003
   https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5812
   https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5606
   https://www.vmware.com/support/pubs/vsphere-replication-pubs.html

   vRealize Infrastructure Navigator
   ---------------------------------
   Downloads and Documentation:
  
https://my.vmware.com/web/vmware/details?downloadGroup=VIN_586&productId=54
2&rPId=11127

   VMware Workstation
   -------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/downloadworkstation

   VMware Player
   -------------
   Downloads and Documentation:
   https://www.vmware.com/go/downloadplayer

5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3427
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2077

   VMware Security Advisory VMSA-2015-0007
   http://www.vmware.com/security/advisories/VMSA-2015-0007.html

   VMware Knowledge Base article 2145343
   kb.vmware.com/kb/2145343

   VMware Knowledge Base article 2144428
   kb.vmware.com/kb/2144428

- ------------------------------------------------------------------------

6. Change log

   2016-05-17 VMSA-2016-0005
   Initial security advisory in conjunction with the release of VMware
   vCloud Director 8.0.1.1, 5.6.5.1, and 5.5.6.1, and vSphere
   Replication 6.0.0.3, 5.8.1.2, and 5.6.0.6 on 2016-05-17.

   2016-05-24 VMSA-2016-0005.1
   Updated security advisory in conjunction with the release of vSphere
   5.1 U3d on 2016-05-24. vCenter Server 5.1 U3d running on
   Windows addresses CVE-2016-3427 without the need to install the
   additional patch.

   2016-05-27 VMSA-2016-0005.2
   Updated security advisory in conjunction with the release of vSphere
   Replication 6.1.1 on 2016-05-26.

   2016-06-03 VMSA-2016-0005.3
   Updated security advisory in conjunction with the release of vRealize
   Infrastructure Navigator 5.8.6 on 2016-06-02

   2016-06-14 VMSA-2016-0005.4
   Updated security advisory in conjunction with the release of vSphere
   5.0 U3g on 2016-06-14. vCenter Server 5.0 U3g running on
   Windows addresses CVE-2016-3427 without the need to install the
   additional patch.

- ------------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

    security-announce at lists.vmware.com
    bugtraq at securityfocus.com
    fulldisclosure at seclists.org

   E-mail: security at vmware.com
   PGP key at: https://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   Consolidated list of VMware Security Advisories
   http://kb.vmware.com/kb/2078735

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html

   Twitter
   https://twitter.com/VMwareSRC

   Copyright 2016 VMware Inc.  All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8

wj8DBQFXYOFvDEcm8Vbi9kMRAuovAKDtHfrRsPdxfY8NrfTvxUGH8CiQaQCdGoZY
YdbtA9ZFozV6QqTZMD+G7Nk=
=EBfq
-----END PGP SIGNATURE-----

NEW VMSA-2016-0009 VMware vCenter Server updates address an important reflective cross-site scripting issue

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -----------------------------------------------------------------------
VMware Security Advisory

Advisory ID: VMSA-2016-0009
Synopsis:    VMware vCenter Server updates address an important
             reflective cross-site scripting issue
Issue date:  2016-06-14
Updated on:  2016-06-14 (Initial Advisory)
CVE number:  CVE-2015-6931
- ------------------------------------------------------------------------

1. Summary

   VMware vCenter Server updates address an important reflective
   cross-site scripting issue.

2. Relevant Releases

   vCenter Server 5.5 prior to 5.5 update 2d
   vCenter Server 5.1 prior to 5.1 update 3d
   vCenter Server 5.0 prior to 5.0 update 3g


3. Problem Description

   a. Important vCenter Server reflected cross-site scripting issue

   The vSphere Web Client contains a reflected cross-site scripting
   vulnerability due to a lack of input sanitization. An attacker can
   exploit this issue by tricking a victim into clicking a malicious
   link.

   VMware would like to thank Matt Schmidt for reporting this issue to
   us.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the identifier CVE-2015-6931 to this issue.

   Column 4 of the following table lists the action required to
   remediate the vulnerability in each release, if a solution is
   available.

   VMware             Product    Running   Replace with/
   Product            Version    on        Apply Patch
   ==============     =======    =======   =============
   vCenter Server     6.0        Any       not affected
   vCenter Server     5.5        Any       5.5 U2d *
   vCenter Server     5.1        Any       5.1 U3d *
   vCenter Server     5.0        Any       5.0 U3g *

   * The client side component of the vSphere Web Client does not need
     to be updated to remediate CVE-2015-6931. Updating the vCenter
     Server is sufficient to remediate this issue.


4. Solution

   Please review the patch/release notes for your product and
   version and verify the checksum of your downloaded file.

   vCenter Server
   --------------
   Downloads and Documentation:
   https://www.vmware.com/go/download-vsphere


5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6931

- ------------------------------------------------------------------------

6. Change log

   2016-06-14 VMSA-2016-0009
   Initial security advisory in conjunction with the release of VMware
   vCenter Server 5.0 U3g on 2016-06-14.

- ------------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

   security-announce at lists.vmware.com
   bugtraq at securityfocus.com
   fulldisclosure at seclists.org

   E-mail: security at vmware.com
   PGP key at: https://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   Consolidated list of VMware Security Advisories
   http://kb.vmware.com/kb/2078735

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html

   Twitter
   https://twitter.com/VMwareSRC

   Copyright 2016 VMware Inc.  All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8

wj8DBQFXYODdDEcm8Vbi9kMRAhi/AJ45s8NycL/AbvIawr+DK0QhGq19QwCeIJha
/NW3n6JSlZk+zaj6w33ZLyI=
=CSDo
-----END PGP SIGNATURE-----

UPDATED VMSA-2015-0009.3 VMware product updates address a critical deserialization vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID: VMSA-2015-0009.3
Synopsis:    VMware product updates address a critical deserialization
             vulnerability
Issue date:  2015-12-18
Updated on:  2016-06-14
CVE number:  CVE-2015-6934

- ------------------------------------------------------------------------

1. Summary

   VMware product updates address a critical deserialization
   vulnerability

2. Relevant Releases

   vRealize Orchestrator 6.x
   vCenter Orchestrator 5.x
   vRealize Operations 6.x
   vRealize Infrastructure Navigator 5.8.x

3. Problem Description

   a. Deserialization vulnerability

   A deserialization vulnerability involving Apache Commons-collections
   and a specially constructed chain of classes exists. Successful
   exploitation could result in remote code execution, with the
   permissions of the application using the Commons-collections library.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the identifier CVE-2015-6934 to this issue.

   Column 4 of the following table lists the action required to
   remediate the vulnerability in each release, if a solution is
   available.

   VMware                       Product   Running   Replace with/
   Product                      Version   on        Apply Patch
   =====================        =======   =======   =================
   vRealize Orchestrator        7.0       Any       Not Affected
   vRealize Orchestrator        6.x       Any       See KB2141244
   vCenter Orchestrator         5.x       Any       See KB2141244

   vRealize Operations          6.x       Windows   6.2 *
   vRealize Operations          6.x       Linux     Not Affected
   vCenter Operations           5.x       Any       Not Affected

   vCenter Application          7.x       Any       No patch planned *
   Discovery Manager (vADM)

   vRealize Infrastructure      5.8.x     Linux     5.8.5
   Navigator

   * Exploitation of the issue on vRealize Operations and vCenter
     Application Discovery Manager is limited to local privilege
escalation.

