-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2016-0006
Synopsis: VMware vCenter Server updates address an important cross-site
scripting issue
Issue date: 2016-05-24
Updated on: 2016-05-24 (Initial Advisory)
CVE number: CVE-2016-2078
1. Summary
VMware vCenter Server updates address an important cross-site scripting
issue.
2. Relevant Releases
vCenter Server 6.0 prior to 6.0 update 2
vCenter Server 5.5 prior to 5.5 update 3d
vCenter Server 5.1 prior to 5.1 update 3d
3. Problem Description
a. Reflected cross-site scripting issue through flash parameter
injection
The vSphere Web Client contains a reflected cross-site scripting
vulnerability that occurs through flash parameter injection. An attacker
can exploit this issue by tricking a victim into clicking a malicious
link.
VMware would like to thank John Page aka hyp3rlinx for reporting this
issue to us.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the identifier CVE-2016-2078 to this issue.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware          Product   Running   Replace with/
Product         Version   on        Apply Patch
==============  ========  ========  =============
vCenter Server  6.0       Windows   6.0 U2*
vCenter Server  6.0       Linux     not affected
vCenter Server  5.5       Windows   5.5 U3d*
vCenter Server  5.5       Linux     not affected
vCenter Server  5.1       Windows   5.1 U3d*
vCenter Server  5.1       Linux     not affected
vCenter Server  5.0       any       not affected
* The client-side component of the vSphere Web Client does not need to be
updated to remediate CVE-2016-2078; updating the vCenter Server is sufficient
to remediate this issue.
4. Solution
Please review the patch/release notes for your product and
version and verify the checksum of your downloaded file.
vCenter Server
--------------
Downloads and Documentation:
https://www.vmware.com/go/download-vsphere
5. References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2078
- ------------------------------------------------------------------------
6. Change log
2016-05-24 VMSA-2016-0006
Initial security advisory in conjunction with the release of VMware
vCenter Server 5.1 U3d on 2016-05-24.
- ------------------------------------------------------------------------
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
security-announce at lists.vmware.com
bugtraq at securityfocus.com
fulldisclosure at seclists.org
E-mail: security at vmware.com
PGP key at: https://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
Consolidated list of VMware Security Advisories
http://kb.vmware.com/kb/2078735
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
Twitter
https://twitter.com/VMwareSRC
Copyright 2016 VMware Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.3.2 (Build 21165)
Charset: utf-8
wj8DBQFXQ9NcDEcm8Vbi9kMRAqwrAJ9b7+p4TGNBRGhHQUFmYsawBbOp5wCg0/aw
NRfGidYCwwF9ALq6OGrnMAU=
=j89F
-----END PGP SIGNATURE-----
NEW: VMSA-2016-0005 – VMware product updates address critical and important security issues
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2016-0005
Synopsis: VMware product updates address critical and important
security issues
Issue date: 2016-05-17
Updated on: 2016-05-17 (Initial Advisory)
CVE number: CVE-2016-3427, CVE-2016-2077
1. Summary
VMware product updates address critical and important
security issues.
2. Relevant Releases
vCenter Server 6.0 prior to 6.0 U2
vCenter Server 5.5 prior to 5.5 U3d (on Windows), 5.5 U3 (VCSA)
vCenter Server 5.1 prior to 5.1 U3b
vCenter Server 5.0 prior to 5.0 U3e
vCloud Director prior to 8.0.1.1
vCloud Director prior to 5.6.5.1
vCloud Director prior to 5.5.6.1
vSphere Replication prior to 6.0.0.3
vSphere Replication prior to 5.8.1.2
vSphere Replication prior to 5.6.0.6
vRealize Operations Manager 6.x (non-appliance version)
VMware Workstation prior to 11.1.3
VMware Player prior to 7.1.3
3. Problem Description
a. Critical JMX issue when deserializing authentication credentials
The RMI server of the Oracle JRE JMX implementation deserializes any class
when deserializing authentication credentials. This may allow a remote,
unauthenticated attacker to trigger deserialization flaws and execute
commands of their choosing.
Workarounds CVE-2016-3427
vCenter Server
Apply the steps of VMware Knowledge Base article 2145343 to vCenter
Server 6.0 on Windows. See the table below for the specific vCenter
Server 6.0 versions on Windows this applies to.
vCloud Director
No workaround identified
vSphere Replication
No workaround identified
vRealize Operations Manager (non-appliance)
The non-appliance version of vRealize Operations Manager (vROps),
which can be installed on Windows and Linux, has no default
firewall. To remove the possibility of remote exploitation,
access to the following external ports must be blocked on
the system where the non-appliance version of vROps is installed:
- vROps 6.2.x: ports 9004, 9005, 9006, 9007, 9008
- vROps 6.1.x: ports 9004, 9005, 9007, 9008
- vROps 6.0.x: ports 9004, 9005
Note: These ports are already blocked by default in the appliance
version of vROps.
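As an added illustration (not part of the VMware advisory), the vROps port-blocking workaround above as a small POSIX shell script for a Linux host running the non-appliance build: it maps the vROps version to the advisory's port list, emits iptables DROP rules for non-loopback traffic on those ports, applies them without stacking duplicates, and reports any port still unprotected. The iptables rule form and the loopback exemption are my assumptions, not VMware's guidance.

```shell
#!/bin/sh
# Added example, not part of the VMware advisory: apply and verify the vROps
# workaround from VMSA-2016-0005 on a Linux host running the non-appliance
# vROps build. Assumes iptables is installed and the script runs as root when
# applying; the port lists are the ones the advisory gives per vROps version.

# Return the ports the advisory says to block for a given vROps version string.
vrops_ports() {
    case "$1" in
        6.2.*) echo "9004 9005 9006 9007 9008" ;;
        6.1.*) echo "9004 9005 9007 9008" ;;
        6.0.*) echo "9004 9005" ;;
        *)     return 1 ;;   # version not covered by the workaround table
    esac
}

# Print one iptables rule per port. Only non-loopback traffic is dropped, so
# vROps components talking to each other on the same host keep working.
vrops_block_rules() {
    ports=$(vrops_ports "$1") || return 1
    for p in $ports; do
        echo "iptables -A INPUT -p tcp --dport $p ! -i lo -j DROP"
    done
}

# Apply each rule only if it is not already present (-C checks, -A appends),
# so re-running the script does not accumulate duplicate rules.
vrops_apply() {
    vrops_block_rules "$1" | while read -r add; do
        check=$(printf '%s' "$add" | sed 's/ -A / -C /')
        sh -c "$check" 2>/dev/null || sh -c "$add"
    done
}

# Print every expected port that still has no DROP rule; empty output means
# the workaround is fully in place.
vrops_missing() {
    for p in $(vrops_ports "$1"); do
        iptables -C INPUT -p tcp --dport "$p" ! -i lo -j DROP 2>/dev/null || echo "$p"
    done
}

# Usage: sh vrops-workaround.sh 6.2.1
if [ -n "${1:-}" ]; then
    vrops_apply "$1"
    missing=$(vrops_missing "$1")
    if [ -z "$missing" ]; then
        echo "workaround in place for vROps $1"
    else
        echo "ports still open: $missing"
    fi
fi
```

On a Windows install of the non-appliance vROps the equivalent is an inbound block rule for the same ports in the Windows Firewall.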
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the identifier CVE-2016-3427 to this issue.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware                 Product  Running  Replace with/
Product                Version  on       Apply Patch
=====================  =======  =======  =======================
vCenter Server         6.0      Windows  6.0.0b + KB 2145343 *
vCenter Server         6.0      Linux    6.0.0b
vCenter Server         5.5      Windows  5.5 U3d
vCenter Server         5.5      Linux    5.5 U3
vCenter Server         5.1      Windows  5.1 U3b + KB 2144428 **
vCenter Server         5.1      Linux    5.1 U3b
vCenter Server         5.0      Windows  5.0 U3e + KB 2144428 **
vCenter Server         5.0      Linux    5.0 U3e
vCloud Director        8.0.x    Linux    8.0.1.1
vCloud Director        5.6.x    Linux    5.6.5.1
vCloud Director        5.5.x    Linux    5.5.6.1
vSphere Replication    6.1.x    Linux    patch pending ***
vSphere Replication    6.0.x    Linux    6.0.0.3 ***
vSphere Replication    5.8.x    Linux    5.8.1.2 ***
vSphere Replication    5.6.x    Linux    5.6.0.6 ***
vROps (non-appliance)  6.x      All      Apply workaround
vROps (appliance)      6.x      Linux    Not affected
* Remote and local exploitation is feasible on vCenter Server 6.0 and
6.0.0a for Windows. Remote exploitation is not feasible on vCenter
Server 6.0.0b (and above) for Windows but local exploitation is. The
local exploitation possibility can be removed by applying the steps
of KB 2145343 to vCenter Server 6.0.0b (and above) for Windows.
** See VMSA-2015-0007 for details.
*** vSphere Replication is affected if its vCloud Tunneling Agent
is running, which is not enabled by default. This agent is used
in environments that replicate data between the cloud and an
on-premise datacenter.
b. Important VMware Workstation and Player for Windows host privilege
escalation vulnerability.
VMware Workstation and Player for Windows do not properly reference
one of their executables. This may allow a local attacker on the host
to elevate their privileges.
VMware would like to thank Andrew Smith of Sword & Shield Enterprise
Security for reporting this issue to us.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the identifier CVE-2016-2077 to this issue.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware              Product  Running  Replace with/
Product             Version  on       Apply Patch
==================  =======  =======  =================
VMware Workstation  12.x     any      not affected
VMware Workstation  11.x     Windows  11.1.3
VMware Workstation  11.x     Linux    not affected
VMware Player       8.x      any      not affected
VMware Player       7.x      Windows  7.1.3
VMware Player       7.x      Linux    not affected
4. Solution
Please review the patch/release notes for your product and
version and verify the checksum of your downloaded file.
vCenter Server
--------------
Downloads and Documentation:
https://www.vmware.com/go/download-vsphere
vCloud Director
---------------
Downloads and Documentation:
https://www.vmware.com/go/download/vcloud-director
vSphere Replication
-------------------
Downloads and Documentation:
https://my.vmware.com/web/vmware/get-download?downloadGroup=VR6003
https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5812
https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5606
https://www.vmware.com/support/pubs/vsphere-replication-pubs.html
VMware Workstation
-------------------------
Downloads and Documentation:
https://www.vmware.com/go/downloadworkstation
VMware Player
-------------
Downloads and Documentation:
https://www.vmware.com/go/downloadplayer
5. References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3427
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2077
VMware Security Advisory VMSA-2015-0007
http://www.vmware.com/security/advisories/VMSA-2015-0007.html
VMware Knowledge Base article 2145343
kb.vmware.com/kb/2145343
VMware Knowledge Base article 2144428
kb.vmware.com/kb/2144428
- ------------------------------------------------------------------------
6. Change log
2016-05-17 VMSA-2016-0005
Initial security advisory in conjunction with the release of VMware
vCloud Director 8.0.1.1, 5.6.5.1, and 5.5.6.1, and vSphere
Replication 6.0.0.3, 5.8.1.2, and 5.6.0.6 on 2016-05-17.
- ------------------------------------------------------------------------
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
security-announce at lists.vmware.com
bugtraq at securityfocus.com
fulldisclosure at seclists.org
E-mail: security at vmware.com
PGP key at: https://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
Consolidated list of VMware Security Advisories
http://kb.vmware.com/kb/2078735
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
Twitter
https://twitter.com/VMwareSRC
Copyright 2016 VMware Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8
wj8DBQFXOqarDEcm8Vbi9kMRAt20AJ9PiPKOH80e0bWPfI6xdEDAuiGJHACgzkHO
7bb8idI4udBztfyULZJf5mQ=
=gk4u
-----END PGP SIGNATURE-----
UPDATE: VMSA-2015-0007.4 – VMware vCenter and ESXi updates address critical security issues
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2015-0007.4
Synopsis: VMware vCenter and ESXi updates address critical security
issues
Issue date: 2015-10-01
Updated on: 2016-04-27
CVE number: CVE-2015-5177 CVE-2015-2342 CVE-2015-1047
- ------------------------------------------------------------------------
1. Summary
VMware vCenter and ESXi updates address critical security issues.
NOTE: See section 3.b for a critical update on an incomplete fix
for the JMX RMI issue.
2. Relevant Releases
VMware ESXi 5.5 without patch ESXi550-201509101-SG
VMware ESXi 5.1 without patch ESXi510-201510101-SG
VMware ESXi 5.0 without patch ESXi500-201510101-SG
VMware vCenter Server 6.0 prior to version 6.0.0b
VMware vCenter Server 5.5 prior to version 5.5 update 3
VMware vCenter Server 5.1 prior to version 5.1 U3b
VMware vCenter Server 5.0 prior to version 5.0 U3e
3. Problem Description
a. VMware ESXi OpenSLP Remote Code Execution
VMware ESXi contains a double free flaw in OpenSLP's
SLPDProcessMessage() function. Exploitation of this issue may
allow an unauthenticated attacker to remotely execute code on
the ESXi host.
VMware would like to thank Qinghao Tang of QIHU 360 for reporting
this issue to us.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the identifier CVE-2015-5177 to this issue.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware   Product  Running  Replace with/
Product  Version  on       Apply Patch
=======  =======  =======  =====================
ESXi     6.0      ESXi     not affected
ESXi     5.5      ESXi     ESXi550-201509101-SG*
ESXi     5.1      ESXi     ESXi510-201510101-SG
ESXi     5.0      ESXi     ESXi500-201510101-SG
* Customers who have installed the complete set of ESXi 5.5 U3
Bulletins, please review VMware KB 2133118. KB 2133118 documents
a known non-security issue and provides a solution.
b. VMware vCenter Server JMX RMI Remote Code Execution
VMware vCenter Server contains a remotely accessible JMX RMI
service that is not securely configured. An unauthenticated remote
attacker who is able to connect to the service may be able to use
it to execute arbitrary code on the vCenter Server. A local attacker
may be able to elevate their privileges on vCenter Server.
vCenter Server Appliance (vCSA) 5.1, 5.5 and 6.0 have remote access
to the JMX RMI service (port 9875) blocked by default.
VMware would like to thank Doug McLeod of 7 Elements Ltd and an
anonymous researcher working through HP's Zero Day Initiative for
reporting this issue to us.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the identifier CVE-2015-2342 to this issue.
CRITICAL UPDATE
VMSA-2015-0007.2 and earlier versions of this advisory documented
that CVE-2015-2342 was addressed in vCenter Server 5.0 U3e,
5.1 U3b, and 5.5 U3. Subsequently, it was found that the fix for
CVE-2015-2342 in vCenter Server 5.0 U3e, 5.1 U3b, and
5.5 U3/U3a/U3b running on Windows was incomplete and did not
address the issue.
To address the issue on these versions of vCenter Server on
Windows, an additional patch must be installed. This additional
patch is available from VMware Knowledge Base (KB) article
2144428. Alternatively, on vSphere 5.5, updating to vCenter Server
5.5 U3d on Windows remediates the issue.
If the Windows Firewall is enabled on the system where vCenter
Server for Windows is installed, remote exploitation of
CVE-2015-2342 is not possible. Even if the Windows Firewall is
enabled, users are advised to install the additional patch to
remove the local privilege elevation.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware                 Product  Running  Replace with/
Product                Version  on       Apply Patch
=====================  =======  =======  ==================================
VMware vCenter Server  6.0      Any      6.0.0b and above
VMware vCenter Server  5.5      Windows  (5.5 U3/U3a/U3b + KB*) or 5.5 U3d
VMware vCenter Server  5.5      Linux    5.5 U3 and above
VMware vCenter Server  5.1      Windows  5.1 U3b + KB*
VMware vCenter Server  5.1      Linux    5.1 U3b
VMware vCenter Server  5.0      Windows  5.0 U3e + KB*
VMware vCenter Server  5.0      Linux    5.0 U3e
* An additional patch provided in VMware KB article 2144428 must be
installed on vCenter Server Windows 5.0 U3e, 5.1 U3b, 5.5 U3,
5.5 U3a, and 5.5 U3b in order to remediate CVE-2015-2342.
This patch is not needed when updating to 5.5 U3d or when
installing 5.5 U3d.
c. VMware vCenter Server vpxd denial-of-service vulnerability
VMware vCenter Server does not properly sanitize long heartbeat
messages. Exploitation of this issue may allow an unauthenticated
attacker to create a denial-of-service condition in the vpxd
service.
VMware would like to thank the Google Security Team for reporting
this issue to us.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the identifier CVE-2015-1047 to this issue.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware                 Product  Running  Replace with/
Product                Version  on       Apply Patch
=====================  =======  =======  ==============
VMware vCenter Server  6.0      Any      not affected
VMware vCenter Server  5.5      Any      5.5u2
VMware vCenter Server  5.1      Any      5.1u3
VMware vCenter Server  5.0      Any      5.0u3e
4. Solution
Please review the patch/release notes for your product and version
and verify the checksum of your downloaded file.
ESXi
--------------------------------
Downloads:
https://www.vmware.com/patchmgr/findPatch.portal
Documentation:
http://kb.vmware.com/kb/2110247
http://kb.vmware.com/kb/2114875
http://kb.vmware.com/kb/2120209
vCenter Server
--------------------------------
Downloads and Documentation:
https://www.vmware.com/go/download-vsphere
5. References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5177
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2342
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1047
VMware Knowledge Base articles
http://kb.vmware.com/kb/2133118
http://kb.vmware.com/kb/2144428
- ------------------------------------------------------------------------
6. Change log
2015-10-01 VMSA-2015-0007
Initial security advisory in conjunction with ESXi 5.0, 5.1 patches
and VMware vCenter Server 5.1 u3b, 5.0 u3e on 2015-10-01.
2015-10-06 VMSA-2015-0007.1
Updated security advisory in conjunction with the release of ESXi 5.5
U3a on 2015-10-06. Added a note to section 3.a to alert customers to
a non-security issue in ESXi 5.5 U3 that is addressed in ESXi 5.5 U3a.
2015-10-20 VMSA-2015-0007.2
Updated security advisory to reflect that CVE-2015-2342 is fixed in
an earlier vCenter Server version (6.0.0b) than originally reported
(6.0 U1) and that the port required to exploit the vulnerability is
blocked in the appliance versions of the software (5.1 and above).
2016-02-12 VMSA-2015-0007.3
Updated security advisory to add that an additional patch is required
on vCenter Server 5.0 U3e, 5.1 U3b and 5.5 U3/U3a/U3b running on
Windows to remediate CVE-2015-2342.
2016-04-27 VMSA-2015-0007.4
Updated security advisory to add that vCenter Server 5.5 U3d running on
Windows addresses CVE-2015-2342 without the need to install the
additional patch.
- ------------------------------------------------------------------------
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
security-announce at lists.vmware.com
bugtraq at securityfocus.com
fulldisclosure at seclists.org
E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
Consolidated list of VMware Security Advisories
http://kb.vmware.com/kb/2078735
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
Twitter
https://twitter.com/VMwareSRC
Copyright 2015 VMware Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8
wj8DBQFXITeXDEcm8Vbi9kMRAjyyAKDx36MfXmXrYcm0qbyK5L7Xc+BJ0gCgimdm
IcC5O8GNlscBblUBH3vTwaI=
=PIWY
-----END PGP SIGNATURE-----
NEW VMSA-2016-0004 VMware product updates address a critical security issue in the VMware Client Integration Plugin
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2016-0004
Synopsis: VMware product updates address a critical security issue in
the VMware Client Integration Plugin
Issue date: 2016-04-14
Updated on: 2016-04-14 (Initial Advisory)
CVE number: CVE-2016-2076
1. Summary
VMware vCenter Server, vCloud Director (vCD), vRealize Automation
(vRA) Identity Appliance, and the Client Integration Plugin (CIP)
updates address a critical security issue.
2. Relevant Releases
vCenter Server 6.0
vCenter Server 5.5 U3a, U3b, U3c
vCloud Director 5.5.5
vRealize Automation Identity Appliance 6.2.4
3. Problem Description
a. Critical VMware Client Integration Plugin incorrect session
handling
The VMware Client Integration Plugin does not handle session content
in a safe way. This may allow for a Man in the Middle attack or Web
session hijacking in case the user of the vSphere Web Client visits
a malicious Web site.
The vulnerability is present in versions of CIP that shipped with:
- vCenter Server 6.0 (any 6.0 version up to 6.0 U2)
- vCenter Server 5.5 U3a, U3b, U3c
- vCloud Director 5.5.5
- vRealize Automation Identity Appliance 6.2.4
In order to remediate the issue, both the server side (i.e. vCenter
Server, vCloud Director, and vRealize Automation Identity Appliance)
and the client side (i.e. CIP of the vSphere Web Client) will need
to be updated.
The steps to remediate the issue are as follows:
A) Install an updated version of:
- vCenter Server,
- vCloud Director,
- vRealize Automation Identity Appliance,
B) Subsequently update the Client Integration Plugin on the system
from which the vSphere Web Client is used.
Updating the plugin on vSphere and vRA Identity Appliance is
explained in VMware Knowledge Base article 2145066.
Updating the plugin on vCloud Director is initiated by a prompt
when connecting the vSphere Web Client to the updated version of
vCloud Director.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the identifier CVE-2016-2076 to this issue.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware                  Product        Running   Replace with/
Product                 Version        on        Apply Patch
======================  =============  ========  =================
vCenter Server          6.0            any       6.0 U2 *
vCenter Server          5.5 U3a - U3c  any       5.5 U3d *
vCenter Server          5.1            any       not affected
vCenter Server          5.0            any       not affected
vCloud Director         8.0.x          Windows   not affected **
vCloud Director         5.6.x          Windows   not affected
vCloud Director         5.5.5          Windows   5.5.6 *
vRA Identity Appliance  7.x            Linux     not affected
vRA Identity Appliance  6.2.4          Linux     6.2.4.1 *
Client Integration      see text       Windows,  see item B above
Plugin                  above          Mac OS
* After installing the updated version, the Client Integration Plugin
will need to be updated on all systems from which the vSphere Web
Client is used to connect to vCenter Server, vCloud Director and
vRealize Automation Identity Manager.
** vCloud Director 8.0.0 did not ship with a vulnerable CIP version,
and vCloud Director 8.0.1 shipped with the updated version of the
CIP.
4. Solution
Please review the patch/release notes for your product and
version and verify the checksum of your downloaded file.
vCenter Server
--------------
Downloads and Documentation:
https://www.vmware.com/go/download-vsphere
http://pubs.vmware.com/Release_Notes/en/vsphere/55/vsphere-vcenter-server-55u3d-release-notes.html
vCloud Director
---------------
Downloads and Documentation:
https://www.vmware.com/go/download/vcloud-director
http://pubs.vmware.com/Release_Notes/en/vcd/556/rel_notes_vcloud_director_556.html
VMware vRealize Automation 6.2.4.1
----------------------------------
Downloads and Documentation:
https://my.vmware.com/web/vmware/info/slug/infrastructure_operations_management/vmware_vrealize_automation/6_2
(select "Go to Downloads" and scroll down to "Security Update")
http://pubs.vmware.com/Release_Notes/en/vra/vrealize-automation-624-release-notes.html
5. References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2076
VMware Knowledge Base article 2145066
kb.vmware.com/kb/2145066
- ------------------------------------------------------------------------
6. Change log
2016-04-14 VMSA-2016-0004
Initial security advisory in conjunction with the release of VMware
vSphere 5.5 U3d and vCloud Director 5.5.6 on 2016-04-14.
- ------------------------------------------------------------------------
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
security-announce at lists.vmware.com
bugtraq at securityfocus.com
fulldisclosure at seclists.org
E-mail: security at vmware.com
PGP key at: https://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
Consolidated list of VMware Security Advisories
http://kb.vmware.com/kb/2078735
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
Twitter
https://twitter.com/VMwareSRC
Copyright 2016 VMware Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8
wj8DBQFXD+2rDEcm8Vbi9kMRAkavAJ9Jh0+7d46fu6t24ZTbfi+gZqNhNACfbiip
CTomNkThpHn4T6WPTz8LAuw=
=DZIG
-----END PGP SIGNATURE-----
NEW VMSA-2016-0003 – VMware vRealize Automation and vRealize Business Advanced and Enterprise address Cross-Site Scripting (XSS) issues
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2016-0003
Synopsis: VMware vRealize Automation and vRealize Business Advanced
and Enterprise address Cross-Site Scripting (XSS) issues.
Issue date: 2016-03-15
Updated on: 2016-03-15 (Initial Advisory)
CVE number: CVE-2015-2344, CVE-2016-2075
1. Summary
VMware vRealize Automation and vRealize Business Advanced and
Enterprise address Cross-Site Scripting (XSS) issues.
2. Relevant Releases
VMware vRealize Automation 6.x prior to 6.2.4
VMware vRealize Business Advanced and Enterprise 8.x prior to 8.2.5
3. Problem Description
a. Important Stored Cross-Site Scripting (XSS) issue in VMware
vRealize Automation
VMware vRealize Automation contains a vulnerability that may allow
for a Stored Cross-Site Scripting (XSS) attack. Exploitation of this
issue may lead to the compromise of a vRA user's client workstation.
VMware would like to thank Lukasz Plonka for reporting this issue
to us.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the identifier CVE-2015-2344 to this issue.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware                      Product  Running  Replace with/
Product                     Version  on       Apply Patch
==========================  =======  =======  =============
VMware vRealize Automation  7.x      Linux    Not Affected
VMware vRealize Automation  6.x      Linux    6.2.4
VMware vRealize Automation  5.x      Windows  Not Affected
b. Important Stored Cross-Site Scripting (XSS) issue in vRealize
Business Advanced and Enterprise
VMware vRealize Business Advanced and Enterprise contains a
vulnerability that may allow for a Stored Cross-Site Scripting (XSS)
attack. Exploitation of this issue may lead to the compromise of a
vRB user's client workstation.
VMware would like to thank Alvaro Trigo Martin de Vidales of Deloitte
Spain for reporting this issue to us.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the identifier CVE-2016-2075 to this issue.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware                    Product  Running  Replace with/
Product                   Version  on       Apply Patch
========================  =======  =======  =============
VMware vRealize Business  8.x      Linux    8.2.5
Advanced and Enterprise
VMware vRealize Business  7.x      Linux    Not Affected
Standard
VMware vRealize Business  6.x      Linux    Not Affected
Standard
4. Solution
Please review the patch/release notes for your product and
version and verify the checksum of your downloaded file.
VMware vRealize Automation 6.2.4
Downloads and Documentation:
https://my.vmware.com/web/vmware/info/slug/infrastructure_operations_management/vmware_vrealize_automation/6_2
VMware vRealize Business Advanced and Enterprise 8.2.5
Downloads and Documentation:
https://my.vmware.com/web/vmware/info/slug/infrastructure_operations_management/vmware_vrealize_business/8_2
5. References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2344
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2075
- ------------------------------------------------------------------------
6. Change log
2016-03-15 VMSA-2016-0003
Initial security advisory in conjunction with the release of VMware
vRealize Automation 6.2.4 and VMware vRealize Business Advanced and
Enterprise 8.2.5 on 2016-03-15.
- ------------------------------------------------------------------------
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
security-announce at lists.vmware.com
bugtraq at securityfocus.com
fulldisclosure at seclists.org
E-mail: security at vmware.com
PGP key at: https://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
Consolidated list of VMware Security Advisories
http://kb.vmware.com/kb/2078735
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
Twitter
https://twitter.com/VMwareSRC
Copyright 2016 VMware Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.3.2 (Build 15337)
Charset: utf-8
wj8DBQFW6F8WDEcm8Vbi9kMRAqCcAJ4+Wo3ThKcaVY+gUDTuUl8ER8NlOgCgpcUf
2CAHJCdDsJT5L8/oyE8dpkc=
=kgj0
-----END PGP SIGNATURE-----
UPDATE: VMSA-2015-0009.2 VMware product updates address a critical deserialization vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2015-0009.2
Synopsis: VMware product updates address a critical deserialization
vulnerability
Issue date: 2015-12-18
Updated on: 2016-03-15
CVE number: CVE-2015-6934
- ------------------------------------------------------------------------
1. Summary
VMware product updates address a critical deserialization
vulnerability.
2. Relevant Releases
vRealize Orchestrator 6.x
vCenter Orchestrator 5.x
vRealize Infrastructure Navigator 5.8.x
3. Problem Description
a. Deserialization vulnerability
A deserialization vulnerability involving Apache Commons-collections
and a specially constructed chain of classes exists. Successful
exploitation could result in remote code execution, with the
permissions of the application using the Commons-collections library.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the identifier CVE-2015-6934 to this issue.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware                    Product  Running  Replace with/
Product                   Version  on       Apply Patch
========================  =======  =======  =================
vRealize Orchestrator     7.0      Any      Not Affected
vRealize Orchestrator     6.x      Any      See KB2141244
vCenter Orchestrator      5.x      Any      See KB2141244
vRealize Operations       6.x      Windows  6.2 *
vCenter Operations        5.x      Windows  Patch Pending *
vCenter Application       7.x      Any      Patch Pending *
Discovery Manager (vADM)
vRealize Infrastructure   5.8.x    Linux    5.8.5
Navigator
* Exploitation of the issue on vRealize Operations, vCenter
Operations, and vCenter Application Discovery Manager is limited to
local privilege escalation.
4. Solution
Please review the patch/release notes for your product and
version and verify the checksum of your downloaded file.
vRealize Orchestrator 6.x and
vCenter Orchestrator 5.x
Downloads and Documentation:
http://kb.vmware.com/kb/2141244
vRealize Operations 6.x
Release Notes
http://pubs.vmware.com/Release_Notes/en/vrops/62/vrops-62-release-notes.html
vRealize Infrastructure Navigator 5.8.5
Release Notes
http://pubs.vmware.com/Release_Notes/en/vin/585/releasenotes-vin585.html
5. References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6934
- ------------------------------------------------------------------------
6. Change log
2015-12-18 VMSA-2015-0009
Initial security advisory in conjunction with the release of vRealize
Orchestrator 6.x and vCenter Orchestrator 5.x patches on 2015-12-18.
2016-01-29 VMSA-2015-0009.1
Updated security advisory in conjunction with the release of vRealize
Operations 6.2 on 2016-01-28. Added a note below the table in
section 3.a that exploitation of this issue in vCenter Application
Discovery Manager is limited to local privilege escalation.
2016-03-15 VMSA-2015-0009.2
Updated security advisory to reflect the release of vRealize
Infrastructure Navigator 5.8.5, which addresses CVE-2015-6934.
- ------------------------------------------------------------------------
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
security-announce at lists.vmware.com
bugtraq at securityfocus.com
fulldisclosure at seclists.org
E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
Consolidated list of VMware Security Advisories
http://kb.vmware.com/kb/2078735
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
Twitter
https://twitter.com/VMwareSRC
Copyright 2015 VMware Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.3.2 (Build 15337)
Charset: utf-8
wj8DBQFW6Fs4DEcm8Vbi9kMRAmQFAKDFI6Ij60rfu0ruRd+/SglVGh3E/QCdGJJJ
D27ELmdZmRq4mzpxkRqlXw8=
=hUe6
-----END PGP SIGNATURE-----
UPDATE: VMSA-2016-0002.1- VMware product updates address a critical glibc security vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2016-0002.1
Synopsis: VMware product updates address a critical glibc security
vulnerability
Issue date: 2016-02-22
Updated on: 2016-02-23
CVE numbers: CVE-2015-7547
- ------------------------------------------------------------------------
1. Summary
VMware product updates address a critical glibc security
vulnerability
2. Relevant Releases (Affected products that have remediation available)
ESXi 6.0 without patch ESXi600-201602401-SG
ESXi 5.5 without patch ESXi550-201602401-SG
VMware virtual appliances
3. Problem Description
a. glibc update for multiple products.
The glibc library has been updated in multiple products to resolve
a stack buffer overflow present in the glibc getaddrinfo function.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the identifier CVE-2015-7547.
VMware products have been grouped into the following four
categories:
I) ESXi and ESX Hypervisor
Versions of ESXi and ESX prior to 5.5 are not affected because
they do not ship with a vulnerable version of glibc.
ESXi 5.5 and ESXi 6.0 ship with a vulnerable version of glibc and
are affected.
See table 1 for remediation for ESXi 5.5 and ESXi 6.0.
II) Windows-based products
Windows-based products, including all versions of vCenter Server
running on Windows, are not affected.
III) VMware virtual appliances
VMware virtual appliances ship with a vulnerable version of glibc
and are affected.
See table 2 for remediation for appliances.
IV) Products that run on Linux
VMware products that run on Linux (excluding virtual appliances)
might use a vulnerable version of glibc as part of the base
operating system. If the operating system has a vulnerable version
of glibc, VMware recommends that customers contact their operating
system vendor for resolution.
WORKAROUND
Workarounds are available for several virtual appliances. These are
documented in VMware KB article 2144032.
RECOMMENDATIONS
VMware recommends customers evaluate and deploy patches for
affected products in Table 1 and 2 below as these patches become
available. In case patches are not available, customers are
advised to deploy the workaround.
Column 4 of the following tables lists the action required to
remediate the vulnerability in each release, if a solution is
available.
Table 1 - ESXi
==============
VMware    Product  Running  Replace with/
Product   Version  on       Apply Patch
========  =======  =======  =====================
ESXi      6.0      ESXi     ESXi600-201602401-SG
ESXi      5.5      ESXi     ESXi550-201602401-SG
ESXi      5.1      ESXi     Not affected
ESXi      5.0      ESXi     Not affected
Table 2 - Products that are shipped as a virtual appliance.
=============================================================
VMware          Product  Running  Replace with/
Product         Version  on       Apply Patch
==============  =======  =======  =============================
VMware virtual  All      Linux    See VMware KB article 2144032
appliances
4. Solution
ESXi
----
Downloads:
https://www.vmware.com/patchmgr/findPatch.portal
Documentation:
http://kb.vmware.com/kb/2144057 (ESXi 6.0)
http://kb.vmware.com/kb/2144357 (ESXi 5.5)
VMware virtual appliances
-------------------------
Refer to VMware KB article 2144032
5. References
VMware Knowledge Base article 2144032
http://kb.vmware.com/kb/2144032
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7547
- ------------------------------------------------------------------------
6. Change Log
2016-02-22 VMSA-2016-0002
Initial security advisory in conjunction with the release of ESXi 5.5
patches and patches for virtual appliances as documented in VMware
Knowledge Base article 2144032 on 2016-02-22.
2016-02-23 VMSA-2016-0002.1
Updated security advisory in conjunction with the release of ESXi 6.0
patches on 2016-02-23.
- ------------------------------------------------------------------------
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
security-announce at lists.vmware.com
bugtraq at securityfocus.com
fulldisclosure at seclists.org
E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
Consolidated list of VMware Security Advisories
http://kb.vmware.com/kb/2078735
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
Twitter
https://twitter.com/VMwareSRC
Copyright 2016 VMware Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8
wj8DBQFWzUH1DEcm8Vbi9kMRAqzdAJ41gK0ZwrJ3VwuulRWe3oJp7eE4KgCfaCXz
uQ+wfohFVtr188M0qMbFfj8=
=ciJr
-----END PGP SIGNATURE-----
NEW: VMSA-2016-0002 VMware product updates address a critical glibc security vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2016-0002
Synopsis: VMware product updates address a critical glibc security
vulnerability
Issue date: 2016-02-22
Updated on: 2016-02-22 (Initial Advisory)
CVE numbers: CVE-2015-7547
- ------------------------------------------------------------------------
1. Summary
VMware product updates address a critical glibc security
vulnerability
2. Relevant Releases (Affected products that have remediation available)
ESXi 5.5 without patch ESXi550-201602401-SG
VMware virtual appliances
3. Problem Description
a. glibc update for multiple products.
The glibc library has been updated in multiple products to resolve
a stack buffer overflow present in the glibc getaddrinfo function.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the identifier CVE-2015-7547.
VMware products have been grouped into the following four
categories:
I) ESXi and ESX Hypervisor
Versions of ESXi and ESX prior to 5.5 are not affected because
they do not ship with a vulnerable version of glibc.
ESXi 5.5 and ESXi 6.0 ship with a vulnerable version of glibc and
are affected.
See table 1 for remediation for ESXi 5.5 and ESXi 6.0.
II) Windows-based products
Windows-based products, including all versions of vCenter Server
running on Windows, are not affected.
III) VMware virtual appliances
VMware virtual appliances ship with a vulnerable version of glibc
and are affected.
See table 2 for remediation for appliances.
IV) Products that run on Linux
VMware products that run on Linux (excluding virtual appliances)
might use a vulnerable version of glibc as part of the base
operating system. If the operating system has a vulnerable version
of glibc, VMware recommends that customers contact their operating
system vendor for resolution.
WORKAROUND
Workarounds are available for several virtual appliances. These are
documented in VMware KB article 2144032.
RECOMMENDATIONS
VMware recommends customers evaluate and deploy patches for
affected products in Table 1 and 2 below as these patches become
available. In case patches are not available, customers are
advised to deploy the workaround.
Column 4 of the following tables lists the action required to
remediate the vulnerability in each release, if a solution is
available.
Table 1 - ESXi
==============
VMware    Product  Running  Replace with/
Product   Version  on       Apply Patch
========  =======  =======  =====================
ESXi      6.0      ESXi     Patch pending
ESXi      5.5      ESXi     ESXi550-201602401-SG
ESXi      5.1      ESXi     Not affected
ESXi      5.0      ESXi     Not affected
Table 2 - Products that are shipped as a virtual appliance.
=============================================================
VMware          Product  Running  Replace with/
Product         Version  on       Apply Patch
==============  =======  =======  =============================
VMware virtual  All      Linux    See VMware KB article 2144032
appliances
4. Solution
ESXi
----
Downloads:
https://www.vmware.com/patchmgr/findPatch.portal
Documentation:
http://kb.vmware.com/kb/2144357
VMware virtual appliances
-------------------------
Refer to VMware KB article 2144032
5. References
VMware Knowledge Base article 2144032
http://kb.vmware.com/kb/2144032
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7547
- ------------------------------------------------------------------------
6. Change Log
2016-02-22 VMSA-2016-0002
Initial security advisory in conjunction with the release of ESXi 5.5
patches and patches for virtual appliances as documented in VMware
Knowledge Base article 2144032 on 2016-02-22.
- ------------------------------------------------------------------------
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
security-announce at lists.vmware.com
bugtraq at securityfocus.com
fulldisclosure at seclists.org
E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
Consolidated list of VMware Security Advisories
http://kb.vmware.com/kb/2078735
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
Twitter
https://twitter.com/VMwareSRC
Copyright 2016 VMware Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8
wj8DBQFWyqbRDEcm8Vbi9kMRApWCAKD5aKX1nnGmUFGf/W1s7gahnVlxMgCfTn62
Rye/77G4Gie9ib5Yk3yJpUc=
=dv8x
-----END PGP SIGNATURE-----
UPDATE: VMSA-2015-0007.3 – VMware vCenter and ESXi updates address critical security issues
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2015-0007.3
Synopsis: VMware vCenter and ESXi updates address critical security
issues
Issue date: 2015-10-01
Updated on: 2016-02-12
CVE number: CVE-2015-5177 CVE-2015-2342 CVE-2015-1047
- ------------------------------------------------------------------------
1. Summary
VMware vCenter and ESXi updates address critical security issues.
NOTE: See section 3.b for a critical update on an incomplete fix
for the JMX RMI issue.
2. Relevant Releases
VMware ESXi 5.5 without patch ESXi550-201509101-SG
VMware ESXi 5.1 without patch ESXi510-201510101-SG
VMware ESXi 5.0 without patch ESXi500-201510101-SG
VMware vCenter Server 6.0 prior to version 6.0.0b
VMware vCenter Server 5.5 prior to version 5.5 update 3
VMware vCenter Server 5.1 prior to version 5.1 update u3b
VMware vCenter Server 5.0 prior to version 5.0 update u3e
3. Problem Description
a. VMware ESXi OpenSLP Remote Code Execution
VMware ESXi contains a double free flaw in OpenSLP's
SLPDProcessMessage() function. Exploitation of this issue may
allow an unauthenticated attacker to remotely execute code on
the ESXi host.
VMware would like to thank Qinghao Tang of QIHU 360 for reporting
this issue to us.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the identifier CVE-2015-5177 to this issue.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware    Product  Running  Replace with/
Product   Version  on       Apply Patch
========  =======  =======  ======================
ESXi      6.0      ESXi     not affected
ESXi      5.5      ESXi     ESXi550-201509101-SG*
ESXi      5.1      ESXi     ESXi510-201510101-SG
ESXi      5.0      ESXi     ESXi500-201510101-SG
* Customers who have installed the complete set of ESXi 5.5 U3
Bulletins, please review VMware KB 2133118. KB 2133118 documents
a known non-security issue and provides a solution.
b. VMware vCenter Server JMX RMI Remote Code Execution
VMware vCenter Server contains a remotely accessible JMX RMI
service that is not securely configured. An unauthenticated remote
attacker who is able to connect to the service may be able to use
it to execute arbitrary code on the vCenter Server. A local attacker
may be able to elevate their privileges on vCenter Server.
vCenter Server Appliance (vCSA) 5.1, 5.5 and 6.0 have remote access
to the JMX RMI service (port 9875) blocked by default.
VMware would like to thank Doug McLeod of 7 Elements Ltd and an
anonymous researcher working through HP's Zero Day Initiative for
reporting this issue to us.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the identifier CVE-2015-2342 to this issue.
CRITICAL UPDATE
VMSA-2015-0007.2 and earlier versions of this advisory documented
that CVE-2015-2342 was addressed in vCenter Server 5.0 U3e,
5.1 U3b, and 5.5 U3. Subsequently, it was found that the fix for
CVE-2015-2342 in vCenter Server 5.0 U3e, 5.1 U3b, and
5.5 U3/U3a/U3b running on Windows was incomplete and did not
address the issue.
In order to address the issue on these versions of vCenter Server
Windows, an additional patch must be installed. This additional
patch is available from VMware Knowledge Base (KB) article
2144428.
In case the Windows Firewall is enabled on the system that has
vCenter Server Windows installed, remote exploitation of
CVE-2015-2342 is not possible. Even if the Windows Firewall is
enabled, users are advised to install the additional patch in
order to remove the local privilege elevation.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware                 Product  Running  Replace with/
Product                Version  on       Apply Patch
=====================  =======  =======  =====================
VMware vCenter Server  6.0      Any      6.0.0b and above
VMware vCenter Server  5.5      Windows  5.5 U3/U3a/U3b + KB*
VMware vCenter Server  5.5      Linux    5.5 U3 and above
VMware vCenter Server  5.1      Windows  5.1 U3b + KB*
VMware vCenter Server  5.1      Linux    5.1 U3b
VMware vCenter Server  5.0      Windows  5.0 U3e + KB*
VMware vCenter Server  5.0      Linux    5.0 U3e
* An additional patch provided in VMware KB article 2144428 must be
installed on vCenter Server Windows 5.0 U3e, 5.1 U3b, 5.5 U3,
5.5 U3a, and 5.5 U3b in order to remediate CVE-2015-2342.
c. VMware vCenter Server vpxd denial-of-service vulnerability
VMware vCenter Server does not properly sanitize long heartbeat
messages. Exploitation of this issue may allow an unauthenticated
attacker to create a denial-of-service condition in the vpxd
service.
VMware would like to thank the Google Security Team for reporting
this issue to us.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the identifier CVE-2015-1047 to this issue.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware                 Product  Running  Replace with/
Product                Version  on       Apply Patch
=====================  =======  =======  =============
VMware vCenter Server  6.0      Any      not affected
VMware vCenter Server  5.5      Any      5.5u2
VMware vCenter Server  5.1      Any      5.1u3
VMware vCenter Server  5.0      Any      5.0u3e
4. Solution
Please review the patch/release notes for your product and version
and verify the checksum of your downloaded file.
ESXi
--------------------------------
Downloads:
https://www.vmware.com/patchmgr/findPatch.portal
Documentation:
http://kb.vmware.com/kb/2110247
http://kb.vmware.com/kb/2114875
http://kb.vmware.com/kb/2120209
vCenter Server
--------------------------------
Downloads and Documentation:
https://www.vmware.com/go/download-vsphere
5. References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5177
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2342
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1047
VMware Knowledge Base articles
http://kb.vmware.com/kb/2133118
http://kb.vmware.com/kb/2144428
- ------------------------------------------------------------------------
6. Change log
2015-10-01 VMSA-2015-0007
Initial security advisory in conjunction with ESXi 5.0, 5.1 patches
and VMware vCenter Server 5.1 u3b, 5.0 u3e on 2015-10-01.
2015-10-06 VMSA-2015-0007.1
Updated security advisory in conjunction with the release of ESXi 5.5
U3a on 2015-10-06. Added a note to section 3.a to alert customers to
a non-security issue in ESXi 5.5 U3 that is addressed in ESXi 5.5 U3a.
2015-10-20 VMSA-2015-0007.2
Updated security advisory to reflect that CVE-2015-2342 is fixed in
an earlier vCenter Server version (6.0.0b) than originally reported
(6.0 U1) and that the port required to exploit the vulnerability is
blocked in the appliance versions of the software (5.1 and above).
2016-02-12 VMSA-2015-0007.3
Updated security advisory to add that an additional patch is required
on vCenter Server 5.0 U3e, 5.1 U3b and 5.5 U3/U3a/U3b running on
Windows to remediate CVE-2015-2342.
- ------------------------------------------------------------------------
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
security-announce at lists.vmware.com
bugtraq at securityfocus.com
fulldisclosure at seclists.org
E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
Consolidated list of VMware Security Advisories
http://kb.vmware.com/kb/2078735
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
Twitter
https://twitter.com/VMwareSRC
Copyright 2015 VMware Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8
wj8DBQFWvTQqDEcm8Vbi9kMRAkhBAKCSCqHSSP82LIsaC+beM5r+Q6ejDQCdHnWP
DUtRKtmwr/O4WJNXCeir0rU=
=zEcD
-----END PGP SIGNATURE-----
UPDATE VMSA-2015-0009.1 VMware product updates address a critical deserialization vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2015-0009.1
Synopsis: VMware product updates address a critical deserialization
vulnerability
Issue date: 2015-12-18
Updated on: 2016-01-29
CVE number: CVE-2015-6934
- ------------------------------------------------------------------------
1. Summary
VMware product updates address a critical deserialization
vulnerability
2. Relevant Releases
vRealize Orchestrator 6.x
vCenter Orchestrator 5.x
3. Problem Description
a. Deserialization vulnerability
A deserialization vulnerability involving Apache Commons-collections
and a specially constructed chain of classes exists. Successful
exploitation could result in remote code execution, with the
permissions of the application using the Commons-collections library.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the identifier CVE-2015-6934 to this issue.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware                   Product  Running  Replace with/
Product                  Version  on       Apply Patch
=======================  =======  =======  =================
vRealize Orchestrator    7.0      Any      Not Affected
vRealize Orchestrator    6.x      Any      See KB2141244
vCenter Orchestrator     5.x      Any      See KB2141244
vRealize Operations      6.x      Windows  6.2 *
vCenter Operations       5.x      Windows  Patch Pending *
vCenter Application      7.x      Any      Patch Pending *
Discovery Manager (vADM)
* Exploitation of the issue on vRealize Operations, vCenter
Operations, and vCenter Application Discovery Manager is limited to
local privilege escalation.
4. Solution
Please review the patch/release notes for your product and
version and verify the checksum of your downloaded file.
vRealize Orchestrator 6.x and
vCenter Orchestrator 5.x
Downloads and Documentation:
http://kb.vmware.com/kb/2141244
vRealize Operations 6.x
Release Notes
http://pubs.vmware.com/Release_Notes/en/vrops/62/vrops-62-release-notes.html
5. References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6934
- ------------------------------------------------------------------------
6. Change log
2015-12-18 VMSA-2015-0009
Initial security advisory in conjunction with the release of vRealize
Orchestrator 6.x and vCenter Orchestrator 5.x patches on 2015-12-18.
2016-01-29 VMSA-2015-0009.1
Updated security advisory in conjunction with the release of vRealize
Operations 6.2 on 2016-01-28. Added a note below the table in
section 3.a that exploitation of this issue in vCenter Application
Discovery Manager is limited to local privilege escalation.
- ------------------------------------------------------------------------
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
security-announce at lists.vmware.com
bugtraq at securityfocus.com
fulldisclosure at seclists.org
E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
Consolidated list of VMware Security Advisories
http://kb.vmware.com/kb/2078735
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
Twitter
https://twitter.com/VMwareSRC
Copyright 2015 VMware Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8
wj8DBQFWrAG7DEcm8Vbi9kMRAtUyAKDqGd2Fz3bzBP5GgS3VG1pXQhbDhgCg+8YK
pyrJ72cxfEW0TguF2XCNGLQ=
=+MxM
-----END PGP SIGNATURE-----
_______________________________________________
Security-announce mailing list
Security-announce-xEzmwC/hc7si8rCdYzckzA< at >public.gmane.org
http://lists.vmware.com/mailman/listinfo/security-announce