4. Solution

   Please review the patch/release notes for your product and
   version and verify the checksum of your downloaded file.

   vRealize Orchestrator 6.x and
   vCenter Orchestrator 5.x
   Downloads and Documentation:
   http://kb.vmware.com/kb/2141244

   vRealize Operations 6.x
   Release Notes
  
http://pubs.vmware.com/Release_Notes/en/vrops/62/vrops-62-release-notes.htm
l

   vRealize Infrastructure Navigator 5.8.5
   Release Notes
   http://pubs.vmware.com/Release_Notes/en/vin/585/releasenotes-vin585.html


5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6934

- ------------------------------------------------------------------------

6. Change log

   2015-12-18 VMSA-2015-0009
   Initial security advisory in conjunction with the release of vRealize
   Orchestrator 6.x and vCenter Orchestrator 5.x patches on 2015-12-18.

   2016-01-29 VMSA-2015-0009.1
   Updated security advisory in conjunction with the release of vRealize
   Operations 6.2 on 2016-01-28. Added a note below the table in
   section 3.a that exploitation of this issue in vCenter Application
   Discovery Manager is limited to local privilege escalation.

   2016-03-15 VMSA-2015-0009.2
   Updated security advisory to reflect the release of vRealize
   Infrastructure Navigator 5.8.5, which addresses CVE-2015-6934.

   2016-06-14 VMSA-2015-0009.3
   Updated security advisory to reflect that vCenter Operations 5.x is 
   not affected (earlier versions of this advisory said “Patch
   Pending”). Added that no patch is planned for vCenter Application
   Discovery Manager.

- ------------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

    security-announce at lists.vmware.com
    bugtraq at securityfocus.com
    fulldisclosure at seclists.org

   E-mail: security at vmware.com
   PGP key at: http://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   Consolidated list of VMware Security Advisories
   http://kb.vmware.com/kb/2078735

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html

   Twitter
   https://twitter.com/VMwareSRC

   Copyright 2015 VMware Inc.  All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8

wj8DBQFXYOHhDEcm8Vbi9kMRAiL6AJ954G5q+cy2y3J6+tfv5DW+fwJ71QCfTXuy
3mud0ovsyCQIhMCfTOjs0Jg=
=r5lg
-----END PGP SIGNATURE-----

UPDATED VMSA-2015-0007.6 VMware vCenter and ESXi updates address critical security issues

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID: VMSA-2015-0007.6
Synopsis:    VMware vCenter and ESXi updates address critical security
             issues
Issue date:  2015-10-01
Updated on:  2016-06-14
CVE number:  CVE-2015-5177 CVE-2015-2342 CVE-2015-1047
- ------------------------------------------------------------------------

1. Summary

   VMware vCenter and ESXi updates address critical security issues.

   NOTE: See section 3.b for a critical update on an incomplete fix
   for the JMX RMI issue.

2. Relevant Releases

   VMware ESXi 5.5 without patch ESXi550-201509101-SG
   VMware ESXi 5.1 without patch ESXi510-201510101-SG
   VMware ESXi 5.0 without patch ESXi500-201510101-SG

   VMware vCenter Server 6.0 prior to version 6.0.0b
   VMware vCenter Server 5.5 prior to version 5.5 update 3
   VMware vCenter Server 5.1 prior to version 5.1 update u3b
   VMware vCenter Server 5.0 prior to version 5.0 update u3e


3. Problem Description

   a. VMWare ESXi OpenSLP Remote Code Execution

      VMware ESXi contains a double free flaw in OpenSLP's
      SLPDProcessMessage() function. Exploitation of this issue may
      allow an unauthenticated attacker to remotely execute code on
      the ESXi host.

      VMware would like to thank Qinghao Tang of QIHU 360 for reporting
      this issue to us.

      The Common Vulnerabilities and Exposures project (cve.mitre.org)
      has assigned the identifier CVE-2015-5177 to this issue.

      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is
      available.

        VMware          Product Running   Replace with/
        Product         Version on        Apply Patch
        =============   =======   =======   =================
        ESXi            6.0       ESXi      not affected
        ESXi            5.5       ESXi      ESXi550-201509101-SG*
        ESXi            5.1       ESXi      ESXi510-201510101-SG
        ESXi            5.0       ESXi      ESXi500-201510101-SG

        * Customers who have installed the complete set of ESXi 5.5 U3
        Bulletins, please review VMware KB 2133118. KB 2133118 documents
        a known non-security issue and provides a solution.

   b. VMware vCenter Server JMX RMI Remote Code Execution

      VMware vCenter Server contains a remotely accessible JMX RMI
      service that is not securely configured. An unauthenticated remote
      attacker who is able to connect to the service may be able to use
      it to execute arbitrary code on the vCenter Server. A local attacker
      may be able to elevate their privileges on vCenter Server.

      vCenter Server Appliance (vCSA) 5.1, 5.5 and 6.0 has remote access
      to the JMX RMI service (port 9875) blocked by default.

      VMware would like to thank Doug McLeod of 7 Elements Ltd and an
      anonymous researcher working through HP's Zero Day Initiative for
      reporting this issue to us.

      The Common Vulnerabilities and Exposures project (cve.mitre.org)
      has assigned the identifier CVE-2015-2342 to this issue.

      CRITICAL UPDATE

      VMSA-2015-0007.2 and earlier versions of this advisory documented
      that CVE-2015-2342 was addressed in vCenter Server 5.0 U3e,
      5.1 U3b, and 5.5 U3. Subsequently, it was found that the fix for
      CVE-2015-2342 in vCenter Server 5.0 U3e, 5.1 U3b, and
      5.5 U3/U3a/U3b running on Windows was incomplete and did not
      address the issue.
      In order to address the issue on these versions of vCenter Server
      Windows, an additional patch must be installed. This additional
      patch is available from VMware Knowledge Base (KB) article
      2144428. Alternatively, updating to vCenter Server 5.0 U3g,
      5.1 U3d, and 5.5 U3d running on Windows will remediate the issue.
      In case the Windows Firewall is enabled on the system that has
      vCenter Server Windows installed, remote exploitation of
      CVE-2015-2342 is not possible. Even if the Windows Firewall is
      enabled, users are advised to install the additional patch in
      order to remove the local privilege elevation.

      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is
      available.

      VMware                  Product    Running   Replace with/
      Product                 Version    on        Apply Patch
      =============           =======    =======   ===============
      VMware vCenter Server   6.0        Any       6.0.0b and above
      VMware vCenter Server   5.5        Windows   (5.5 U3/U3a/U3b + KB*)
                                                   or 5.5 U3d
      VMware vCenter Server   5.5        Linux     5.5 U3 and above
      VMware vCenter Server   5.1        Windows   (5.1 U3b + KB*)
                                                   or 5.1 U3d
      VMware vCenter Server   5.1        Linux     5.1 U3b and above
      VMware vCenter Server   5.0        Windows   (5.0 U3e + KB*)
                                                   or 5.0 U3g
      VMware vCenter Server   5.0        Linux     5.0 U3e and above

     * An additional patch provided in VMware KB article 2144428 must be
       installed on vCenter Server Windows 5.0 U3e, 5.1 U3b, 5.5 U3,
       5.5 U3a, and 5.5 U3b in order to remediate CVE-2015-2342.
       This patch is not needed when updating to 5.0 U3g, 5.1 U3d or
       5.5 U3d, or when installing 5.0 U3g, 5.1 U3d or 5.5 U3d.

   c. VMware vCenter Server vpxd denial-of-service vulnerability

      VMware vCenter Server does not properly sanitize long heartbeat
      messages. Exploitation of this issue may allow an unauthenticated
      attacker to create a denial-of-service condition in the vpxd
      service.

      VMware would like to thank the Google Security Team for reporting
      this issue to us.

      The Common Vulnerabilities and Exposures project (cve.mitre.org)
      has assigned the identifier CVE-2015-1047 to this issue.

      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is
      available.

      VMware                       Product    Running   Replace with/
      Product                      Version    on        Apply Patch
      =============                =======    =======   ==============
      VMware vCenter Server        6.0        Any       not affected
      VMware vCenter Server        5.5        Any       5.5u2
      VMware vCenter Server        5.1        Any       5.1u3
      VMware vCenter Server        5.0        Any       5.0u3e


4. Solution

   Please review the patch/release notes for your product and version
   and verify the checksum of your downloaded file.

   ESXi
   --------------------------------
   Downloads:
   https://www.vmware.com/patchmgr/findPatch.portal

   Documentation:
   http://kb.vmware.com/kb/2110247
   http://kb.vmware.com/kb/2114875
   http://kb.vmware.com/kb/2120209

   vCenter Server
   --------------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/download-vsphere


5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5177
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2342
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1047

   VMware Knowledge Base articles
   http://kb.vmware.com/kb/2133118
   http://kb.vmware.com/kb/2144428

- ------------------------------------------------------------------------

6. Change log


   2015-10-01 VMSA-2015-0007
   Initial security advisory in conjunction with ESXi 5.0, 5.1 patches
   and VMware vCenter Server 5.1 u3b, 5.0 u3e on 2015-10-01.

   2015-10-06 VMSA-2015-0007.1
   Updated security advisory in conjunction with the release of ESXi 5.5
   U3a on 2015-10-06. Added a note to section 3.a to alert customers to
   a non-security issue in ESXi 5.5 U3 that is addressed in ESXi 5.5 U3a.

   2015-10-20 VMSA-2015-0007.2
   Updated security advisory to reflect that CVE-2015-2342 is fixed in
   an earlier vCenter Server version (6.0.0b) than originally reported
   (6.0 U1) and that the port required to exploit the vulnerability is
   blocked in the appliance versions of the software (5.1 and above).

   2016-02-12 VMSA-2015-0007.3
   Updated security advisory to add that an additional patch is required
   on vCenter Server 5.0 U3e, 5.1 U3b and 5.5 U3/U3a/U3b running on
   Windows to remediate CVE-2015-2342.

   2016-04-27 VMSA-2015-0007.4
   Updated security advisory to add that vCenter Server 5.5 U3d running on
   Windows addresses CVE-2105-2342 without the need to install the
   additional patch.

   2016-05-24 VMSA-2015-0007.5
   Updated security advisory to add that vCenter Server 5.1 U3d running on
   Windows addresses CVE-2105-2342 without the need to install the
   additional patch.

   2016-06-14 VMSA-2015-0007.6
   Updated security advisory to add that vCenter Server 5.0 U3g running on
   Windows addresses CVE-2105-2342 without the need to install the
   additional patch.

- ------------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

    security-announce at lists.vmware.com
    bugtraq at securityfocus.com
    fulldisclosure at seclists.org

   E-mail: security at vmware.com
   PGP key at: http://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   Consolidated list of VMware Security Advisories
   http://kb.vmware.com/kb/2078735

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html

   Twitter
   https://twitter.com/VMwareSRC

   Copyright 2015 VMware Inc.  All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8

wj8DBQFXYOI+DEcm8Vbi9kMRAo5NAKDXxOUz7aLdAbLN91d35cTgWjnBUwCgmYEe
UBtln1x1l7M8vaPkawZdpNE=
=c1Np
-----END PGP SIGNATURE-----

New VMSA-2016-0008 VMware vRealize Log Insight addresses important and moderate security issues

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID: VMSA-2016-0008
Synopsis:    VMware vRealize Log Insight addresses important and
             moderate security issues.
Issue date:  2016-06-09
Updated on:  2016-06-09 (Initial Advisory)
CVE number:  CVE-2016-2081, CVE-2016-2082

1. Summary

   VMware vRealize Log Insight addresses important and moderate security
   issues.

2. Relevant Releases

   VMware vRealize Log Insight prior to 3.3.2

3. Problem Description

   a. Important stored cross-site scripting issue in VMware vRealize Log
      Insight

   VMware vRealize Log Insight contains a vulnerability that may
   allow for a stored cross-site scripting attack. Exploitation of this
   issue may lead to the hijack of an authenticated user's session.

   VMware would like to thank Lukasz Plonka for reporting this issue to
   us.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the identifier CVE-2016-2081 to this issue.

   Column 4 of the following table lists the action required to
   remediate the vulnerability in each release, if a solution is
   available.

   VMware                        Product   Running   Replace with/
   Product                       Version   on        Apply Patch
   ===========================   =======   =======   =================
   VMware vRealize Log Insight   3.x       Virtual   3.3.2
                                           Appliance
   VMware vRealize Log Insight   2.x       Virtual   3.3.2
                                           Appliance

   b. Moderate cross-site request forgery issue in VMware vRealize Log
      Insight

   VMware vRealize Log Insight contains a vulnerability that may
   allow for a cross-site request forgery attack. Exploitation of this
   issue may lead to an attacker replacing trusted content in the Log
   Insight UI without the user's authorization.

   VMware would like to thank Lukasz Plonka for reporting this issue to
   us.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the identifier CVE-2016-2082 to this issue.

   Column 4 of the following table lists the action required to
   remediate the vulnerability in each release, if a solution is
   available.

   VMware                        Product   Running   Replace with/
   Product                       Version   on        Apply Patch
   ===========================   =======   =======   =================
   VMware vRealize Log Insight   3.x       Virtual   3.3.2
                                           Appliance
   VMware vRealize Log Insight   2.x       Virtual   3.3.2
                                           Appliance

4. Solution

   Please review the patch/release notes for your product and
   version and verify the checksum of your downloaded file.

   VMware vRealize Log Insight 3.3.2
   Downloads and Documentation:


https://my.vmware.com/en/web/vmware/info/slug/infrastructure_operations_man
agement/vmware_vrealize_log_insight/3_3

5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2081
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2082

- ------------------------------------------------------------------------

6. Change log

   2016-06-09 VMSA-2016-0008 Initial security advisory in conjunction
   with the release of VMware vRealize Log Insight 3.3.2 on 2016-06-09.

- ------------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

    security-announce at lists.vmware.com
    bugtraq at securityfocus.com
    fulldisclosure at seclists.org

   E-mail: security at vmware.com
   PGP key at: https://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   Consolidated list of VMware Security Advisories
   http://kb.vmware.com/kb/2078735

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html

   Twitter
   https://twitter.com/VMwareSRC

   Copyright 2016 VMware Inc.  All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.3.2 (Build 21165)
Charset: utf-8

wj8DBQFXWj/PDEcm8Vbi9kMRAnAIAJ41gvMcGGXT4455eNmt7tR48d8pmgCgun/W
uMHWtNOrpA7NINIY+E8ASpo=
=QmsU
-----END PGP SIGNATURE-----
_______________________________________________
Security-announce mailing list
Security-announce-xEzmwC/hc7si8rCdYzckzA< at >public.gmane.org
http://lists.vmware.com/mailman/listinfo/security-announce

New VMSA-2016-0007 VMware NSX and vCNS product updates address a critical information disclosure vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - ------------------------------------------------------------------------
Advisory ID: VMSA-2016-0007
Synopsis:    VMware NSX and vCNS product updates address a critical
information disclosure vulnerability

Issue date:  2016-06-09
Updated on:  2016-06-09 (Initial Advisory)
CVE number:  CVE-2016-2079

1. Summary

   VMware NSX and vCNS product updates address a critical information
   disclosure vulnerability.

2. Relevant Releases

   NSX 6.2 prior to 6.2.3
   NSX 6.1 prior to 6.1.7

   vCNS 5.5.4 prior to 5.5.4.3

3. Problem Description

   a. VMware NSX and vCNS critical information disclosure vulnerability

      VMware NSX and vCNS with SSL-VPN enabled contain a critical input
      validation vulnerability. This issue may allow a remote attacker
      to gain access to sensitive information.


   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the identifier CVE-2016-2079 to this issue.

   Column 4 of the following table lists the action required to
   remediate the vulnerability in each release, if a solution is
   available.

   VMware              Product       Running      Replace with/
   Product             Version         on          Apply Patch
   ============       ==========    ==========    =============
   NSX Edge             6.2           Any            6.2.3
   NSX Edge             6.1           Any            6.1.7
   vCNS Edge            5.5           Any            5.5.4.3


4. Solution

    Please review the patch/release notes for your product and version and
verify
the checksum of your downloaded file.

VMware NSX
    Downloads:
    https://www.vmware.com/go/download-nsx-vsphere

    Documentation:
    https://www.vmware.com/support/pubs/nsx_pubs.html

    vCNS
    Downloads:
    https://www.vmware.com/go/download-vcd-ns

    Documentation:
    https://www.vmware.com/support/pubs/vshield_pubs.html

5. References

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2079

- - - -
- - ------------------------------------------------------------------------

6. Change log

    2016-06-09 VMSA-2016-0007
    Initial security advisory in conjunction with the release of VMware
    NSX 6.2.3, 6.1.7 and vCNS 5.5.4.3 on 2016-06-09.

- - - -
- - ------------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

   security-announce at lists.vmware.com
   bugtraq at securityfocus.com
   fulldisclosure at seclists.org

   E-mail: security at vmware.com
   PGP key at: https://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   Consolidated list of VMware Security Advisories
   http://kb.vmware.com/kb/2078735

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html

   Twitter
   https://twitter.com/VMwareSRC

   Copyright 2016 VMware Inc.  All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.3.2 (Build 21165)
Charset: utf-8

wj8DBQFXWj8bDEcm8Vbi9kMRAstiAKC5ejIGTYxy1cyZICirCBe7ZZ0qHwCg3ohk
/WKIK9nNhceGenKdZBakL04=
=VsXF
-----END PGP SIGNATURE-----?

_______________________________________________
Security-announce mailing list
Security-announce-xEzmwC/hc7si8rCdYzckzA< at >public.gmane.org
http://lists.vmware.com/mailman/listinfo/security-announce

UPDATE: VMSA-2016-0005.3 – VMware product updates address critical and important security issues

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID: VMSA-2016-0005.3
Synopsis:    VMware product updates address critical and important
             security issues
Issue date:  2016-05-17
Updated on:  2016-06-03
CVE number:  CVE-2016-3427, CVE-2016-2077
- ------------------------------------------------------------------------

1. Summary

   VMware product updates address critical and important
   security issues.

2. Relevant Releases

   vCenter Server 6.0 on Windows without workaround of KB 2145343
   vCenter Server 6.0 on Linux (VCSA) prior to 6.0.0b
   vCenter Server 5.5 prior to 5.5 U3d (on Windows), 5.5 U3 (VCSA)
   vCenter Server 5.1 prior to 5.1 U3b
   vCenter Server 5.0 prior to 5.0 U3e

   vCloud Director prior to 8.0.1.1
   vCloud Director prior to 5.6.5.1
   vCloud Director prior to 5.5.6.1

   vSphere Replication prior to 6.1.1
   vSphere Replication prior to 6.0.0.3
   vSphere Replication prior to 5.8.1.2
   vSphere Replication prior to 5.6.0.6

   vRealize Operations Manager 6.x (non-appliance version)

   vRealize Infrastructure Navigator prior to 5.8.6

   VMware Workstation prior to 11.1.3

   VMware Player prior to 7.1.3


3. Problem Description

   a. Critical JMX issue when deserializing authentication credentials

      The RMI server of Oracle JRE JMX deserializes any class when
      deserializing authentication credentials. This may allow a remote,
      unauthenticated attacker to cause deserialization flaws and execute
      their commands.

      Workarounds CVE-2016-3427

      vCenter Server
      Apply the steps of VMware Knowledge Base article 2145343 to vCenter
      Server 6.0 on Windows. See the table below for the specific vCenter
      Server 6.0 versions on Windows this applies to.

      vCloud Director
      No workaround identified

      vSphere Replication
      No workaround identified

      vRealize Operations Manager (non-appliance)
      The non-appliance version of vRealize Operations Manager (vROps),
      which can be installed on Windows and Linux has no default
      firewall. In order to remove the remote exploitation possibility,
      access to the following external ports will need to be blocked on
      the system where the non-appliance version of vROps is installed:
         - vROps 6.2.x: port 9004, 9005, 9006, 9007, 9008
         - vROps 6.1.x: port 9004, 9005, 9007, 9008
         - vROps 6.0.x: port 9004, 9005
      Note: These ports are already blocked by default in the appliance
      version of vROps.

      vRealize Infrastructure Navigator
      No workaround identified

      The Common Vulnerabilities and Exposures project (cve.mitre.org) has
      assigned the identifier CVE-2016-3427 to this issue.

      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is
      available.

      VMware                  Product    Running   Replace with/
      Product                 Version    on        Apply Patch
      ======================  =========  =======   =============
      vCenter Server          6.0        Windows   6.0.0b + KB 2145343 *
      vCenter Server          6.0        Linux     6.0.0b
      vCenter Server          5.5        Windows   (5.5 U3b + KB 2144428
**)
                                                   or 5.5 U3d
      vCenter Server          5.5        Linux     5.5 U3
      vCenter Server          5.1        Windows   (5.1 U3b + KB 2144428
**)
                                                   or 5.1U3d
      vCenter Server          5.1        Linux     5.1 U3b
      vCenter Server          5.0        Windows   5.0 U3e + KB 2144428 **
      vCenter Server          5.0        Linux     5.0 U3e

      vCloud Director         8.0.x      Linux     8.0.1.1
      vCloud Director         5.6.x      Linux     5.6.5.1
      vCloud Director         5.5.x      Linux     5.5.6.1

      vSphere Replication     6.1.x      Linux     6.1.1 ***
      vSphere Replication     6.0.x      Linux     6.0.0.3 ***
      vSphere Replication     5.8.x      Linux     5.8.1.2 ***
      vSphere Replication     5.6.x      Linux     5.6.0.6 ***

      vROps (non-appliance)   6.x        All       Apply workaround
      vROps (appliance)       6.x        Linux     Not affected

      vRealize Infrastructure 5.8.x      All       5.8.6
      Navigator


    * Remote and local exploitation is feasible on vCenter Server 6.0 and
      6.0.0a for Windows. Remote exploitation is not feasible on vCenter
      Server 6.0.0b (and above) for Windows but local exploitation is. The
      local exploitation possibility can be removed by applying the steps
      of KB 2145343 to vCenter Server 6.0.0b (and above) for Windows.

   ** See VMSA-2015-0007 for details.
      vCenter Server 5.5 U3d and 5.1 U3d running on Windows addresses
      CVE-2016-3427 without the need to install the additional patch
      of KB 2144428 documented in VMSA-2015-0007.


  *** vSphere Replication is affected if its vCloud Tunneling Agent
      is running, which is not enabled by default. This agent is used
      in environments that replicate data between the cloud and an
      on-premise datacenter.


   b. Important VMware Workstation and Player for Windows host privilege
      escalation vulnerability.

      VMware Workstation and Player for Windows do not properly reference
      one of their executables. This may allow a local attacker on the host
      to elevate their privileges.

      VMware would like to thank Andrew Smith of Sword & Shield Enterprise
      Security for reporting this issue to us.

      The Common Vulnerabilities and Exposures project (cve.mitre.org)
      has assigned the identifier CVE-2016-2077 to this issue.

      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is
      available.

      VMware                      Product    Running   Replace with/
      Product                     Version    on        Apply Patch
      ==================          =======    =======   =================
      VMware Workstation          12.x       any       not affected
      VMware Workstation          11.x       Windows   11.1.3
      VMware Workstation          11.x       Linux     not affected

      VMware Player               8.x        any       not affected
      VMware Player               7.x        Windows   7.1.3
      VMware Player               7.x        Linux     not affected


4. Solution

   Please review the patch/release notes for your product and
   version and verify the checksum of your downloaded file.

   vCenter Server
   --------------
   Downloads and Documentation:
   https://www.vmware.com/go/download-vsphere

   vCloud Director
   ---------------
   Downloads and Documentation:
   https://www.vmware.com/go/download/vcloud-director

   vSphere Replication
   -------------------
   Downloads and Documentation:
   https://my.vmware.com/web/vmware/get-download?downloadGroup=VR611
   https://my.vmware.com/web/vmware/get-download?downloadGroup=VR6003
   https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5812
   https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5606
   https://www.vmware.com/support/pubs/vsphere-replication-pubs.html

   vRealize Infrastructure Navigator
   ---------------------------------
   Downloads and Documentation:
  
https://my.vmware.com/web/vmware/details?downloadGroup=VIN_586&productId=54
2&rPId=11127

   VMware Workstation
   -------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/downloadworkstation

   VMware Player
   -------------
   Downloads and Documentation:
   https://www.vmware.com/go/downloadplayer

5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3427
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2077

   VMware Security Advisory VMSA-2015-0007
   http://www.vmware.com/security/advisories/VMSA-2015-0007.html

   VMware Knowledge Base article 2145343
   kb.vmware.com/kb/2145343

   VMware Knowledge Base article 2144428
   kb.vmware.com/kb/2144428

- ------------------------------------------------------------------------

6. Change log

   2016-05-17 VMSA-2016-0005
   Initial security advisory in conjunction with the release of VMware
   vCloud Director 8.0.1.1, 5.6.5.1, and 5.5.6.1, and vSphere
   Replication 6.0.0.3, 5.8.1.2, and 5.6.0.6 on 2016-05-17.

   2016-05-24 VMSA-2016-0005.1
   Updated security advisory in conjunction with the release of vSphere
   5.1 U3d on 2016-05-24. vCenter Server 5.1 U3d running on
   Windows addresses CVE-2016-3427 without the need to install the
   additional patch.

   2016-05-27 VMSA-2016-0005.2
   Updated security advisory in conjunction with the release of vSphere
   Replication 6.1.1 on 2016-05-26.

   2016-06-03 VMSA-2016-0005.3
   Updated security advisory in conjunction with the release of vRealize
   Infrastructure Navigator 5.8.6 on 2016-06-02

- ------------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

    security-announce at lists.vmware.com
    bugtraq at securityfocus.com
    fulldisclosure at seclists.org

   E-mail: security at vmware.com
   PGP key at: https://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   Consolidated list of VMware Security Advisories
   http://kb.vmware.com/kb/2078735

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html

   Twitter
   https://twitter.com/VMwareSRC

   Copyright 2016 VMware Inc.  All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8

wj8DBQFXUfNgDEcm8Vbi9kMRAuQ8AJsFuZLqvbAgpSDEku8sccEQvTQTewCg6ZeQ
OPEXvu2rnhSu/qqOfWvgpsw=
=+1IH
-----END PGP SIGNATURE-----

UPDATE: VMSA-2016-0005.2 – VMware product updates address critical and important security issues

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID: VMSA-2016-0005.2
Synopsis:    VMware product updates address critical and important
             security issues
Issue date:  2016-05-17
Updated on:  2016-05-27
CVE number:  CVE-2016-3427, CVE-2016-2077
- ------------------------------------------------------------------------

1. Summary

   VMware product updates address critical and important
   security issues.

2. Relevant Releases

   vCenter Server 6.0 on Windows without workaround of KB 2145343
   vCenter Server 6.0 on Linux (VCSA) prior to 6.0.0b
   vCenter Server 5.5 prior to 5.5 U3d (on Windows), 5.5 U3 (VCSA)
   vCenter Server 5.1 prior to 5.1 U3b
   vCenter Server 5.0 prior to 5.0 U3e

   vCloud Director prior to 8.0.1.1
   vCloud Director prior to 5.6.5.1
   vCloud Director prior to 5.5.6.1

   vSphere Replication prior to 6.1.1
   vSphere Replication prior to 6.0.0.3
   vSphere Replication prior to 5.8.1.2
   vSphere Replication prior to 5.6.0.6

   vRealize Operations Manager 6.x (non-appliance version)

   VMware Workstation prior to 11.1.3

   VMware Player prior to 7.1.3


3. Problem Description

   a. Critical JMX issue when deserializing authentication credentials

      The RMI server of Oracle JRE JMX deserializes any class when
      deserializing authentication credentials. This may allow a remote,
      unauthenticated attacker to cause deserialization flaws and execute
      their commands.

      Workarounds CVE-2016-3427

      vCenter Server
      Apply the steps of VMware Knowledge Base article 2145343 to vCenter
      Server 6.0 on Windows. See the table below for the specific vCenter
      Server 6.0 versions on Windows this applies to.

      vCloud Director
      No workaround identified

      vSphere Replication
      No workaround identified

      vRealize Operations Manager (non-appliance)
      The non-appliance version of vRealize Operations Manager (vROps),
      which can be installed on Windows and Linux has no default
      firewall. In order to remove the remote exploitation possibility,
      access to the following external ports will need to be blocked on
      the system where the non-appliance version of vROps is installed:
         - vROps 6.2.x: port 9004, 9005, 9006, 9007, 9008
         - vROps 6.1.x: port 9004, 9005, 9007, 9008
         - vROps 6.0.x: port 9004, 9005
      Note: These ports are already blocked by default in the appliance
      version of vROps.

      The Common Vulnerabilities and Exposures project (cve.mitre.org) has
      assigned the identifier CVE-2016-3427 to this issue.

      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is
      available.

      VMware                  Product    Running   Replace with/
      Product                 Version    on        Apply Patch
      ======================  =========  =======   =============
      vCenter Server          6.0        Windows   6.0.0b + KB 2145343 *
      vCenter Server          6.0        Linux     6.0.0b
      vCenter Server          5.5        Windows   (5.5 U3b + KB 2144428
**)
                                                   or 5.5 U3d
      vCenter Server          5.5        Linux     5.5 U3
      vCenter Server          5.1        Windows   (5.1 U3b + KB 2144428
**)
                                                   or 5.1U3d
      vCenter Server          5.1        Linux     5.1 U3b
      vCenter Server          5.0        Windows   5.0 U3e + KB 2144428 **
      vCenter Server          5.0        Linux     5.0 U3e

      vCloud Director         8.0.x      Linux     8.0.1.1
      vCloud Director         5.6.x      Linux     5.6.5.1
      vCloud Director         5.5.x      Linux     5.5.6.1

      vSphere Replication     6.1.x      Linux     6.1.1 ***
      vSphere Replication     6.0.x      Linux     6.0.0.3 ***
      vSphere Replication     5.8.x      Linux     5.8.1.2 ***
      vSphere Replication     5.6.x      Linux     5.6.0.6 ***

      vROps (non-appliance)   6.x        All       Apply workaround
      vROps (appliance)       6.x        Linux     Not affected


    * Remote and local exploitation is feasible on vCenter Server 6.0 and
      6.0.0a for Windows. Remote exploitation is not feasible on vCenter
      Server 6.0.0b (and above) for Windows but local exploitation is. The
      local exploitation possibility can be removed by applying the steps
      of KB 2145343 to vCenter Server 6.0.0b (and above) for Windows.

   ** See VMSA-2015-0007 for details.
      vCenter Server 5.5 U3d and 5.1 U3d running on Windows addresses
      CVE-2016-3427 without the need to install the additional patch
      of KB 2144428 documented in VMSA-2015-0007.


  *** vSphere Replication is affected if its vCloud Tunneling Agent
      is running, which is not enabled by default. This agent is used
      in environments that replicate data between the cloud and an
      on-premise datacenter.


   b. Important VMware Workstation and Player for Windows host privilege
      escalation vulnerability.

      VMware Workstation and Player for Windows do not properly reference
      one of their executables. This may allow a local attacker on the host
      to elevate their privileges.

      VMware would like to thank Andrew Smith of Sword & Shield Enterprise
      Security for reporting this issue to us.

      The Common Vulnerabilities and Exposures project (cve.mitre.org)
      has assigned the identifier CVE-2016-2077 to this issue.

      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is
      available.

      VMware                      Product    Running   Replace with/
      Product                     Version    on        Apply Patch
      ==================          =======    =======   =================
      VMware Workstation          12.x       any       not affected
      VMware Workstation          11.x       Windows   11.1.3
      VMware Workstation          11.x       Linux     not affected

      VMware Player               8.x        any       not affected
      VMware Player               7.x        Windows   7.1.3
      VMware Player               7.x        Linux     not affected


4. Solution

   Please review the patch/release notes for your product and
   version and verify the checksum of your downloaded file.

   vCenter Server
   --------------
   Downloads and Documentation:
   https://www.vmware.com/go/download-vsphere

   vCloud Director
   ---------------
   Downloads and Documentation:
   https://www.vmware.com/go/download/vcloud-director

   vSphere Replication
   -------------------
   Downloads and Documentation:
   https://my.vmware.com/web/vmware/get-download?downloadGroup=VR611
   https://my.vmware.com/web/vmware/get-download?downloadGroup=VR6003
   https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5812
   https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5606
   https://www.vmware.com/support/pubs/vsphere-replication-pubs.html

   VMware Workstation
   -------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/downloadworkstation

   VMware Player
   -------------
   Downloads and Documentation:
   https://www.vmware.com/go/downloadplayer

5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3427
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2077

   VMware Security Advisory VMSA-2015-0007
   http://www.vmware.com/security/advisories/VMSA-2015-0007.html

   VMware Knowledge Base article 2145343
   kb.vmware.com/kb/2145343

   VMware Knowledge Base article 2144428
   kb.vmware.com/kb/2144428

- ------------------------------------------------------------------------

6. Change log

   2016-05-17 VMSA-2016-0005
   Initial security advisory in conjunction with the release of VMware
   vCloud Director 8.0.1.1, 5.6.5.1, and 5.5.6.1, and vSphere
   Replication 6.0.0.3, 5.8.1.2, and 5.6.0.6 on 2016-05-17.

   2016-05-24 VMSA-2016-0005.1
   Updated security advisory in conjunction with the release of vSphere
   5.1 U3d on 2016-05-24. vCenter Server 5.1 U3d running on
   Windows addresses CVE-2016-3427 without the need to install the
   additional patch.

   2016-05-27 VMSA-2016-0005.2
   Updated security advisory in conjunction with the release of vSphere
   Replication 6.1.1 on 2016-05-26.

- ------------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

    security-announce at lists.vmware.com
    bugtraq at securityfocus.com
    fulldisclosure at seclists.org

   E-mail: security at vmware.com
   PGP key at: https://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   Consolidated list of VMware Security Advisories
   http://kb.vmware.com/kb/2078735

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html

   Twitter
   https://twitter.com/VMwareSRC

   Copyright 2016 VMware Inc.  All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8

wj8DBQFXSJIHDEcm8Vbi9kMRAt8oAJ9cSrgfC5OlS+lgV8O+6uxcGt5CdQCggsNB
iQZm8gTv4gEEKxa2Af9YbSQ=
=8szQ
-----END PGP SIGNATURE-----

UPDATED VMSA-2015-0007.5 – VMware vCenter and ESXi updates address critical security issues

​-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID: VMSA-2015-0007.5
Synopsis:    VMware vCenter and ESXi updates address critical security
             issues
Issue date:  2015-10-01
Updated on:  2016-05-24
CVE number:  CVE-2015-5177 CVE-2015-2342 CVE-2015-1047
- ------------------------------------------------------------------------

1. Summary

   VMware vCenter and ESXi updates address critical security issues.

   NOTE: See section 3.b for a critical update on an incomplete fix
   for the JMX RMI issue.

2. Relevant Releases

   VMware ESXi 5.5 without patch ESXi550-201509101-SG
   VMware ESXi 5.1 without patch ESXi510-201510101-SG
   VMware ESXi 5.0 without patch ESXi500-201510101-SG

   VMware vCenter Server 6.0 prior to version 6.0.0b
   VMware vCenter Server 5.5 prior to version 5.5 update 3
   VMware vCenter Server 5.1 prior to version 5.1 update u3b
   VMware vCenter Server 5.0 prior to version 5.0 update u3e


3. Problem Description

   a. VMWare ESXi OpenSLP Remote Code Execution

      VMware ESXi contains a double free flaw in OpenSLP's
      SLPDProcessMessage() function. Exploitation of this issue may
      allow an unauthenticated attacker to remotely execute code on
      the ESXi host.

      VMware would like to thank Qinghao Tang of QIHU 360 for reporting
      this issue to us.

      The Common Vulnerabilities and Exposures project (cve.mitre.org)
      has assigned the identifier CVE-2015-5177 to this issue.

      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is
      available.

        VMware          Product Running   Replace with/
        Product         Version on        Apply Patch
        =============   =======   =======   =================
        ESXi            6.0       ESXi      not affected
        ESXi            5.5       ESXi      ESXi550-201509101-SG*
        ESXi            5.1       ESXi      ESXi510-201510101-SG
        ESXi            5.0       ESXi      ESXi500-201510101-SG

        * Customers who have installed the complete set of ESXi 5.5 U3
        Bulletins, please review VMware KB 2133118. KB 2133118 documents
        a known non-security issue and provides a solution.

   b. VMware vCenter Server JMX RMI Remote Code Execution

      VMware vCenter Server contains a remotely accessible JMX RMI
      service that is not securely configured. An unauthenticated remote
      attacker who is able to connect to the service may be able to use
      it to execute arbitrary code on the vCenter Server. A local attacker
      may be able to elevate their privileges on vCenter Server.

      vCenter Server Appliance (vCSA) 5.1, 5.5 and 6.0 has remote access
      to the JMX RMI service (port 9875) blocked by default.

      VMware would like to thank Doug McLeod of 7 Elements Ltd and an
      anonymous researcher working through HP's Zero Day Initiative for
      reporting this issue to us.

      The Common Vulnerabilities and Exposures project (cve.mitre.org)
      has assigned the identifier CVE-2015-2342 to this issue.

      CRITICAL UPDATE

      VMSA-2015-0007.2 and earlier versions of this advisory documented
      that CVE-2015-2342 was addressed in vCenter Server 5.0 U3e,
      5.1 U3b, and 5.5 U3. Subsequently, it was found that the fix for
      CVE-2015-2342 in vCenter Server 5.0 U3e, 5.1 U3b, and
      5.5 U3/U3a/U3b running on Windows was incomplete and did not
      address the issue.
      In order to address the issue on these versions of vCenter Server
      Windows, an additional patch must be installed. This additional
      patch is available from VMware Knowledge Base (KB) article
      2144428. Alternatively, on vSphere 5.5 updating to vCenter Server
      5.5 U3d running on Windows will remediate the issue.
      In case the Windows Firewall is enabled on the system that has
      vCenter Server Windows installed, remote exploitation of
      CVE-2015-2342 is not possible. Even if the Windows Firewall is
      enabled, users are advised to install the additional patch in
      order to remove the local privilege elevation.

      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is
      available.

      VMware                  Product    Running   Replace with/
      Product                 Version    on        Apply Patch
      =============           =======    =======   ===============
      VMware vCenter Server   6.0        Any       6.0.0b and above
      VMware vCenter Server   5.5        Windows   (5.5 U3/U3a/U3b + KB*)
                                                   or 5.5 U3d
      VMware vCenter Server   5.5        Linux     5.5 U3 and above
      VMware vCenter Server   5.1        Windows   (5.1 U3b + KB*)
                                                   or 5.1 U3d
      VMware vCenter Server   5.1        Linux     5.1 U3b
      VMware vCenter Server   5.0        Windows   5.0 U3e + KB*
      VMware vCenter Server   5.0        Linux     5.0 U3e

     * An additional patch provided in VMware KB article 2144428 must be
       installed on vCenter Server Windows 5.0 U3e, 5.1 U3b, 5.5 U3,
       5.5 U3a, and 5.5 U3b in order to remediate CVE-2015-2342.
       This patch is not needed when updating to 5.1 U3d or 5.5 U3d,
       or when installing 5.1 U3d or 5.5 U3d.

   c. VMware vCenter Server vpxd denial-of-service vulnerability

      VMware vCenter Server does not properly sanitize long heartbeat
      messages. Exploitation of this issue may allow an unauthenticated
      attacker to create a denial-of-service condition in the vpxd
      service.

      VMware would like to thank the Google Security Team for reporting
      this issue to us.

      The Common Vulnerabilities and Exposures project (cve.mitre.org)
      has assigned the identifier CVE-2015-1047 to this issue.

      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is
      available.

      VMware                       Product    Running   Replace with/
      Product                      Version    on        Apply Patch
      =============                =======    =======   ==============
      VMware vCenter Server        6.0        Any       not affected
      VMware vCenter Server        5.5        Any       5.5u2
      VMware vCenter Server        5.1        Any       5.1u3
      VMware vCenter Server        5.0        Any       5.0u3e


4. Solution

   Please review the patch/release notes for your product and version
   and verify the checksum of your downloaded file.

   ESXi
   --------------------------------
   Downloads:
   https://www.vmware.com/patchmgr/findPatch.portal

   Documentation:
   http://kb.vmware.com/kb/2110247
   http://kb.vmware.com/kb/2114875
   http://kb.vmware.com/kb/2120209

   vCenter Server
   --------------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/download-vsphere


5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5177
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2342
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1047

   VMware Knowledge Base articles
   http://kb.vmware.com/kb/2133118
   http://kb.vmware.com/kb/2144428

- ------------------------------------------------------------------------

6. Change log


   2015-10-01 VMSA-2015-0007
   Initial security advisory in conjunction with ESXi 5.0, 5.1 patches
   and VMware vCenter Server 5.1 u3b, 5.0 u3e on 2015-10-01.

   2015-10-06 VMSA-2015-0007.1
   Updated security advisory in conjunction with the release of ESXi 5.5
   U3a on 2015-10-06. Added a note to section 3.a to alert customers to
   a non-security issue in ESXi 5.5 U3 that is addressed in ESXi 5.5 U3a.

   2015-10-20 VMSA-2015-0007.2
   Updated security advisory to reflect that CVE-2015-2342 is fixed in
   an earlier vCenter Server version (6.0.0b) than originally reported
   (6.0 U1) and that the port required to exploit the vulnerability is
   blocked in the appliance versions of the software (5.1 and above).

   2016-02-12 VMSA-2015-0007.3
   Updated security advisory to add that an additional patch is required
   on vCenter Server 5.0 U3e, 5.1 U3b and 5.5 U3/U3a/U3b running on
   Windows to remediate CVE-2015-2342.

   2016-04-27 VMSA-2015-0007.4
   Updated security advisory to add that vCenter Server 5.5 U3d running on
   Windows addresses CVE-2105-2342 without the need to install the
   additional patch.

   2016-05-24 VMSA-2015-0007.5
   Updated security advisory to add that vCenter Server 5.1 U3d running on
   Windows addresses CVE-2105-2342 without the need to install the
   additional patch.

- ------------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

    security-announce at lists.vmware.com
    bugtraq at securityfocus.com
    fulldisclosure at seclists.org

   E-mail: security at vmware.com
   PGP key at: http://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   Consolidated list of VMware Security Advisories
   http://kb.vmware.com/kb/2078735

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html

   Twitter
   https://twitter.com/VMwareSRC

   Copyright 2015 VMware Inc.  All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8

wj8DBQFXRByjDEcm8Vbi9kMRAsoKAKC9iaRAMLJetgtRzBCU2cIehlGbbgCgys8M
T/+fEa9BVET8o1dbp8MPwqQ=
=SJBs
-----END PGP SIGNATURE-----

​

_______________________________________________
Security-announce mailing list
Security-announce-xEzmwC/hc7si8rCdYzckzA< at >public.gmane.org
http://lists.vmware.com/mailman/listinfo/security-announce

UPDATED VMSA-2016-0005.1 VMware product updates address critical and important security issues

​-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

--------------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID: VMSA-2016-0005.1
Synopsis:    VMware product updates address critical and important
             security issues
Issue date:  2016-05-17
Updated on:  2016-05-24
CVE number:  CVE-2016-3427, CVE-2016-2077
- ------------------------------------------------------------------------

1. Summary

   VMware product updates address critical and important
   security issues.

2. Relevant Releases

   vCenter Server 6.0 on Windows without workaround of KB 2145343
   vCenter Server 6.0 on Linux (VCSA) prior to 6.0.0b
   vCenter Server 5.5 prior to 5.5 U3d (on Windows), 5.5 U3 (VCSA)
   vCenter Server 5.1 prior to 5.1 U3b
   vCenter Server 5.0 prior to 5.0 U3e

   vCloud Director prior to 8.0.1.1
   vCloud Director prior to 5.6.5.1
   vCloud Director prior to 5.5.6.1

   vSphere Replication prior to 6.0.0.3
   vSphere Replication prior to 5.8.1.2
   vSphere Replication prior to 5.6.0.6

   vRealize Operations Manager 6.x (non-appliance version)

   VMware Workstation prior to 11.1.3

   VMware Player prior to 7.1.3


3. Problem Description

   a. Critical JMX issue when deserializing authentication credentials

      The RMI server of Oracle JRE JMX deserializes any class when
      deserializing authentication credentials. This may allow a remote,
      unauthenticated attacker to cause deserialization flaws and execute
      their commands.

      Workarounds CVE-2016-3427

      vCenter Server
      Apply the steps of VMware Knowledge Base article 2145343 to vCenter
      Server 6.0 on Windows. See the table below for the specific vCenter
      Server 6.0 versions on Windows this applies to.

      vCloud Director
      No workaround identified

      vSphere Replication
      No workaround identified

      vRealize Operations Manager (non-appliance)
      The non-appliance version of vRealize Operations Manager (vROps),
      which can be installed on Windows and Linux has no default
      firewall. In order to remove the remote exploitation possibility,
      access to the following external ports will need to be blocked on
      the system where the non-appliance version of vROps is installed:
         - vROps 6.2.x: port 9004, 9005, 9006, 9007, 9008
         - vROps 6.1.x: port 9004, 9005, 9007, 9008
         - vROps 6.0.x: port 9004, 9005
      Note: These ports are already blocked by default in the appliance
      version of vROps.

      The Common Vulnerabilities and Exposures project (cve.mitre.org) has
      assigned the identifier CVE-2016-3427 to this issue.

      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is
      available.

      VMware                  Product    Running   Replace with/
      Product                 Version    on        Apply Patch
      ======================  =========  =======   =============
      vCenter Server          6.0        Windows   6.0.0b + KB 2145343 *
      vCenter Server          6.0        Linux     6.0.0b
      vCenter Server          5.5        Windows   (5.5 U3b + KB 2144428
**)
                                                   or 5.5 U3d
      vCenter Server          5.5        Linux     5.5 U3
      vCenter Server          5.1        Windows   (5.1 U3b + KB 2144428
**)
                                                   or 5.1U3d
      vCenter Server          5.1        Linux     5.1 U3b
      vCenter Server          5.0        Windows   5.0 U3e + KB 2144428 **
      vCenter Server          5.0        Linux     5.0 U3e

      vCloud Director         8.0.x      Linux     8.0.1.1
      vCloud Director         5.6.x      Linux     5.6.5.1
      vCloud Director         5.5.x      Linux     5.5.6.1

      vSphere Replication     6.1.x      Linux     patch pending ***
      vSphere Replication     6.0.x      Linux     6.0.0.3 ***
      vSphere Replication     5.8.x      Linux     5.8.1.2 ***
      vSphere Replication     5.6.x      Linux     5.6.0.6 ***

      vROps (non-appliance)   6.x        All       Apply workaround
      vROps (appliance)       6.x        Linux     Not affected


    * Remote and local exploitation is feasible on vCenter Server 6.0 and
      6.0.0a for Windows. Remote exploitation is not feasible on vCenter
      Server 6.0.0b (and above) for Windows but local exploitation is. The
      local exploitation possibility can be removed by applying the steps
      of KB 2145343 to vCenter Server 6.0.0b (and above) for Windows.

   ** See VMSA-2015-0007 for details.
      vCenter Server 5.5 U3d and 5.1 U3d running on Windows addresses
      CVE-2016-3427 without the need to install the additional patch
      of KB 2144428 documented in VMSA-2015-0007.


  *** vSphere Replication is affected if its vCloud Tunneling Agent
      is running, which is not enabled by default. This agent is used
      in environments that replicate data between the cloud and an
      on-premise datacenter.


   b. Important VMware Workstation and Player for Windows host privilege
      escalation vulnerability.

      VMware Workstation and Player for Windows do not properly reference
      one of their executables. This may allow a local attacker on the host
      to elevate their privileges.

      VMware would like to thank Andrew Smith of Sword & Shield Enterprise
      Security for reporting this issue to us.

      The Common Vulnerabilities and Exposures project (cve.mitre.org)
      has assigned the identifier CVE-2016-2077 to this issue.

      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is
      available.

      VMware                      Product    Running   Replace with/
      Product                     Version    on        Apply Patch
      ==================          =======    =======   =================
      VMware Workstation          12.x       any       not affected
      VMware Workstation          11.x       Windows   11.1.3
      VMware Workstation          11.x       Linux     not affected

      VMware Player               8.x        any       not affected
      VMware Player               7.x        Windows   7.1.3
      VMware Player               7.x        Linux     not affected


4. Solution

   Please review the patch/release notes for your product and
   version and verify the checksum of your downloaded file.

   vCenter Server
   --------------
   Downloads and Documentation:
   https://www.vmware.com/go/download-vsphere

   vCloud Director
   ---------------
   Downloads and Documentation:
   https://www.vmware.com/go/download/vcloud-director

   vSphere Replication
   -------------------
   Downloads and Documentation:
   https://my.vmware.com/web/vmware/get-download?downloadGroup=VR6003
   https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5812
   https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5606
   https://www.vmware.com/support/pubs/vsphere-replication-pubs.html

   VMware Workstation
   -------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/downloadworkstation

   VMware Player
   -------------
   Downloads and Documentation:
   https://www.vmware.com/go/downloadplayer

5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3427
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2077

   VMware Security Advisory VMSA-2015-0007
   http://www.vmware.com/security/advisories/VMSA-2015-0007.html

   VMware Knowledge Base article 2145343
   kb.vmware.com/kb/2145343

   VMware Knowledge Base article 2144428
   kb.vmware.com/kb/2144428

- ------------------------------------------------------------------------

6. Change log

   2016-05-17 VMSA-2016-0005
   Initial security advisory in conjunction with the release of VMware
   vCloud Director 8.0.1.1, 5.6.5.1, and 5.5.6.1, and vSphere
   Replication 6.0.0.3, 5.8.1.2, and 5.6.0.6 on 2016-05-17.

   2016-05-24 VMSA-2016-0005.1
   Updated security advisory in conjunction with the release of vSphere
   5.1 U3d on 2016-05-24. vCenter Server 5.1 U3d running on
   Windows addresses CVE-2016-3427 without the need to install the
   additional patch.


- ------------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

    security-announce at lists.vmware.com
    bugtraq at securityfocus.com
    fulldisclosure at seclists.org

   E-mail: security at vmware.com
   PGP key at: https://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   Consolidated list of VMware Security Advisories
   http://kb.vmware.com/kb/2078735

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html

   Twitter
   https://twitter.com/VMwareSRC

   Copyright 2016 VMware Inc.  All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8

wj8DBQFXRBrxDEcm8Vbi9kMRArdBAJ9folVLwEJ96XeQYcXgYZVhb91muQCgrCgl
6lMvZLSvXOxYO8jc6xakF5o=
=sGc+
-----END PGP SIGNATURE-----​

_______________________________________________
Security-announce mailing list
Security-announce-xEzmwC/hc7si8rCdYzckzA< at >public.gmane.org
http://lists.vmware.com/mailman/listinfo/security-announce