-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID: VMSA-2015-0003.5
Synopsis:    VMware product updates address critical information
             disclosure issue in JRE.
Issue date:  2015-04-02
Updated on:  2015-04-23
CVE number:  CVE-2014-6593, for other CVEs see JRE reference
- ------------------------------------------------------------------------

1. Summary

   VMware product updates address critical information disclosure issue
   in JRE.

2. Relevant Releases

   Horizon View 6.x or 5.x
   Horizon Workspace Portal Server 2.1 or 2.0
   Horizon DaaS Platform 6.1.4 or 5.4.5
   vCloud Connector 2.7
   vCloud Usage Meter 3.3
   vCenter Site Recovery Manager prior to 5.5.1.5
   vCenter Server 6.0 and 5.5
   vRealize Operations Manager 6.0
   vCenter Operations Manager 5.8.x or 5.7.x
   vRealize Application Services 6.2 or 6.1
   vCloud Application Director 6.0
   vRealize Automation 6.2 or 6.1
   vCloud Automation Center 6.0.1
   vSphere Replication prior to 5.8.0.2, 5.6.0.3 or 5.5.1.5
   vRealize Automation 6.2.x or 6.1.x
   vRealize Code Stream 1.1 or 1.0
   vFabric Postgres 9.3.6.0, 9.2.10.0 or 9.1.15.0
   vRealize Hyperic 5.8.x, 5.7.x or 5.0.x
   vSphere AppHA prior to 1.1.x
   vCenter Chargeback Manager 2.7 or 2.6
   vRealize Business Adv/Ent 8.1 or 8.0
   vRealize Business Standard prior to 1.1.x or 1.0.x
   NSX for Multi-Hypervisor prior to 4.2.4
   vCloud Director prior to 5.5.3
   vCloud Director Service Providers prior to 5.6.4.1
   vRealize Configuration Manager 5.7.x or 5.6.x
   vRealize Infrastructure 5.8 or 5.7
   vRealize Orchestrator 6.0 or 5.5
   vRealize Log Insight 2.5, 2.0, 1.5 or 1.0
   vSphere Update Manager 6.0 or 5.5

3. Problem Description

   a. Oracle JRE Update

   Oracle JRE is updated in VMware products to address a critical
   security issue that existed in earlier releases of Oracle JRE.

   VMware products running JRE 1.7 Update 75 or newer and JRE 1.6
   Update 91 or newer are not vulnerable to CVE-2014-6593, as documented
   in the Oracle Java SE Critical Patch Update Advisory of January 2015.
   This advisory also includes the other security issues that are
   addressed in JRE 1.7 Update 75 and JRE 1.6 Update 91. The References
   section provides a link to the JRE advisory.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the identifier CVE-2014-6593 to this issue. This issue is
   also known as "SKIP" or "SKIP-TLS".

   Column 4 of the following table lists the action required to
   remediate the vulnerability in each release, if a solution is
   available.

   VMware Product                          Product   Running  Replace with/
                                           Version   on       Apply Patch**
   ======================================  ========  =======  =================
   Horizon View                            6.x       any      6.1
   Horizon View                            5.x       any      5.3.4
   Horizon Workspace Portal Server         2.1, 2.0  any      2.1.1
   Horizon DaaS Platform                   6.1       any      6.1.4
   Horizon DaaS Platform                   6.0       any      patch pending
   Horizon DaaS Platform                   5.4       any      5.4.5
   vCloud Networking and Security          5.5       any      patch pending*
   vCloud Connector                        2.7       any      2.7.1*
   vCloud Usage Meter                      3.3       any      3.3.3*
   vCenter Site Recovery Manager           5.5.x     any      5.5.1.5***
   vCenter Site Recovery Manager           5.1.x     any      patch pending***
   vCenter Site Recovery Manager           5.0.x     any      patch pending***
   vCenter Server                          6.0       any      6.0.0a
   vCenter Server                          5.5       any      Update 2e
   vCenter Server                          5.1       any      patch pending
   vCenter Server                          5.0       any      patch pending
   vRealize Operations Manager             6.0       any      KB2111898
   vCenter Operations Manager              5.8.x     any      KB2111172
   vCenter Operations Manager              5.7.x     any      KB2111172
   vCenter Support Assistant               5.5.1.x   any      patch pending
   vRealize Application Services           6.2       any      KB2111981
   vRealize Application Services           6.1       any      KB2111981
   vCloud Application Director             6.0       any      KB2111981
   vCloud Application Director             5.2       any      KB2111981
   vRealize Automation                     6.2       any      KB2111658
   vRealize Automation                     6.1       any      KB2111658
   vCloud Automation Center                6.0.1     any      KB2111658
   vRealize Code Stream                    1.1       any      KB2111658
   vRealize Code Stream                    1.0       any      KB2111658
   vPostgres                               9.3.x     any      9.3.6.0
   vPostgres                               9.2.x     any      9.2.10.0
   vPostgres                               9.1.x     any      9.1.15.0
   vSphere Replication                     5.8.1     any      patch pending
   vSphere Replication                     5.8.0     any      5.8.0.2
   vSphere Replication                     5.6.0     any      5.6.0.3
   vSphere Replication                     5.5.0     any      5.5.1.5
   vSphere Replication                     5.1       any      patch pending
   vSphere Storage Appliance               5.x       any      patch pending*
   vRealize Hyperic                        5.8       any      KB2111337
   vRealize Hyperic                        5.7       any      KB2111337
   vRealize Hyperic                        5.0       any      KB2111337
   vSphere AppHA                           1.1       any      KB2111336
   vSphere Big Data Extensions             2.1       any      patch pending*
   vSphere Big Data Extensions             2.0       any      patch pending*
   vSphere Data Protection                 6.0       any      patch pending*
   vSphere Data Protection                 5.8       any      patch pending*
   vSphere Data Protection                 5.5       any      patch pending*
   vSphere Data Protection                 5.1       any      patch pending*
   vCenter Chargeback Manager              2.7       any      KB2112011*
   vCenter Chargeback Manager              2.6       any      KB2113178*
   vRealize Business Adv/Ent               8.1       any      KB2112258*
   vRealize Business Adv/Ent               8.0       any      KB2112258*
   vRealize Business Standard              6.0       any      KB2111802
   vRealize Business Standard              1.1       any      KB2111802
   vRealize Business Standard              1.0       any      KB2111802
   NSX for vSphere                         6.1       any      patch pending*
   NSX for Multi-Hypervisor                4.2       any      4.2.4*
   vCloud Director                         5.5.x     any      5.5.3*
   vCloud Director For Service Providers   5.6.4     any      5.6.4.1*
   vCenter Application Discovery Manager   7.0       any      patch pending*
   vRealize Configuration Manager          5.7.x     any      KB2111670
   vRealize Configuration Manager          5.6       any      KB2111670
   vRealize Infrastructure Navigator       5.8       any      5.8.4
   vRealize Infrastructure Navigator       5.7       any      KB2111334*
   vRealize Orchestrator                   6.0       any      KB2112028*
   vRealize Orchestrator                   5.5       any      KB2112028*
   vRealize Orchestrator                   5.2       any      patch pending*
   vRealize Orchestrator                   5.1       any      patch pending*
   vShield                                 5.5       any      patch pending*
   vRealize Log Insight                    2.5       any      KB2113235*
   vRealize Log Insight                    2.0       any      KB2113235*
   vRealize Log Insight                    1.5       any      KB2113235*
   vRealize Log Insight                    1.0       any      KB2113235*
   vSphere Management Assistant            5.x       any      patch pending
   vSphere Update Manager                  6.0       any      6.0.0a*
   vSphere Update Manager                  5.5       any      Update 2e*
   vSphere Update Manager                  5.1       any      patch pending*
   vSphere Update Manager                  5.0       any      patch pending*

   * The severity of critical is lowered to important for this product
     as it is not considered Internet facing.

   ** Knowledge Base (KB) articles provide details of the patches and how
      to install them.

   *** vCenter Site Recovery Manager 5.0, 5.1, and 5.5 themselves do not
       include JRE, but they include the vSphere Replication appliance,
       which has JRE. vCenter Site Recovery Manager 5.8 and 6.0 do not
       include JRE nor the vSphere Replication appliance.

4. Solution

   Please review the patch/release notes for your product and version and
   verify the checksum of your downloaded file.

   Horizon View 6.1, 5.3.4
   =======================
   Downloads:
   https://my.vmware.com/web/vmware/details?downloadGroup=VIEW-610-GA&productId=492
   https://my.vmware.com/web/vmware/details?downloadGroup=VIEW-534-PREMIER&productId=396

   VMware Workspace Portal 2.1.1
   =============================
   Download:
   https://my.vmware.com/web/vmware/details?downloadGroup=HZNWS211&productId=501&rPId=7586
   Documentation:
   https://www.vmware.com/support/horizon_workspace/doc/wp_release_notes_211.html

   Horizon DaaS Platform 6.1.4
   ===========================
   Download:
   https://my.vmware.com/web/vmware/details?downloadGroup=HORIZON-DAAS-610-BIN&productId=405&rPId=6527

   Horizon DaaS Platform 5.4.5
   ===========================
   Download:
   https://my.vmware.com/web/vmware/details?downloadGroup=HORIZON-DAAS-ONPREM-540&productId=398&rPId=5214

   vCloud Connector 2.7.1
   ======================
   Downloads and Documentation:
   http://www.vmware.com/support/hybridcloud/doc/hybridcloud_271_rel_notes.html

   vCloud Usage Meter 3.3.3
   ========================
   Downloads:
   https://my.vmware.com/en/group/vmware/get-download?downloadGroup=UMSV333

   vCenter Site Recovery Manager 5.5.1.5
   =====================================
   Downloads:
   https://my.vmware.com/web/vmware/details?downloadGroup=SRM5515&productId=357&rPId=7774
   Documentation:
   https://www.vmware.com/support/srm/srm-releasenotes-5-5-1.html

   vCenter Server 6.0, 5.5
   =======================
   Downloads and Documentation:
   https://www.vmware.com/go/download-vsphere

   vRealize Operations Manager 6.0.1
   =================================
   Downloads and Documentation:
   http://kb.vmware.com/kb/2111898

   vRealize Application Services 6.2, 6.1
   ======================================
   Downloads and Documentation:
   http://kb.vmware.com/kb/2111981

   NSX for Multi-Hypervisor 4.2.4
   ==============================
   Downloads and Documentation:
   https://my.vmware.com/web/vmware/info/slug/networking_security/vmware_nsx/4_x

   vCloud Application Director 6.0
   ===============================
   Downloads and Documentation:
   http://kb.vmware.com/kb/2111981

   vCloud Director for Service Providers 5.6.4.1
   =============================================
   Downloads and Documentation:
   https://www.vmware.com/support/pubs/vcd_sp_pubs.html

   vCenter Operations Manager 5.8.5, 5.7.4
   =======================================
   Downloads and Documentation:
   http://kb.vmware.com/kb/2111172

   vCloud Automation Center 6.0.1.2
   ================================
   Downloads and Documentation:
   http://kb.vmware.com/kb/2111685

   vSphere Replication 5.8.0.2, 5.6.0.3, 5.5.1.5
   =============================================
   Downloads:
   https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5802
   https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5603
   https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5515
   Documentation:
   http://kb.vmware.com/kb/2112025
   http://kb.vmware.com/kb/2112022

   vRealize Automation 6.2.1, 6.1.1
   ================================
   Downloads and Documentation:
   http://kb.vmware.com/kb/2111658

   vRealize Code Stream 1.1, 1.0
   =============================
   Downloads and Documentation:
   http://kb.vmware.com/kb/2111685

   vFabric Postgres
   ================
   Downloads:
   https://my.vmware.com/group/vmware/details?downloadGroup=VFPG_936&productId=373&rPId=7787
   https://my.vmware.com/group/vmware/details?downloadGroup=VFPG_92_10&productId=325&rPId=7788
   https://my.vmware.com/group/vmware/details?downloadGroup=VFPG_91_15&productId=274&rPId=7789

   vRealize Hyperic 5.8.4, 5.7.2, 5.0.3
   ====================================
   Downloads and Documentation:
   http://kb.vmware.com/kb/KB2111337

   vSphere AppHA 1.1.1
   ===================
   Downloads and Documentation:
   http://kb.vmware.com/kb/2111336

   vCenter Chargeback Manager 2.7
   ==============================
   Downloads and Documentation:
   http://kb.vmware.com/kb/2112011

   vCenter Chargeback Manager 2.6
   ==============================
   Downloads and Documentation:
   http://kb.vmware.com/kb/2113178

   vRealize Business Adv/Ent 8.1, 8.0
   ==================================
   Downloads and Documentation:
   http://kb.vmware.com/kb/2112258

   vRealize Business Standard 6.0, 1.1, 1.0
   ========================================
   Downloads and Documentation:
   http://kb.vmware.com/kb/2111802

   vRealize Configuration Manager 5.7.3
   ====================================
   Downloads and Documentation:
   http://kb.vmware.com/kb/2111670

   vRealize Infrastructure Navigator 5.8.4
   =======================================
   Download:
   https://my.vmware.com/web/vmware/details?downloadGroup=VIN_584&productId=476

   vRealize Infrastructure Navigator 5.7
   =====================================
   Downloads and Documentation:
   http://kb.vmware.com/kb/2111334

   vRealize Orchestrator 6.0, 5.5
   ==============================
   Downloads and Documentation:
   http://kb.vmware.com/kb/2112028

   vSphere Update Manager 6.0, 5.5
   ===============================
   Downloads and Documentation:
   https://www.vmware.com/go/download-vsphere

5. References

   CVE-2014-6593:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6593

   JRE: Oracle Java SE Critical Patch Update Advisory of January 2015
   http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html

- ------------------------------------------------------------------------

6. Change log

   2015-04-02 VMSA-2015-0003
   Initial security advisory in conjunction with the release of VMware
   Horizon View 6.1, 5.3.4; vCenter Operations Manager 5.8.5; vCenter
   Operations Manager 5.7.4; vCloud Automation Center 6.0.1.2; vSphere
   Replication 5.8.0.2, 5.6.0.3; vRealize Automation 6.2.1, 6.1.1;
   vRealize Code Stream 1.1, 1.0; vRealize Hyperic 5.8.4, 5.7.2, 5.0.3;
   vSphere AppHA 1.1.1; vRealize Business Standard 1.1.1, 1.0.1;
   vRealize Configuration Manager prior to 5.7.3; vRealize
   Infrastructure 5.7, 5.8.4. Patches released on 2015-04-02.

   2015-04-09 VMSA-2015-0003.1
   Updated security advisory in conjunction with the release of VMware
   Horizon DaaS Platform 6.1.4, 5.4.5; vRealize Operations Manager 6.0;
   vRealize Application Services 6.2; vRealize Application Services 6.1;
   vCloud Application Director 6.0; vCenter Chargeback Manager 2.7, 2.6;
   vCloud Director For Service Providers 5.6.4.1; vRealize Log Insight
   2.5, 2.0, 1.5, 1.0. Patches released on 2015-04-09.

   2015-04-13 VMSA-2015-0003.2
   Updated security advisory in conjunction with the release of vRealize
   Business Adv/Ent 8.1, 8.0. Patches released on 2015-04-13.

   2015-04-16 VMSA-2015-0003.3
   Updated security advisory in conjunction with the release of vCloud
   Connector 2.7.1; vCloud Usage Meter 3.3.3; vCenter Server 6.0, 5.5;
   vSphere Update Manager 6.0, 5.5. Patches released on 2015-04-16.

   2015-04-17 VMSA-2015-0003.4
   Updated security advisory in conjunction with the release of vCenter
   Site Recovery Manager 5.5.1.5. Patches released on 2015-04-16.

   2015-04-23 VMSA-2015-0003.5
   Updated security advisory in conjunction with the release of NSX for
   Multi-Hypervisor 4.2.4 and vFabric Postgres 9.3.6.0, 9.2.10.0 or
   9.1.15.0. Patches released on 2015-04-23.

- ------------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:
   security-announce at lists.vmware.com
   bugtraq at securityfocus.com
   fulldisclosure at seclists.org

   E-mail: security at vmware.com
   PGP key at: http://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   Consolidated list of VMware Security Advisories
   http://kb.vmware.com/kb/2078735

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html

   Twitter
   https://twitter.com/VMwareSRC

   Copyright 2015 VMware Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.3.0 (Build 8741)
Charset: utf-8

wj8DBQFVObOnDEcm8Vbi9kMRAr1HAJ9udQwus+7YTSzrgGXBrKrdU6YifgCfSdpn
epARCURCPOcBjEgKuZB9BB0=
=RfXq
-----END PGP SIGNATURE-----
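Added example (not from the VMware advisory): a Python check that applies the section 3.a threshold (JRE 1.7 Update 75 / JRE 1.6 Update 91) to `java -version` banners collected from appliances, so an operator can triage which hosts still need the table's patch. Host names and banners are constructed, and JRE families the advisory does not list are reported as "not covered" rather than guessed.

```python
"""Triage JRE builds against the fixed levels in VMSA-2015-0003 (CVE-2014-6593).

Added example, not part of the VMware advisory. It applies only the two
thresholds the advisory states (JRE 1.7 Update 75 and JRE 1.6 Update 91); any
other JRE family is reported as "not covered" instead of being guessed.
"""
import re
from typing import Dict, Optional, Tuple

# Minimum update level per JRE family, from section 3.a of the advisory.
FIXED_UPDATE: Dict[Tuple[int, int], int] = {
    (1, 6): 91,
    (1, 7): 75,
}

# First line printed by `java -version` on these releases, for example:
#   java version "1.7.0_65"
#   java version "1.7.0_75-b13"
# JRE 6/7 write this banner to stderr, so capture both streams when collecting.
_VERSION_RE = re.compile(
    r'(?:java|openjdk) version "(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)'
    r'(?:_(?P<update>\d+))?'
)


def parse_java_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, update) from a `java -version` banner, or None.

    A build with no "_NN" suffix (a GA release before any update) counts as
    update 0, which is below both thresholds.
    """
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    update = int(m.group("update")) if m.group("update") else 0
    return int(m.group("major")), int(m.group("minor")), update


def assess(banner: str) -> str:
    """Classify one JRE: 'fixed', 'vulnerable', 'not covered' or 'unparsed'."""
    parsed = parse_java_version(banner)
    if parsed is None:
        return "unparsed"
    major, minor, update = parsed
    threshold = FIXED_UPDATE.get((major, minor))
    if threshold is None:
        return "not covered"  # the advisory states no threshold for this family
    return "fixed" if update >= threshold else "vulnerable"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host name -> status for a dict of captured `java -version` output."""
    return {host: assess(banner) for host, banner in inventory.items()}


# Constructed sample inventory (hypothetical host names and banners).
SAMPLE_INVENTORY = {
    "vcenter-01": 'java version "1.7.0_65"\n'
                  'Java(TM) SE Runtime Environment (build 1.7.0_65-b17)\n',
    "vra-appliance": 'java version "1.7.0_75-b13"\n',
    "vco-legacy": 'java version "1.6.0_45"\n',
    "vsr-appliance": 'java version "1.6.0_91"\n',
    "jenkins-build": 'openjdk version "1.8.0_31"\n',
    "windows-host": "'java' is not recognized as an internal or external command\n",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:15} {status}")
```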
Downloads and Documentation:
http://kb.vmware.com/kb/2111981

vCloud Director for Service Providers 5.6.4.1
=============================================
Downloads and Documentation:
https://www.vmware.com/support/pubs/vcd_sp_pubs.html

vCenter Operations Manager 6.0, 5.8.5, 5.7.4
============================================
Downloads and Documentation:
http://kb.vmware.com/kb/2111172

vCloud Automation Center 6.0.1.2
================================
Downloads and Documentation:
http://kb.vmware.com/kb/2111685

vSphere Replication 5.8.0.2, 5.6.0.3
====================================
Downloads:
https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5802
https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5603
Documentation:
http://kb.vmware.com/kb/2112025
http://kb.vmware.com/kb/2112022

vRealize Automation 6.2.1, 6.1.1
================================
Downloads and Documentation:
http://kb.vmware.com/kb/2111658

vRealize Code Stream 1.1, 1.0
=============================
Downloads and Documentation:
http://kb.vmware.com/kb/2111685

vRealize Hyperic 5.8.4, 5.7.2, 5.0.3
====================================
Downloads and Documentation:
http://kb.vmware.com/kb/KB2111337

vSphere AppHA 1.1.1
===================
Downloads and Documentation:
http://kb.vmware.com/kb/2111336

vCenter Chargeback Manager 2.7
==============================
Downloads and Documentation:
http://kb.vmware.com/kb/2112011

vCenter Chargeback Manager 2.6
==============================
Downloads and Documentation:
http://kb.vmware.com/kb/2113178

vRealize Business Adv/Ent 8.1, 8.0
==================================
Downloads and Documentation:
http://kb.vmware.com/kb/2112258

vRealize Business Standard 6.0, 1.1, 1.0
========================================
Downloads and Documentation:
http://kb.vmware.com/kb/2111802

vRealize Configuration Manager 5.7.3
====================================
Downloads and Documentation:
http://kb.vmware.com/kb/2111670

vRealize Infrastructure Navigator 5.8.4
=======================================
Download:
https://my.vmware.com/web/vmware/details?downloadGroup=VIN_584&productId=476

vRealize Infrastructure Navigator 5.7
=====================================
Downloads and Documentation:
http://kb.vmware.com/kb/2111334

vSphere Update Manager 6.0, 5.5
===============================
Downloads and Documentation:
https://www.vmware.com/go/download-vsphere

5. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6593

JRE Oracle Java SE Critical Patch Update Advisory of January 2015
http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html

- ------------------------------------------------------------------------

6. Change log

2015-04-02 VMSA-2015-0003
Initial security advisory in conjunction with the release of VMware
Horizon View 6.1, 5.3.4; vCenter Operations Manager 5.8.5; vCenter
Operations Manager 5.7.4; vCloud Automation Center 6.0.1.2; vSphere
Replication 5.8.0.2, 5.6.0.3; vRealize Automation 6.2.1, 6.1.1;
vRealize Code Stream 1.1, 1.0; vRealize Hyperic 5.8.4, 5.7.2, 5.0.3;
vSphere AppHA 1.1.1; vRealize Business Standard 1.1.1, 1.0.1; vRealize
Configuration Manager prior to 5.7.3; vRealize Infrastructure 5.7, 5.8.4.
Patches released on 2015-04-02.

2015-04-09 VMSA-2015-0003.1
Updated security advisory in conjunction with the release of VMware
Horizon DaaS Platform 6.1.4, 5.4.5; vRealize Operations Manager 6.0;
vRealize Application Services 6.2; vRealize Application Services 6.1;
vCloud Application Director 6.0; vCenter Chargeback Manager 2.7, 2.6;
vCloud Director For Service Providers 5.6.4.1; vRealize Log Insight 2.5,
2.0, 1.5, 1.0.
Patches released on 2015-04-09.

2015-04-13 VMSA-2015-0003.2
Updated security advisory in conjunction with the release of vRealize
Business Adv/Ent 8.1, 8.0.
Patches released on 2015-04-13.

2015-04-16 VMSA-2015-0003.3
Updated security advisory in conjunction with the release of vCloud
Connector 2.7.1; vCloud Usage Meter 3.3.3; vCenter Server 6.0, 5.5;
vSphere Update Manager 6.0, 5.5.
Patches released on 2015-04-16.

- ------------------------------------------------------------------------

7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:
security-announce at lists.vmware.com
bugtraq at securityfocus.com
fulldisclosure at seclists.org

E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055

VMware Security Advisories
http://www.vmware.com/security/advisories

Consolidated list of VMware Security Advisories
http://kb.vmware.com/kb/2078735

VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html

VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html

Twitter
https://twitter.com/VMwareSRC

Copyright 2015 VMware Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.3.0 (Build 8741)
Charset: utf-8

wj8DBQFVMH60DEcm8Vbi9kMRAnvzAJ99bwjrMsOLltGDjRbEPYqPWfs4VQCfV8E7
h//De9PAIowPY1K6fQ3pFHs=
=ShdE
-----END PGP SIGNATURE-----
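A practical check that follows from the JRE fix levels named in the Problem Description (JRE 1.7 Update 75 and JRE 1.6 Update 91 are not affected by CVE-2014-6593): classify what a host reports from `java -version`. This is an added example, not code from VMware or Oracle. It assumes the classic `java version "1.x.0_NN"` output format of JRE 6 and 7; the host names, sample version lines and function names are constructed for illustration, and the check says nothing about Java families the advisory does not name.

```python
"""Classify Java runtime version strings against the JRE fix levels named
in VMSA-2015-0003: JRE 1.7 Update 75 and JRE 1.6 Update 91 (CVE-2014-6593).

Added example, not VMware's or Oracle's code. It assumes the classic
`java version "1.x.0_NN"` output format of JRE 6/7 and takes the
thresholds from the advisory text; all sample lines are constructed.
"""
import re
import subprocess
from collections import Counter
from typing import Dict, Iterable, Optional, Tuple

# Minimum update level per family at which the advisory says CVE-2014-6593
# is fixed. Families not listed (for example 1.8) are outside its scope.
PATCHED_UPDATE: Dict[str, int] = {"1.6": 91, "1.7": 75}

# First line of `java -version`, e.g.  java version "1.7.0_75"
# or  openjdk version "1.6.0_91".  The update number is optional: a bare
# "1.7.0" is treated as update 0.
_VERSION_RE = re.compile(
    r'version\s+"(?P<family>1\.[0-9]+)\.[0-9]+(?:_(?P<update>[0-9]+))?'
)


def parse_java_version(line: str) -> Optional[Tuple[str, int]]:
    """Return (family, update) from a `java -version` line, or None."""
    m = _VERSION_RE.search(line)
    if m is None:
        return None
    update = int(m.group("update")) if m.group("update") else 0
    return m.group("family"), update


def assess(line: str) -> str:
    """Map one version line to 'patched', 'vulnerable', 'not-covered'
    (family not named in the advisory) or 'unparsable'."""
    parsed = parse_java_version(line)
    if parsed is None:
        return "unparsable"
    family, update = parsed
    threshold = PATCHED_UPDATE.get(family)
    if threshold is None:
        return "not-covered"
    return "patched" if update >= threshold else "vulnerable"


def summarize(inventory: Iterable[Tuple[str, str]]) -> Dict[str, int]:
    """Count outcomes over (host, version_line) pairs, e.g. from an
    inventory dump of `java -version` output gathered per appliance."""
    return dict(Counter(assess(line) for _host, line in inventory))


def assess_local_jre(java: str = "java") -> str:
    """Run `java -version` on this host (it prints to stderr) and assess
    the first line. A missing binary is reported as 'unparsable'."""
    try:
        proc = subprocess.run([java, "-version"], capture_output=True,
                              text=True, check=False)
    except OSError:
        return "unparsable"
    lines = (proc.stderr or proc.stdout).splitlines()
    return assess(lines[0]) if lines else "unparsable"


# Constructed sample inventory (not real data) covering every branch.
SAMPLE_INVENTORY = [
    ("appliance-a", 'java version "1.7.0_75"'),      # exactly at the fix level
    ("appliance-b", 'java version "1.7.0_72"'),      # below 7u75
    ("appliance-c", 'openjdk version "1.6.0_91"'),   # 6u91 fix level
    ("appliance-d", 'java version "1.6.0_45"'),      # below 6u91
    ("appliance-e", 'java version "1.8.0_40"'),      # family not in the advisory
    ("appliance-f", 'java version "9.0.1"'),         # newer format, not parsed
]

if __name__ == "__main__":
    for host, line in SAMPLE_INVENTORY:
        print(f"{host:12} {line:30} -> {assess(line)}")
    print("summary:", summarize(SAMPLE_INVENTORY))
    print("this host:", assess_local_jre())
```

A result of "not-covered" or "unparsable" is not a clean bill of health; it only means the advisory's two stated thresholds do not apply to that string. The product table above remains the authoritative remediation per product, because most of the listed products bundle their own JRE and the product patch or KB article, not a standalone JRE upgrade, is what replaces it.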
UPDATE : VMSA-2015-0003.2 – VMware product updates address critical information disclosure issue in JRE.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
VMware Security Advisory

Advisory ID: VMSA-2015-0003.2
Synopsis:    VMware product updates address critical information
             disclosure issue in JRE.
Issue date:  2015-04-02
Updated on:  2015-04-13
CVE number:  CVE-2014-6593, for other CVEs see JRE reference
- ------------------------------------------------------------------------

1. Summary

VMware product updates address critical information disclosure issue in
JRE.

2. Relevant Releases

Horizon View 6.x or 5.x
Horizon Workspace Portal Server 2.1 or 2.0
Horizon DaaS Platform 6.1.4 or 5.4.5
vRealize Operations Manager 6.0
vCenter Operations Manager 5.8.x or 5.7.x
vRealize Application Services 6.2 or 6.1
vCloud Application Director 6.0
vRealize Automation 6.2 or 6.1
vCloud Automation Center 6.0.1
vSphere Replication prior to 5.8.0.2 or 5.6.0.3
vRealize Automation 6.2.x or 6.1.x
vRealize Code Stream 1.1 or 1.0
vRealize Hyperic 5.8.x, 5.7.x or 5.0.x
vSphere AppHA prior to 1.1.x
vCenter Chargeback Manager 2.7 or 2.6
vRealize Business Adv/Ent 8.1 or 8.0
vRealize Business Standard prior to 1.1.x or 1.0.x
NSX for Multi-Hypervisor prior to 4.2.4
vCloud Director prior to 5.5.3
vCloud Director Service Providers prior to 5.6.4.1
vRealize Configuration Manager 5.7.x or 5.6.x
vRealize Infrastructure 5.8 or 5.7
vRealize Log Insight 2.5, 2.0, 1.5 or 1.0

3. Problem Description

a. Oracle JRE Update

Oracle JRE is updated in VMware products to address a critical security
issue that existed in earlier releases of Oracle JRE.

VMware products running JRE 1.7 Update 75 or newer and JRE 1.6 Update 91
or newer are not vulnerable to CVE-2014-6593, as documented in the Oracle
Java SE Critical Patch Update Advisory of January 2015.

This advisory also includes the other security issues that are addressed
in JRE 1.7 Update 75 and JRE 1.6 Update 91. The References section
provides a link to the JRE advisory.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the identifier CVE-2014-6593 to this issue. This issue is also
known as "SKIP" or "SKIP-TLS".

Column 4 of the following table lists the action required to remediate
the vulnerability in each release, if a solution is available.

VMware                                 Product   Running  Replace with/
Product                                Version   on       Apply Patch**
=====================================  ========  =======  =================
Horizon View                           6.x       any      6.1
Horizon View                           5.x       any      5.3.4
Horizon Workspace Portal Server        2.1, 2.0  any      2.1.1
Horizon DaaS Platform                  6.1       any      6.1.4
Horizon DaaS Platform                  6.0       any      patch pending
Horizon DaaS Platform                  5.4       any      5.4.5
vCloud Networking and Security         5.5       any      patch pending*
vCloud Connector                       2.7       any      patch pending*
vCloud Usage Meter                     3.3       any      patch pending*
vCenter Site Recovery Manager          5.5.x     any      patch pending***
vCenter Site Recovery Manager          5.1.x     any      patch pending***
vCenter Site Recovery Manager          5.0.x     any      patch pending***
vCenter Server                         6.0       any      patch pending
vCenter Server                         5.5       any      patch pending
vCenter Server                         5.1       any      patch pending
vCenter Server                         5.0       any      patch pending
vRealize Operations Manager            6.0       any      KB2112028
vCenter Operations Manager             5.8.x     any      KB2111172
vCenter Operations Manager             5.7.x     any      KB2111172
vCenter Support Assistant              5.5.1.x   any      patch pending
vRealize Application Services          6.2       any      KB2111981
vRealize Application Services          6.1       any      KB2111981
vCloud Application Director            6.0       any      KB2111981
vCloud Application Director            5.2       any      KB2111981
vRealize Automation                    6.2       any      KB2111658
vRealize Automation                    6.1       any      KB2111658
vCloud Automation Center               6.0.1     any      KB2111658
vRealize Code Stream                   1.1       any      KB2111658
vRealize Code Stream                   1.0       any      KB2111658
vPostgres                              9.3.x     any      patch pending
vPostgres                              9.2.x     any      patch pending
vPostgres                              9.1.x     any      patch pending
vSphere Replication                    5.8.1     any      patch pending
vSphere Replication                    5.8.0     any      5.8.0.2
vSphere Replication                    5.6.0     any      5.6.0.3
vSphere Replication                    5.1       any      patch pending
vSphere Storage Appliance              5.x       any      patch pending*
vRealize Hyperic                       5.8       any      KB2111337
vRealize Hyperic                       5.7       any      KB2111337
vRealize Hyperic                       5.0       any      KB2111337
vSphere AppHA                          1.1       any      KB2111336
vSphere Big Data Extensions            2.1       any      patch pending*
vSphere Big Data Extensions            2.0       any      patch pending*
vSphere Data Protection                6.0       any      patch pending*
vSphere Data Protection                5.8       any      patch pending*
vSphere Data Protection                5.5       any      patch pending*
vSphere Data Protection                5.1       any      patch pending*
vCenter Chargeback Manager             2.7       any      KB2112011*
vCenter Chargeback Manager             2.6       any      KB2113178*
vRealize Business Adv/Ent              8.1       any      KB2112258*
vRealize Business Adv/Ent              8.0       any      KB2112258*
vRealize Business Standard             6.0       any      KB2111802
vRealize Business Standard             1.1       any      KB2111802
vRealize Business Standard             1.0       any      KB2111802
NSX for vSphere                        6.1       any      patch pending*
NSX for Multi-Hypervisor               4.2       any      4.2.4*
vCloud Director                        5.5.x     any      5.5.3*
vCloud Director For Service Providers  5.6.4     any      5.6.4.1*
vCenter Application Discovery Manager  7.0       any      patch pending*
vRealize Configuration Manager         5.7.x     any      KB2111670
vRealize Configuration Manager         5.6       any      KB2111670
vRealize Infrastructure Navigator      5.8       any      5.8.4
vRealize Infrastructure Navigator      5.7       any      KB2111334*
vRealize Orchestrator                  6.0       any      patch pending*
vRealize Orchestrator                  5.2       any      patch pending*
vRealize Orchestrator                  5.1       any      patch pending*
vShield                                5.5       any      patch pending*
vRealize Log Insight                   2.5       any      KB2113235*
vRealize Log Insight                   2.0       any      KB2113235*
vRealize Log Insight                   1.5       any      KB2113235*
vRealize Log Insight                   1.0       any      KB2113235*
vSphere Management Assistant           5.x       any      patch pending
vSphere Update Manager                 6.0       any      patch pending*
vSphere Update Manager                 5.5       any      patch pending*
vSphere Update Manager                 5.1       any      patch pending*
vSphere Update Manager                 5.0       any      patch pending*

* The severity of critical is lowered to important for this product as it
  is not considered Internet facing.
** Knowledge Base (KB) articles provide details of the patches and how to
   install them.
*** vCenter Site Recovery Manager 5.0, 5.1, and 5.5 do not themselves
    include JRE, but they include the vSphere Replication appliance,
    which does. vCenter Site Recovery 5.8 and 6.0 include neither JRE
    nor the vSphere Replication appliance.

4. Solution

Please review the patch/release notes for your product and version and
verify the checksum of your downloaded file.

Horizon View 6.1, 5.3.4
=======================
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=VIEW-610-GA&productId=492
https://my.vmware.com/web/vmware/details?downloadGroup=VIEW-534-PREMIER&productId=396

VMware Workspace Portal 2.1.1
=============================
Download:
https://my.vmware.com/web/vmware/details?downloadGroup=HZNWS211&productId=501&rPId=7586
Documentation:
https://www.vmware.com/support/horizon_workspace/doc/wp_release_notes_211.html

Horizon DaaS Platform 6.1.4
===========================
Download:
https://my.vmware.com/web/vmware/details?downloadGroup=HORIZON-DAAS-610-BIN&productId=405&rPId=6527

Horizon DaaS Platform 5.4.5
===========================
Download:
https://my.vmware.com/web/vmware/details?downloadGroup=HORIZON-DAAS-ONPREM-540&productId=398&rPId=5214

vRealize Operations Manager 6.0.1
=================================
Downloads and Documentation:
http://kb.vmware.com/kb/2112028

vRealize Application Services 6.2, 6.1
======================================
Downloads and Documentation:
http://kb.vmware.com/kb/2111981

vCloud Application Director 6.0
===============================
Downloads and Documentation:
http://kb.vmware.com/kb/2111981

vCloud Director for Service Providers 5.6.4.1
=============================================
Downloads and Documentation:
https://www.vmware.com/support/pubs/vcd_sp_pubs.html

vCenter Operations Manager 6.0, 5.8.5, 5.7.4
============================================
Downloads and Documentation:
http://kb.vmware.com/kb/2111172

vCloud Automation Center 6.0.1.2
================================
Downloads and Documentation:
http://kb.vmware.com/kb/2111685

vSphere Replication 5.8.0.2, 5.6.0.3
====================================
Downloads:
https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5802
https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5603
Documentation:
http://kb.vmware.com/kb/2112025
http://kb.vmware.com/kb/2112022

vRealize Automation 6.2.1, 6.1.1
================================
Downloads and Documentation:
http://kb.vmware.com/kb/2111658

vRealize Code Stream 1.1, 1.0
=============================
Downloads and Documentation:
http://kb.vmware.com/kb/2111685

vRealize Hyperic 5.8.4, 5.7.2, 5.0.3
====================================
Downloads and Documentation:
http://kb.vmware.com/kb/KB2111337

vSphere AppHA 1.1.1
===================
Downloads and Documentation:
http://kb.vmware.com/kb/2111336

vCenter Chargeback Manager 2.7
==============================
Downloads and Documentation:
http://kb.vmware.com/kb/2112011

vCenter Chargeback Manager 2.6
==============================
Downloads and Documentation:
http://kb.vmware.com/kb/2113178

vRealize Business Adv/Ent 8.1, 8.0
==================================
Downloads and Documentation:
http://kb.vmware.com/kb/2112258

vRealize Business Standard 6.0, 1.1, 1.0
========================================
Downloads and Documentation:
http://kb.vmware.com/kb/2111802

vRealize Configuration Manager 5.7.3
====================================
Downloads and Documentation:
http://kb.vmware.com/kb/2111670

vRealize Infrastructure Navigator 5.8.4
=======================================
Download:
https://my.vmware.com/web/vmware/details?downloadGroup=VIN_584&productId=476

vRealize Infrastructure Navigator 5.7
=====================================
Downloads and Documentation:
http://kb.vmware.com/kb/2111334

5. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6593

JRE Oracle Java SE Critical Patch Update Advisory of January 2015
http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html

- ------------------------------------------------------------------------

6. Change log

2015-04-02 VMSA-2015-0003
Initial security advisory in conjunction with the release of VMware
Horizon View 6.1, 5.3.4; vCenter Operations Manager 5.8.5; vCenter
Operations Manager 5.7.4; vCloud Automation Center 6.0.1.2; vSphere
Replication 5.8.0.2, 5.6.0.3; vRealize Automation 6.2.1, 6.1.1;
vRealize Code Stream 1.1, 1.0; vRealize Hyperic 5.8.4, 5.7.2, 5.0.3;
vSphere AppHA 1.1.1; vRealize Business Standard 1.1.1, 1.0.1; vRealize
Configuration Manager prior to 5.7.3; vRealize Infrastructure 5.7, 5.8.4.
Patches released on 2015-04-02.

2015-04-09 VMSA-2015-0003.1
Updated security advisory in conjunction with the release of VMware
Horizon DaaS Platform 6.1.4, 5.4.5; vRealize Operations Manager 6.0;
vRealize Application Services 6.2; vRealize Application Services 6.1;
vCloud Application Director 6.0; vCenter Chargeback Manager 2.7, 2.6;
vCloud Director For Service Providers 5.6.4.1; vRealize Log Insight 2.5,
2.0, 1.5, 1.0.
Patches released on 2015-04-09.

2015-04-13 VMSA-2015-0003.2
Updated security advisory in conjunction with the release of vRealize
Business Adv/Ent 8.1, 8.0.
Patches released on 2015-04-13.

- ------------------------------------------------------------------------

7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:
security-announce at lists.vmware.com
bugtraq at securityfocus.com
fulldisclosure at seclists.org

E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055

VMware Security Advisories
http://www.vmware.com/security/advisories

Consolidated list of VMware Security Advisories
http://kb.vmware.com/kb/2078735

VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html

VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html

Twitter
https://twitter.com/VMwareSRC

Copyright 2015 VMware Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.3.0 (Build 8741)
Charset: utf-8

wj8DBQFVLBMgDEcm8Vbi9kMRAvaaAKDrax6e77WldoyNU0b+OEym+b1tfgCfamxh
gjaTHulE0WVOGNNLpjHZ4jk=
=L8TV
-----END PGP SIGNATURE-----
UPDATE : VMSA-2015-0003.1 – VMware product updates address critical information disclosure issue in JRE.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
VMware Security Advisory

Advisory ID: VMSA-2015-0003.1
Synopsis:    VMware product updates address critical information
             disclosure issue in JRE.
Issue date:  2015-04-02
Updated on:  2015-04-09
CVE number:  CVE-2014-6593, for other CVEs see JRE reference
- ------------------------------------------------------------------------

1. Summary

VMware product updates address critical information disclosure issue in
JRE.

2. Relevant Releases

Horizon View 6.x or 5.x
Horizon Workspace Portal Server 2.1 or 2.0
Horizon DaaS Platform 6.1.4 or 5.4.5
vRealize Operations Manager 6.0
vCenter Operations Manager 5.8.x or 5.7.x
vRealize Application Services 6.2 or 6.1
vCloud Application Director 6.0
vRealize Automation 6.2 or 6.1
vCloud Automation Center 6.0.1
vSphere Replication prior to 5.8.0.2 or 5.6.0.3
vRealize Automation 6.2.x or 6.1.x
vRealize Code Stream 1.1 or 1.0
vRealize Hyperic 5.8.x, 5.7.x or 5.0.x
vSphere AppHA prior to 1.1.x
vCenter Chargeback Manager 2.7 or 2.6
vRealize Business Standard prior to 1.1.x or 1.0.x
NSX for Multi-Hypervisor prior to 4.2.4
vCloud Director prior to 5.5.3
vCloud Director Service Providers prior to 5.6.4.1
vRealize Configuration Manager 5.7.x or 5.6.x
vRealize Infrastructure 5.8 or 5.7
vRealize Log Insight 2.5, 2.0, 1.5 or 1.0

3. Problem Description

a. Oracle JRE Update

Oracle JRE is updated in VMware products to address a critical security
issue that existed in earlier releases of Oracle JRE.

VMware products running JRE 1.7 Update 75 or newer and JRE 1.6 Update 91
or newer are not vulnerable to CVE-2014-6593, as documented in the Oracle
Java SE Critical Patch Update Advisory of January 2015.

This advisory also includes the other security issues that are addressed
in JRE 1.7 Update 75 and JRE 1.6 Update 91. The References section
provides a link to the JRE advisory.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the identifier CVE-2014-6593 to this issue. This issue is also
known as "SKIP" or "SKIP-TLS".

Column 4 of the following table lists the action required to remediate
the vulnerability in each release, if a solution is available.

VMware                                 Product   Running  Replace with/
Product                                Version   on       Apply Patch**
=====================================  ========  =======  =================
Horizon View                           6.x       any      6.1
Horizon View                           5.x       any      5.3.4
Horizon Workspace Portal Server        2.1, 2.0  any      2.1.1
Horizon DaaS Platform                  6.1       any      6.1.4
Horizon DaaS Platform                  6.0       any      patch pending
Horizon DaaS Platform                  5.4       any      5.4.5
vCloud Networking and Security         5.5       any      patch pending*
vCloud Connector                       2.7       any      patch pending*
vCloud Usage Meter                     3.3       any      patch pending*
vCenter Site Recovery Manager          5.5.x     any      patch pending***
vCenter Site Recovery Manager          5.1.x     any      patch pending***
vCenter Site Recovery Manager          5.0.x     any      patch pending***
vCenter Server                         6.0       any      patch pending
vCenter Server                         5.5       any      patch pending
vCenter Server                         5.1       any      patch pending
vCenter Server                         5.0       any      patch pending
vRealize Operations Manager            6.0       any      KB2112028
vCenter Operations Manager             5.8.x     any      KB2111172
vCenter Operations Manager             5.7.x     any      KB2111172
vCenter Support Assistant              5.5.1.x   any      patch pending
vRealize Application Services          6.2       any      KB2111981
vRealize Application Services          6.1       any      KB2111981
vCloud Application Director            6.0       any      KB2111981
vCloud Application Director            5.2       any      KB2111981
vRealize Automation                    6.2       any      KB2111658
vRealize Automation                    6.1       any      KB2111658
vCloud Automation Center               6.0.1     any      KB2111658
vRealize Code Stream                   1.1       any      KB2111658
vRealize Code Stream                   1.0       any      KB2111658
vPostgres                              9.3.x     any      patch pending
vPostgres                              9.2.x     any      patch pending
vPostgres                              9.1.x     any      patch pending
vSphere Replication                    5.8.1     any      patch pending
vSphere Replication                    5.8.0     any      5.8.0.2
vSphere Replication                    5.6.0     any      5.6.0.3
vSphere Replication                    5.1       any      patch pending
vSphere Storage Appliance              5.x       any      patch pending*
vRealize Hyperic                       5.8       any      KB2111337
vRealize Hyperic                       5.7       any      KB2111337
vRealize Hyperic                       5.0       any      KB2111337
vSphere AppHA                          1.1       any      KB2111336
vSphere Big Data Extensions            2.1       any      patch pending*
vSphere Big Data Extensions            2.0       any      patch pending*
vSphere Data Protection                6.0       any      patch pending*
vSphere Data Protection                5.8       any      patch pending*
vSphere Data Protection                5.5       any      patch pending*
vSphere Data Protection                5.1       any      patch pending*
vCenter Chargeback Manager             2.7       any      KB2112011*
vCenter Chargeback Manager             2.6       any      KB2113178*
vRealize Business Adv/Ent              8.1       any      patch pending*
vRealize Business Adv/Ent              8.0       any      patch pending*
vRealize Business Standard             6.0       any      KB2111802
vRealize Business Standard             1.1       any      KB2111802
vRealize Business Standard             1.0       any      KB2111802
NSX for vSphere                        6.1       any      patch pending*
NSX for Multi-Hypervisor               4.2       any      4.2.4*
vCloud Director                        5.5.x     any      5.5.3*
vCloud Director For Service Providers  5.6.4     any      5.6.4.1*
vCenter Application Discovery Manager  7.0       any      patch pending*
vRealize Configuration Manager         5.7.x     any      KB2111670
vRealize Configuration Manager         5.6       any      KB2111670
vRealize Infrastructure Navigator      5.8       any      5.8.4
vRealize Infrastructure Navigator      5.7       any      KB2111334*
vRealize Orchestrator                  6.0       any      patch pending*
vRealize Orchestrator                  5.2       any      patch pending*
vRealize Orchestrator                  5.1       any      patch pending*
vShield                                5.5       any      patch pending*
vRealize Log Insight                   2.5       any      KB2113235*
vRealize Log Insight                   2.0       any      KB2113235*
vRealize Log Insight                   1.5       any      KB2113235*
vRealize Log Insight                   1.0       any      KB2113235*
vSphere Management Assistant           5.x       any      patch pending
vSphere Update Manager                 6.0       any      patch pending*
vSphere Update Manager                 5.5       any      patch pending*
vSphere Update Manager                 5.1       any      patch pending*
vSphere Update Manager                 5.0       any      patch pending*

* The severity of critical is lowered to important for this product as it
  is not considered Internet facing.
** Knowledge Base (KB) articles provide details of the patches and how to
   install them.
*** vCenter Site Recovery Manager 5.0, 5.1, and 5.5 do not themselves
    include JRE, but they include the vSphere Replication appliance,
    which does. vCenter Site Recovery 5.8 and 6.0 include neither JRE
    nor the vSphere Replication appliance.

4. Solution

Please review the patch/release notes for your product and version and
verify the checksum of your downloaded file.

Horizon View 6.1, 5.3.4
=======================
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=VIEW-610-GA&productId=492
https://my.vmware.com/web/vmware/details?downloadGroup=VIEW-534-PREMIER&productId=396

VMware Workspace Portal 2.1.1
=============================
Download:
https://my.vmware.com/web/vmware/details?downloadGroup=HZNWS211&productId=501&rPId=7586
Documentation:
https://www.vmware.com/support/horizon_workspace/doc/wp_release_notes_211.html

Horizon DaaS Platform 6.1.4
===========================
Download:
https://my.vmware.com/web/vmware/details?downloadGroup=HORIZON-DAAS-610-BIN&productId=405&rPId=6527

Horizon DaaS Platform 5.4.5
===========================
Download:
https://my.vmware.com/web/vmware/details?downloadGroup=HORIZON-DAAS-ONPREM-540&productId=398&rPId=5214

vRealize Operations Manager 6.0.1
=================================
Downloads and Documentation:
http://kb.vmware.com/kb/2112028

vRealize Application Services 6.2, 6.1
======================================
Downloads and Documentation:
http://kb.vmware.com/kb/2111981

vCloud Application Director 6.0
===============================
Downloads and Documentation:
http://kb.vmware.com/kb/2111981

vCloud Director for Service Providers 5.6.4.1
=============================================
Downloads and Documentation:
https://www.vmware.com/support/pubs/vcd_sp_pubs.html

vCenter Operations Manager 6.0, 5.8.5, 5.7.4
============================================
Downloads and Documentation:
http://kb.vmware.com/kb/2111172

vCloud Automation Center 6.0.1.2
================================
Downloads and Documentation:
http://kb.vmware.com/kb/2111685

vSphere Replication 5.8.0.2, 5.6.0.3
====================================
Downloads:
https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5802
https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5603
Documentation:
http://kb.vmware.com/kb/2112025
http://kb.vmware.com/kb/2112022

vRealize Automation 6.2.1, 6.1.1
================================
Downloads and Documentation:
http://kb.vmware.com/kb/2111658

vRealize Code Stream 1.1, 1.0
=============================
Downloads and Documentation:
http://kb.vmware.com/kb/2111685

vRealize Hyperic 5.8.4, 5.7.2, 5.0.3
====================================
Downloads and Documentation:
http://kb.vmware.com/kb/KB2111337

vSphere AppHA 1.1.1
===================
Downloads and Documentation:
http://kb.vmware.com/kb/2111336

vCenter Chargeback Manager 2.7
==============================
Downloads and Documentation:
http://kb.vmware.com/kb/2112011

vCenter Chargeback Manager 2.6
==============================
Downloads and Documentation:
http://kb.vmware.com/kb/2113178

vRealize Business Standard 6.0, 1.1, 1.0
========================================
Downloads and Documentation:
http://kb.vmware.com/kb/2111802

vRealize Configuration Manager 5.7.3
====================================
Downloads and Documentation:
http://kb.vmware.com/kb/2111670

vRealize Infrastructure Navigator 5.8.4
=======================================
Download:
https://my.vmware.com/web/vmware/details?downloadGroup=VIN_584&productId=476

vRealize Infrastructure Navigator 5.7
=====================================
Downloads and Documentation:
http://kb.vmware.com/kb/2111334

5. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6593

JRE Oracle Java SE Critical Patch Update Advisory of January 2015
http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html

- ------------------------------------------------------------------------

6. Change log

2015-04-02 VMSA-2015-0003
Initial security advisory in conjunction with the release of VMware
Horizon View 6.1, 5.3.4; vCenter Operations Manager 5.8.5; vCenter
Operations Manager 5.7.4; vCloud Automation Center 6.0.1.2; vSphere
Replication 5.8.0.2, 5.6.0.3; vRealize Automation 6.2.1, 6.1.1;
vRealize Code Stream 1.1, 1.0; vRealize Hyperic 5.8.4, 5.7.2, 5.0.3;
vSphere AppHA 1.1.1; vRealize Business Standard 1.1.1, 1.0.1; vRealize
Configuration Manager prior to 5.7.3; vRealize Infrastructure 5.7, 5.8.4.
Patches released on 2015-04-02.

2015-04-09 VMSA-2015-0003.1
Initial security advisory in conjunction with the release of VMware
Horizon DaaS Platform 6.1.4, 5.4.5; vRealize Operations Manager 6.0;
vRealize Application Services 6.2; vRealize Application Services 6.1;
vCloud Application Director 6.0; vCenter Chargeback Manager 2.7, 2.6;
vCloud Director For Service Providers 5.6.4.1; vRealize Log Insight 2.5,
2.0, 1.5, 1.0.
Patches released on 2015-04-09.

- ------------------------------------------------------------------------

7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:
security-announce at lists.vmware.com
bugtraq at securityfocus.com
fulldisclosure at seclists.org

E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055

VMware Security Advisories
http://www.vmware.com/security/advisories

Consolidated list of VMware Security Advisories
http://kb.vmware.com/kb/2078735

VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html

VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html

Twitter
https://twitter.com/VMwareSRC

Copyright 2015 VMware Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.3.0 (Build 8741)
Charset: utf-8

wj8DBQFVJvoJDEcm8Vbi9kMRAuK6AKCNUgtSbHFVZ3QovAUJZyYX68sxQgCeLWoD
fO7UbDkp1+c7pNQ0y6ErD24=
=Mn/A
-----END PGP SIGNATURE-----
NEW: VMSA-2015-0003 VMware product updates address critical information disclosure issue in JRE
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID: VMSA-2015-0003
Synopsis:    VMware product updates address critical information
             disclosure issue in JRE.
Issue date:  2015-04-02
Updated on:  2015-04-02 (Initial Advisory)
CVE number:  CVE-2014-6593, for other CVEs see JRE reference
- ------------------------------------------------------------------------

1. Summary

VMware product updates address critical information disclosure issue in JRE.

2. Relevant Releases

Horizon View 6.x or 5.x
Horizon Workspace Portal Server 2.1 or 2.0
vCenter Operations Manager 5.8.x or 5.7.x
vCloud Automation Center 6.0.1
vSphere Replication prior to 5.8.0.2 or 5.6.0.3
vRealize Automation 6.2.x or 6.1.x
vRealize Code Stream 1.1 or 1.0
vRealize Hyperic 5.8.x, 5.7.x or 5.0.x
vSphere AppHA prior to 1.1.x
vRealize Business Standard prior to 1.1.x or 1.0.x
NSX for Multi-Hypervisor prior to 4.2.4
vRealize Configuration Manager 5.7.x or 5.6.x
vRealize Infrastructure Navigator 5.8 or 5.7

3. Problem Description

a. Oracle JRE Update

Oracle JRE is updated in VMware products to address a critical security issue that existed in earlier releases of Oracle JRE.

VMware products running JRE 1.7 Update 75 or newer and JRE 1.6 Update 91 or newer are not vulnerable to CVE-2014-6593, as documented in the Oracle Java SE Critical Patch Update Advisory of January 2015. This advisory also includes the other security issues that are addressed in JRE 1.7 Update 75 and JRE 1.6 Update 91. The References section provides a link to the JRE advisory.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2014-6593 to this issue. This issue is also known as "SKIP" or "SKIP-TLS".

Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware                                  Product   Running   Replace with/
Product                                 Version   on        Apply Patch**
=============                           =======   =======   =================
Horizon View                            6.x       any       6.1
Horizon View                            5.x       any       5.3.4
Horizon Workspace Portal Server         2.1, 2.0  any       2.1.1
Horizon DaaS Platform                   6.1       any       patch pending
Horizon DaaS Platform                   6.0       any       patch pending
Horizon DaaS Platform                   5.4       any       patch pending
vCloud Networking and Security          5.5       any       patch pending*
vCloud Connector                        2.7       any       patch pending*
vCloud Usage Meter                      3.3       any       patch pending*
vCenter Site Recovery Manager           5.5.x     any       patch pending***
vCenter Site Recovery Manager           5.1.x     any       patch pending***
vCenter Site Recovery Manager           5.0.x     any       patch pending***
vCenter Server                          6.0       any       patch pending
vCenter Server                          5.5       any       patch pending
vCenter Server                          5.1       any       patch pending
vCenter Server                          5.0       any       patch pending
vRealize Operations Manager             6.0       any       patch pending*
vCenter Operations Manager              5.8.x     any       KB2111172
vCenter Operations Manager              5.7.x     any       KB2111172
vCenter Support Assistant               5.5.1.x   any       patch pending
vRealize Application Services           6.2       any       patch pending
vRealize Application Services           6.1       any       patch pending
vCloud Application Director             6.0       any       patch pending
vCloud Application Director             5.2       any       KB2111981
vRealize Automation                     6.2       any       KB2111658
vRealize Automation                     6.1       any       KB2111658
vCloud Automation Center                6.0.1     any       KB2111658
vRealize Code Stream                    1.1       any       KB2111658
vRealize Code Stream                    1.0       any       KB2111658
vPostgres                               9.3.x     any       patch pending
vPostgres                               9.2.x     any       patch pending
vPostgres                               9.1.x     any       patch pending
vSphere Replication                     5.8.1     any       patch pending
vSphere Replication                     5.8.0     any       5.8.0.2
vSphere Replication                     5.6.0     any       5.6.0.3
vSphere Replication                     5.1       any       patch pending
vSphere Storage Appliance               5.x       any       patch pending*
vRealize Hyperic                        5.8       any       KB2111337
vRealize Hyperic                        5.7       any       KB2111337
vRealize Hyperic                        5.0       any       KB2111337
vSphere AppHA                           1.1       any       KB2111336
vSphere Big Data Extensions             2.1       any       patch pending*
vSphere Big Data Extensions             2.0       any       patch pending*
vSphere Data Protection                 6.0       any       patch pending*
vSphere Data Protection                 5.8       any       patch pending*
vSphere Data Protection                 5.5       any       patch pending*
vSphere Data Protection                 5.1       any       patch pending*
vCenter Chargeback Manager              2.6       any       patch pending*
vRealize Business Adv/Ent               8.1       any       patch pending*
vRealize Business Adv/Ent               8.0       any       patch pending*
vRealize Business Standard              6.0       any       KB2111802
vRealize Business Standard              1.1       any       KB2111802
vRealize Business Standard              1.0       any       KB2111802
NSX for vSphere                         6.1       any       patch pending*
NSX for Multi-Hypervisor                4.2       any       4.2.4*
vCloud Director                         5.5.x     any       5.5.3*
vCloud Director For Service Providers   5.6.4     any       patch pending*
vCenter Application Discovery Manager   7.0       any       patch pending*
vRealize Configuration Manager          5.7.x     any       KB2111670
vRealize Configuration Manager          5.6       any       KB2111670
vRealize Infrastructure Navigator       5.8       any       5.8.4
vRealize Infrastructure Navigator       5.7       any       KB2111334*
vRealize Orchestrator                   6.0       any       patch pending*
vRealize Orchestrator                   5.2       any       patch pending*
vRealize Orchestrator                   5.1       any       patch pending*
vShield                                 5.5       any       patch pending*
vRealize Log Insight                    2.5       any       patch pending*
vRealize Log Insight                    2.0       any       patch pending*
vRealize Log Insight                    1.5       any       patch pending*
vRealize Log Insight                    1.0       any       patch pending*
vSphere Management Assistant            5.x       any       patch pending
vSphere Update Manager                  6.0       any       patch pending*
vSphere Update Manager                  5.5       any       patch pending*
vSphere Update Manager                  5.1       any       patch pending*
vSphere Update Manager                  5.0       any       patch pending*

* The severity of critical is lowered to important for this product as it is not considered Internet facing.

** Knowledge Base (KB) articles provide details of the patches and how to install them.

*** vCenter Site Recovery Manager 5.0, 5.1, and 5.5 themselves do not include JRE, but they include the vSphere Replication appliance, which has JRE. vCenter Site Recovery Manager 5.8 and 6.0 include neither JRE nor the vSphere Replication appliance.

4. Solution

Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.

Horizon View 6.1, 5.3.4
=======================
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=VIEW-610-GA&productId=492
https://my.vmware.com/web/vmware/details?downloadGroup=VIEW-534-PREMIER&productId=396

VMware Workspace Portal 2.1.1
=============================
Download:
https://my.vmware.com/web/vmware/details?downloadGroup=HZNWS211&productId=501&rPId=7586
Documentation:
https://www.vmware.com/support/horizon_workspace/doc/wp_release_notes_211.html

vCenter Operations Manager 6.0, 5.8.5, 5.7.4
============================================
Downloads and Documentation:
http://kb.vmware.com/kb/2111172

vCloud Automation Center 6.0.1.2
================================
Downloads and Documentation:
http://kb.vmware.com/kb/2111685

vSphere Replication 5.8.0.2, 5.6.0.3
====================================
Downloads:
https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5802
https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5603
Documentation:
http://kb.vmware.com/kb/2112025

vRealize Automation 6.2.1, 6.1.1
================================
Downloads and Documentation:
http://kb.vmware.com/kb/2111658

vRealize Code Stream 1.1, 1.0
=============================
Downloads and Documentation:
http://kb.vmware.com/kb/2111685

vRealize Hyperic 5.8.4, 5.7.2, 5.0.3
====================================
Downloads and Documentation:
http://kb.vmware.com/kb/KB2111337

vSphere AppHA 1.1.1
===================
Downloads and Documentation:
http://kb.vmware.com/kb/2111336

vRealize Business Standard 6.0, 1.1, 1.0
========================================
Downloads and Documentation:
http://kb.vmware.com/kb/2111802

vRealize Configuration Manager 5.7.3
====================================
Downloads and Documentation:
http://kb.vmware.com/kb/2111670

vRealize Infrastructure Navigator 5.8.4
=======================================
Download:
https://my.vmware.com/web/vmware/details?downloadGroup=VIN_584&productId=476

vRealize Infrastructure Navigator 5.7
=====================================
Downloads and Documentation:
http://kb.vmware.com/kb/2111334

5. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6593

JRE
Oracle Java SE Critical Patch Update Advisory of January 2015
http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html

- ------------------------------------------------------------------------

6. Change log

2015-04-02 VMSA-2015-0003
Initial security advisory in conjunction with the release of VMware Horizon View 6.1, 5.3.4; vCenter Operations Manager 5.8.5; vCenter Operations Manager 5.7.4; vCloud Automation Center 6.0.1.2; vSphere Replication 5.8.0.2, 5.6.0.3; vRealize Automation 6.2.1, 6.1.1; vRealize Code Stream 1.1, 1.0; vRealize Hyperic 5.8.4, 5.7.2, 5.0.3; vSphere AppHA 1.1.1; vRealize Business Standard 1.1.1, 1.0.1; vRealize Configuration Manager 5.7.3; vRealize Infrastructure Navigator 5.7, 5.8.4. Patches released on 2015-04-02.

- ------------------------------------------------------------------------

7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:
security-announce at lists.vmware.com
bugtraq at securityfocus.com
fulldisclosure at seclists.org

E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055

VMware Security Advisories
http://www.vmware.com/security/advisories

Consolidated list of VMware Security Advisories
http://kb.vmware.com/kb/2078735

VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html

VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html

Twitter
https://twitter.com/VMwareSRC

Copyright 2015 VMware Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.3.0 (Build 8741)
Charset: utf-8

wj8DBQFVHbTYDEcm8Vbi9kMRAgAMAJ9igPcaR/mSbKzFzow0NzlqbsDEoACcCRUC
6hWCvRQfTGkvImCyRaL0VOY=
=uZmC
-----END PGP SIGNATURE-----
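The fix levels stated in section 3a of VMSA-2015-0003 above (JRE 1.7 Update 75, JRE 1.6 Update 91) are the practical test for whether an appliance still carries the CVE-2014-6593 (SKIP-TLS) bug, since most of the affected products bundle their own JRE. The following Python is an added example, not VMware or Oracle code: it parses the first line of `java -version` output (assumed to follow the classic Oracle `1.x.0_NN` scheme, where `_NN` is the update number) and classifies it against those two thresholds. JRE families the advisory gives no level for (for example 1.8) are reported as unknown rather than guessed, so the caller checks the Oracle CPU instead. The sample outputs are constructed, not captured from any VMware product.

```python
"""Classify a JRE against the CVE-2014-6593 fix levels in VMSA-2015-0003.
Added example, not VMware or Oracle code."""
import re
import subprocess
from typing import Optional, Tuple

# Minimum update level per JRE family, from section 3a of the advisory:
# 1.7 Update 75 or newer, 1.6 Update 91 or newer.
FIXED_UPDATE = {(1, 6): 91, (1, 7): 75}

# 'java -version' prints e.g.  java version "1.7.0_65"  on its first line.
# Format assumed from the classic Oracle 1.x scheme: 1.7.0_75 == "1.7 Update 75".
_VERSION_RE = re.compile(r'version\s+"(\d+)\.(\d+)\.\d+(?:_(\d+))?')


def parse_java_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, update) from 'java -version' output, or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def skip_tls_status(text: str) -> str:
    """'fixed', 'vulnerable' or 'unknown' for the JRE described by `text`.

    'unknown' covers unparseable output and families the advisory states no
    fix level for (e.g. 1.8); treat it as not-yet-verified, not as safe.
    """
    parsed = parse_java_version(text)
    if parsed is None:
        return "unknown"
    major, minor, update = parsed
    threshold = FIXED_UPDATE.get((major, minor))
    if threshold is None:
        return "unknown"
    return "fixed" if update >= threshold else "vulnerable"


def check_installed_java(java_bin: str = "java") -> str:
    """Run `java_bin -version` on this host and classify it.

    The binary name is a hypothetical default; on an appliance point it at the
    bundled JRE rather than whatever is first on PATH.
    """
    try:
        out = subprocess.run([java_bin, "-version"], capture_output=True,
                             text=True, timeout=30)
    except (OSError, subprocess.TimeoutExpired):
        return "unknown"
    # Classic Oracle/OpenJDK JREs print the version banner on stderr.
    return skip_tls_status(out.stderr + out.stdout)


if __name__ == "__main__":
    # Constructed sample banners, not captured from any VMware appliance.
    samples = {
        "1.7u65": 'java version "1.7.0_65"\nJava(TM) SE Runtime Environment (build 1.7.0_65-b17)',
        "1.7u75": 'java version "1.7.0_75"\nJava(TM) SE Runtime Environment (build 1.7.0_75-b13)',
        "1.6u91": 'java version "1.6.0_91"',
        "1.8u25": 'java version "1.8.0_25"',
    }
    for name, banner in samples.items():
        print(f"{name}: {skip_tls_status(banner)}")
    print("local java:", check_installed_java())
```

A "fixed" result only says the JRE binary is at or above the stated level; the product-level remediation is still the KB article or release listed in the table, because the patched appliance may also replace other components.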
UPDATED: VMSA-2015-0001.2 VMware vCenter Server, ESXi, Workstation, Player, and Fusion updates address security issues

------------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID: VMSA-2015-0001.2
Synopsis:    VMware vCenter Server, ESXi, Workstation, Player, and Fusion
             updates address security issues
Issue date:  2015-01-27
Updated on:  2015-03-26
CVE number:  CVE-2014-8370, CVE-2015-1043, CVE-2015-1044
             --- OpenSSL ---
             CVE-2014-3513, CVE-2014-3567, CVE-2014-3566, CVE-2014-3568
             --- libxml2 ---
             CVE-2014-3660
------------------------------------------------------------------------

1. Summary

VMware vCenter Server, ESXi, Workstation, Player and Fusion address several security issues.

2. Relevant Releases

VMware Workstation 10.x prior to version 10.0.5
VMware Player 6.x prior to version 6.0.5
VMware Fusion 7.x prior to version 7.0.1
VMware Fusion 6.x prior to version 6.0.5
vCenter Server 5.5 prior to Update 2d
ESXi 5.5 without patch ESXi550-201403102-SG, ESXi550-201501101-SG
ESXi 5.1 without patch ESXi510-201404101-SG, ESXi510-201503101-SG
ESXi 5.0 without patch ESXi500-201405101-SG, ESXi500-201502101-SG

3. Problem Description

a. VMware ESXi, Workstation, Player, and Fusion host privilege escalation vulnerability

VMware ESXi, Workstation, Player and Fusion contain an arbitrary file write issue. Exploitation of this issue may allow for privilege escalation on the host.

The vulnerability does not allow for privilege escalation from the guest Operating System to the host or vice-versa. This means that host memory can not be manipulated from the Guest Operating System.

Mitigation
For ESXi to be affected, permissions must have been added to ESXi (or a vCenter Server managing it) for a virtual machine administrator role or greater.

VMware would like to thank Shanon Olsson for reporting this issue to us through JPCERT.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2014-8370 to this issue.

Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware          Product   Running   Replace with/
Product         Version   on        Apply Patch
=============   =======   =======   =================
Workstation     11.x      any       not affected
Workstation     10.x      any       10.0.5
Player          7.x       any       not affected
Player          6.x       any       6.0.5
Fusion          7.x       any       not affected
Fusion          6.x       any       6.0.5
ESXi            5.5       ESXi      ESXi550-201403102-SG
ESXi            5.1       ESXi      ESXi510-201404101-SG
ESXi            5.0       ESXi      ESXi500-201405101-SG

b. VMware Workstation, Player, and Fusion Denial of Service vulnerability

VMware Workstation, Player, and Fusion contain an input validation issue in the Host Guest File System (HGFS). This issue may allow for a Denial of Service of the Guest Operating system.

VMware would like to thank Peter Kamensky from Digital Security for reporting this issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2015-1043 to this issue.

Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware          Product   Running   Replace with/
Product         Version   on        Apply Patch
=============   =======   =======   =================
Workstation     11.x      any       not affected
Workstation     10.x      any       10.0.5
Player          7.x       any       not affected
Player          6.x       any       6.0.5
Fusion          7.x       any       7.0.1
Fusion          6.x       any       6.0.5

c. VMware ESXi, Workstation, and Player Denial of Service vulnerability

VMware ESXi, Workstation, and Player contain an input validation issue in the VMware Authorization process (vmware-authd). This issue may allow for a Denial of Service of the host. On VMware ESXi and on Workstation running on Linux the Denial of Service would be partial.

VMware would like to thank Dmitry Yudin (@ret5et) for reporting this issue to us through HP's Zero Day Initiative.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2015-1044 to this issue.

Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware          Product   Running   Replace with/
Product         Version   on        Apply Patch
=============   =======   =======   =================
Workstation     11.x      any       not affected
Workstation     10.x      any       10.0.5
Player          7.x       any       not affected
Player          6.x       any       6.0.5
Fusion          7.x       any       not affected
Fusion          6.x       any       not affected
ESXi            5.5       ESXi      ESXi550-201501101-SG
ESXi            5.1       ESXi      ESXi510-201410101-SG
ESXi            5.0       ESXi      not affected

d. Update to VMware vCenter Server and ESXi for OpenSSL 1.0.1 and 0.9.8 package

The OpenSSL library is updated to version 1.0.1j or 0.9.8zc to resolve multiple security issues.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2014-3513, CVE-2014-3567, CVE-2014-3566 (“POODLE”) and CVE-2014-3568 to these issues.

Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware          Product   Running   Replace with/
Product         Version   on        Apply Patch
=============   =======   =======   =================
vCenter Server  5.5       any       Update 2d*
vCenter Server  5.1       any       patch pending
vCenter Server  5.0       any       patch pending
ESXi            5.5       ESXi      ESXi550-201501101-SG
ESXi            5.1       ESXi      ESXi510-201503101-SG
ESXi            5.0       ESXi      ESXi500-201502101-SG

* The VMware vCenter 5.5 SSO component will be updated in a later release.

e. Update to ESXi libxml2 package

The libxml2 library is updated to version libxml2-2.7.6-17 to resolve a security issue.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2014-3660 to this issue.

Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware          Product   Running   Replace with/
Product         Version   on        Apply Patch
=============   =======   =======   =================
ESXi            5.5       ESXi      ESXi550-201501101-SG
ESXi            5.1       ESXi      ESXi510-201503101-SG
ESXi            5.0       ESXi      patch pending

4. Solution

Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.

VMware Workstation 10.x
--------------------------------
https://www.vmware.com/go/downloadworkstation

VMware Player 6.x
--------------------------------
https://www.vmware.com/go/downloadplayer

VMware Fusion 7.x and 6.x
--------------------------------
https://www.vmware.com/go/downloadplayer

vCenter Server
----------------------------
Downloads and Documentation:
https://www.vmware.com/go/download-vsphere

ESXi 5.5 Update 2d
----------------------------
File: update-from-esxi5.5-5.5_update01.zip
md5sum: 5773844efc7d8e43135de46801d6ea25
sha1sum: 6518355d260e81b562c66c5016781db9f077161f
http://kb.vmware.com/kb/2065832
update-from-esxi5.5-5.5_update01 contains ESXi550-201403102-SG

ESXi 5.5
----------------------------
File: ESXi550-201501001.zip
md5sum: b0f2edd9ad17d0bae5a11782aaef9304
sha1sum: 9cfcb1e2cf1bb845f0c96c5472d6b3a66f025dd1
http://kb.vmware.com/kb/2099265
ESXi550-201501001.zip contains ESXi550-201501101-SG

ESXi 5.1
----------------------------
File: ESXi510-201404001.zip
md5sum: 9dc3c9538de4451244a2b62d247e52c4
sha1sum: 2e052145f1697a781148e9866438a47c9cbd7ea9
http://kb.vmware.com/kb/2070666
ESXi510-201404001 contains ESXi510-201404101-SG

ESXi 5.1
----------------------------
File: ESXi510-201503001.zip
md5sum: 696360824ce098115f9fdba678391c3a
sha1sum: 6b1ea36a2711665a670afc9ae37cdd616bb6da66
http://kb.vmware.com/kb/2099286
ESXi510-201503001 contains ESXi510-201503101-SG

ESXi 5.0
----------------------------
File: ESXi500-201405001.zip
md5sum: 7cd1afc97f5f1e4b4132c90835f92e1d
sha1sum: 4bd77eeb5d7fc65bbb6f25762b0fa74fbb9679d5
http://kb.vmware.com/kb/2075521
ESXi500-201405001 contains ESXi500-201405101-SG

ESXi 5.0
----------------------------
File: ESXi500-201502001.zip
md5sum: 0e81d3c7702d6f08c1a5ebe743c8c42b
sha1sum: 6f16a03f413c1af4db3e181c2ccd6aa01141035d
http://kb.vmware.com/kb/2101910
ESXi500-201502001 contains ESXi500-201502101-SG

5. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8370
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1043
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1044
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3513
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3567
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3568
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3660

------------------------------------------------------------------------

6. Change log

2015-01-27 VMSA-2015-0001
Initial security advisory in conjunction with the release of VMware Workstation 10.0.5, VMware Player 6.0.5, vCenter Server 5.5 Update 2d and ESXi 5.5 patches released on 2015-01-27.

2015-02-26 VMSA-2015-0001.1
Updated security advisory in conjunction with the release of VMware ESXi 5.0 patches released on 2015-02-26.

2015-03-26 VMSA-2015-0001.2
Updated security advisory in conjunction with the release of VMware ESXi 5.1 patches released on 2015-03-26.

------------------------------------------------------------------------

7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:
security-announce at lists.vmware.com
bugtraq at securityfocus.com
fulldisclosure at seclists.org

E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055

VMware Security Advisories
http://www.vmware.com/security/advisories

Consolidated list of VMware Security Advisories
http://kb.vmware.com/kb/2078735

VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html

VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html

Twitter
https://twitter.com/VMwareSRC

Copyright 2015 VMware Inc. All rights reserved.

_______________________________________________
Security-announce mailing list
security-announce at lists.vmware.com
http://lists.vmware.com/mailman/listinfo/security-announce
UPDATED: VMSA-2015-0001.1 VMware vCenter Server, ESXi, Workstation, Player, and Fusion updates address security issues

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID: VMSA-2015-0001.1
Synopsis:    VMware vCenter Server, ESXi, Workstation, Player, and Fusion
             updates address security issues
Issue date:  2015-01-27
Updated on:  2015-02-26
CVE number:  CVE-2014-8370, CVE-2015-1043, CVE-2015-1044
             --- OpenSSL ---
             CVE-2014-3513, CVE-2014-3567, CVE-2014-3566, CVE-2014-3568
             --- libxml2 ---
             CVE-2014-3660
- ------------------------------------------------------------------------

1. Summary

VMware vCenter Server, ESXi, Workstation, Player and Fusion address several security issues.

2. Relevant Releases

VMware Workstation 10.x prior to version 10.0.5
VMware Player 6.x prior to version 6.0.5
VMware Fusion 7.x prior to version 7.0.1
VMware Fusion 6.x prior to version 6.0.5
vCenter Server 5.5 prior to Update 2d
ESXi 5.5 without patch ESXi550-201403102-SG, ESXi550-201501101-SG
ESXi 5.1 without patch ESXi510-201404101-SG
ESXi 5.0 without patch ESXi500-201405101-SG, ESXi500-201502101-SG

3. Problem Description

a. VMware ESXi, Workstation, Player, and Fusion host privilege escalation vulnerability

VMware ESXi, Workstation, Player and Fusion contain an arbitrary file write issue. Exploitation of this issue may allow for privilege escalation on the host.

The vulnerability does not allow for privilege escalation from the guest Operating System to the host or vice-versa. This means that host memory can not be manipulated from the Guest Operating System.

Mitigation
For ESXi to be affected, permissions must have been added to ESXi (or a vCenter Server managing it) for a virtual machine administrator role or greater.

VMware would like to thank Shanon Olsson for reporting this issue to us through JPCERT.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2014-8370 to this issue.

Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware          Product   Running   Replace with/
Product         Version   on        Apply Patch
=============   =======   =======   =================
Workstation     11.x      any       not affected
Workstation     10.x      any       10.0.5
Player          7.x       any       not affected
Player          6.x       any       6.0.5
Fusion          7.x       any       not affected
Fusion          6.x       any       6.0.5
ESXi            5.5       ESXi      ESXi550-201403102-SG
ESXi            5.1       ESXi      ESXi510-201404101-SG
ESXi            5.0       ESXi      ESXi500-201405101-SG

b. VMware Workstation, Player, and Fusion Denial of Service vulnerability

VMware Workstation, Player, and Fusion contain an input validation issue in the Host Guest File System (HGFS). This issue may allow for a Denial of Service of the Guest Operating system.

VMware would like to thank Peter Kamensky from Digital Security for reporting this issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2015-1043 to this issue.

Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware          Product   Running   Replace with/
Product         Version   on        Apply Patch
=============   =======   =======   =================
Workstation     11.x      any       not affected
Workstation     10.x      any       10.0.5
Player          7.x       any       not affected
Player          6.x       any       6.0.5
Fusion          7.x       any       7.0.1
Fusion          6.x       any       6.0.5

c. VMware ESXi, Workstation, and Player Denial of Service vulnerability

VMware ESXi, Workstation, and Player contain an input validation issue in the VMware Authorization process (vmware-authd). This issue may allow for a Denial of Service of the host. On VMware ESXi and on Workstation running on Linux the Denial of Service would be partial.

VMware would like to thank Dmitry Yudin (@ret5et) for reporting this issue to us through HP's Zero Day Initiative.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2015-1044 to this issue.

Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware          Product   Running   Replace with/
Product         Version   on        Apply Patch
=============   =======   =======   =================
Workstation     11.x      any       not affected
Workstation     10.x      any       10.0.5
Player          7.x       any       not affected
Player          6.x       any       6.0.5
Fusion          7.x       any       not affected
Fusion          6.x       any       not affected
ESXi            5.5       ESXi      ESXi550-201501101-SG
ESXi            5.1       ESXi      ESXi510-201410101-SG
ESXi            5.0       ESXi      not affected

d. Update to VMware vCenter Server and ESXi for OpenSSL 1.0.1 and 0.9.8 package

The OpenSSL library is updated to version 1.0.1j or 0.9.8zc to resolve multiple security issues.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2014-3513, CVE-2014-3567, CVE-2014-3566 (“POODLE”) and CVE-2014-3568 to these issues.

Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware          Product   Running   Replace with/
Product         Version   on        Apply Patch
=============   =======   =======   =================
vCenter Server  5.5       any       Update 2d*
vCenter Server  5.1       any       patch pending
vCenter Server  5.0       any       patch pending
ESXi            5.5       ESXi      ESXi550-201501101-SG
ESXi            5.1       ESXi      patch pending
ESXi            5.0       ESXi      ESXi500-201502101-SG

* The VMware vCenter 5.5 SSO component will be updated in a later release.

e. Update to ESXi libxml2 package

The libxml2 library is updated to version libxml2-2.7.6-17 to resolve a security issue.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2014-3660 to this issue.

Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware          Product   Running   Replace with/
Product         Version   on        Apply Patch
=============   =======   =======   =================
ESXi            5.5       ESXi      ESXi550-201501101-SG
ESXi            5.1       ESXi      patch pending
ESXi            5.0       ESXi      patch pending

4. Solution

Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.

VMware Workstation 10.x
--------------------------------
https://www.vmware.com/go/downloadworkstation

VMware Player 6.x
--------------------------------
https://www.vmware.com/go/downloadplayer

VMware Fusion 7.x and 6.x
--------------------------------
https://www.vmware.com/go/downloadplayer

vCenter Server
----------------------------
Downloads and Documentation:
https://www.vmware.com/go/download-vsphere

ESXi 5.5 Update 2d
----------------------------
File: update-from-esxi5.5-5.5_update01.zip
md5sum: 5773844efc7d8e43135de46801d6ea25
sha1sum: 6518355d260e81b562c66c5016781db9f077161f
http://kb.vmware.com/kb/2065832
update-from-esxi5.5-5.5_update01 contains ESXi550-201403102-SG

ESXi 5.5
----------------------------
File: ESXi550-201501001.zip
md5sum: b0f2edd9ad17d0bae5a11782aaef9304
sha1sum: 9cfcb1e2cf1bb845f0c96c5472d6b3a66f025dd1
http://kb.vmware.com/kb/2099265
ESXi550-201501001.zip contains ESXi550-201501101-SG

ESXi 5.1
----------------------------
File: ESXi510-201404001.zip
md5sum: 9dc3c9538de4451244a2b62d247e52c4
sha1sum: 6b1ea36a2711665a670afc9ae37cdd616bb6da66
http://kb.vmware.com/kb/2070666
ESXi510-201404001 contains ESXi510-201404101-SG

ESXi 5.0
----------------------------
File: ESXi500-201405001.zip
md5sum: 7cd1afc97f5f1e4b4132c90835f92e1d
sha1sum: 4bd77eeb5d7fc65bbb6f25762b0fa74fbb9679d5
http://kb.vmware.com/kb/2075521
ESXi500-201405001 contains ESXi500-201405101-SG

ESXi 5.0
----------------------------
File: ESXi500-201502001.zip
md5sum: 0e81d3c7702d6f08c1a5ebe743c8c42b
sha1sum: 6f16a03f413c1af4db3e181c2ccd6aa01141035d
http://kb.vmware.com/kb/2101910
ESXi500-201502001 contains ESXi500-201502101-SG

5. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8370
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1043
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1044
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3513
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3567
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3568
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3660

- ------------------------------------------------------------------------

6. Change log

2015-01-27 VMSA-2015-0001
Initial security advisory in conjunction with the release of VMware Workstation 10.0.5, VMware Player 6.0.5, vCenter Server 5.5 Update 2d and ESXi 5.5 patches released on 2015-01-27.

2015-02-26 VMSA-2015-0001.1
Updated security advisory in conjunction with the release of VMware ESXi 5.0 patches released on 2015-02-26.

- ------------------------------------------------------------------------

7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:
security-announce at lists.vmware.com
bugtraq at securityfocus.com
fulldisclosure at seclists.org

E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055

VMware Security Advisories
http://www.vmware.com/security/advisories

Consolidated list of VMware Security Advisories
http://kb.vmware.com/kb/2078735

VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html

VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html

Twitter
https://twitter.com/VMwareSRC

Copyright 2015 VMware Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org

iEYEARECAAYFAlTvZKoACgkQDEcm8Vbi9kPLdQCgkxPWLqgLx+H8FIA1rDh9PGJ7
WUgAoL2IPcyQ0FgDxTm4rLW+e/gKRzBq
=h+C7
-----END PGP SIGNATURE-----
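The Solution sections of VMSA-2015-0001.2 and VMSA-2015-0001.1 above publish an md5sum and a sha1sum for each ESXi offline bundle and ask the reader to "verify the checksum of your downloaded file". The Python below is an added example, not VMware tooling: it parses the advisory's `File: / md5sum: / sha1sum:` stanzas, streams a downloaded bundle once to compute both digests, and only trusts the file when every published digest matches. The stand-in bundle in the demo is constructed (a few KB of filler written to a temporary file) because the real zip is not embedded in this page; in use, point it at the downloaded `ESXi*.zip` and the values from the signed advisory rather than from the download page.

```python
"""Verify a downloaded patch bundle against the md5sum/sha1sum values printed
in a VMSA Solution section.  Added example; not VMware tooling."""
import hashlib
import io
import os
import tempfile
from typing import Dict


def _digest_stream(fh, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Read a binary stream once and return lowercase hex md5 and sha1."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for chunk in iter(lambda: fh.read(chunk_size), b""):
        md5.update(chunk)
        sha1.update(chunk)
    return {"md5sum": md5.hexdigest(), "sha1sum": sha1.hexdigest()}


def file_digests(path: str) -> Dict[str, str]:
    with open(path, "rb") as fh:
        return _digest_stream(fh)


def digests_of_bytes(data: bytes) -> Dict[str, str]:
    return _digest_stream(io.BytesIO(data))


def parse_solution_stanzas(text: str) -> Dict[str, Dict[str, str]]:
    """Map file name -> {'md5sum': ..., 'sha1sum': ...} from the advisory's
    'File: X / md5sum: Y / sha1sum: Z' stanzas; other lines are ignored."""
    out: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("File:"):
            current = line.split(":", 1)[1].strip()
            out[current] = {}
        elif current and (line.startswith("md5sum:") or line.startswith("sha1sum:")):
            key, value = line.split(":", 1)
            out[current][key.strip()] = value.strip().lower()
    return out


def verify_download(path: str, expected: Dict[str, str]) -> Dict[str, bool]:
    """Per-algorithm match result for every digest listed in `expected`."""
    actual = file_digests(path)
    return {name: actual.get(name) == value.strip().lower()
            for name, value in expected.items()}


def is_trusted(path: str, expected: Dict[str, str]) -> bool:
    """True only when at least one digest is listed and all of them match.
    A bundle that passes one algorithm and fails the other has been altered
    or mis-transcribed; neither MD5 nor SHA-1 is collision resistant, so the
    expected values should come from the PGP-signed advisory text."""
    results = verify_download(path, expected)
    return bool(results) and all(results.values())


def demo_roundtrip() -> Dict[str, bool]:
    """Write a constructed stand-in bundle and exercise the checks on it."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"not a real ESXi offline bundle\n" * 1000)  # constructed
        bundle = tmp.name
    try:
        good = file_digests(bundle)
        return {
            "intact": is_trusted(bundle, good),
            "md5_mismatch": is_trusted(bundle, dict(good, md5sum="0" * 32)),
            "sha1_mismatch": is_trusted(bundle, dict(good, sha1sum="f" * 40)),
        }
    finally:
        os.unlink(bundle)


if __name__ == "__main__":
    # Stanza text copied from the ESXi 5.5 entry of the advisory above.
    stanza = ("ESXi 5.5\n----------------------------\n"
              "File: ESXi550-201501001.zip\n"
              "md5sum: b0f2edd9ad17d0bae5a11782aaef9304\n"
              "sha1sum: 9cfcb1e2cf1bb845f0c96c5472d6b3a66f025dd1\n"
              "http://kb.vmware.com/kb/2099265\n")
    expected = parse_solution_stanzas(stanza)
    print("published digests:", expected)
    print("demo results:", demo_roundtrip())
    # Real use: is_trusted("ESXi550-201501001.zip", expected["ESXi550-201501001.zip"])
```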
NEW: VMSA-2015-0002 VMware vSphere Data Protection product update addresses a certificate validation vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID: VMSA-2015-0002
Synopsis:    VMware vSphere Data Protection product update addresses a
             certificate validation vulnerability.
Issue date:  2015-01-29
Updated on:  2015-01-29 (Initial Advisory)
CVE number:  CVE-2014-4632
- ------------------------------------------------------------------------

1. Summary

   VMware vSphere Data Protection product update addresses a certificate
   validation vulnerability.

2. Relevant releases

   VMware vSphere Data Protection 5.8
   VMware vSphere Data Protection 5.5 prior to 5.5.9
   VMware vSphere Data Protection 5.1 all versions

3. Problem Description

   a. VMware vSphere Data Protection certificate validation vulnerability

      VMware vSphere Data Protection (VDP) does not fully validate SSL
      certificates coming from vCenter Server. This issue may allow a
      Man-in-the-Middle attack that enables the attacker to perform
      unauthorized backup and restore operations.

      VMware would like to thank Thorsten Tüllmann of the Steinbuch Centre
      for Computing, KIT, Germany for reporting this issue to VMware and
      the EMC Product Security Response Center for working with us on the
      issue.

      The Common Vulnerabilities and Exposures project (cve.mitre.org) has
      assigned the identifier CVE-2014-4632 to this issue.

      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is
      available.

      VMware          Product   Running   Replace with/
      Product         Version   on        Apply Patch
      =============   =======   =======   =================
      VDP             5.8       any       5.8.1
      VDP             5.5       any       5.5.9
      VDP             5.1       any       no patch planned
                                          update to 5.5.9 or 5.8.1

4. Solution

   Please review the patch/release notes for your product and version and
   verify the checksum of your downloaded file.

   VMware vSphere Data Protection
   ----------
   Downloads:
   5.8.1: https://my.vmware.com/group/vmware/get-download?downloadGroup=VDP58_1
   5.5.9: https://my.vmware.com/group/vmware/get-download?downloadGroup=VDP55_9

5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4632

- ------------------------------------------------------------------------

6. Change log

   2015-01-29 VMSA-2015-0002
   Initial security advisory for VDP 5.8.1 and 5.5.9, which were released
   on 2015-01-29.

- ------------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

   security-announce at lists.vmware.com
   bugtraq at securityfocus.com
   fulldisclosure at seclists.org

   E-mail: security at vmware.com
   PGP key at: http://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html

   Twitter
   https://twitter.com/VMwareSRC

   Copyright 2015 VMware Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8

wj8DBQFUyruEDEcm8Vbi9kMRAjxUAKD+x2KVIAq6DftmWv1zIGNldH7q5QCgwLyV
ZruDEwM5kdlMe0ddzVgR41w=
=cT7H
-----END PGP SIGNATURE-----
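The defect class behind VMSA-2015-0002 (VDP not fully validating the certificate presented by vCenter Server) and behind item (b) of VMSA-2014-0012.1 below (vCenter Server not validating the CIM server's certificate) is a TLS client that accepts whatever certificate it is shown. The following is an added illustration in Python, not VMware code and not a description of how VDP or vCenter is implemented: it places the weak client configuration beside the hardened one and adds an audit helper that flags the weak settings. The function names (`weak_client_context`, `hardened_client_context`, `audit_context`, `peer_subject`) are this example's own.

```python
"""Added example (not VMware's code): a TLS client that skips certificate
validation, the corrected configuration, and an audit that tells them apart."""
import socket
import ssl
from typing import List, Optional


def weak_client_context() -> ssl.SSLContext:
    """The defective pattern: chain verification and host-name checking are
    both switched off, so any certificate is accepted, including one
    presented by a machine sitting between client and server. Built here
    only so that audit_context() has something to flag."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """The corrected pattern: require a chain that anchors to a trusted CA
    (ca_bundle, or the platform trust store when None) and bind the
    certificate to the host name being dialled."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the weaknesses a reviewer would flag in a client context.
    An empty list means full certificate validation is in force."""
    findings: List[str] = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: peer chain is not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: certificate not bound to the host name")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version allows protocols older than TLS 1.2")
    return findings


def peer_subject(host: str, port: int, ctx: ssl.SSLContext, timeout: float = 5.0) -> dict:
    """Dial host:port with ctx and return the validated peer certificate's
    subject. With the hardened context a bad chain or a name mismatch
    raises ssl.SSLCertVerificationError instead of silently connecting.
    Needs a network; the offline checks do not call it."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return dict(rdn[0] for rdn in cert.get("subject", ()))


if __name__ == "__main__":
    print("weak:", audit_context(weak_client_context()))
    print("hardened:", audit_context(hardened_client_context()))
```

`audit_context` is the piece worth keeping: run it over every `SSLContext` an integration builds before it ships, and treat any finding as a blocker, because the two settings it checks are exactly what a man-in-the-middle needs switched off.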
UPDATED: VMSA-2014-0012.1 – VMware vSphere product updates address security vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID: VMSA-2014-0012.1
Synopsis:    VMware vSphere product updates address security
             vulnerabilities
Issue date:  2014-12-04
Updated on:  2015-01-27
CVE number:  CVE-2014-3797, CVE-2014-8371, CVE-2013-2877, CVE-2014-0191,
             CVE-2014-0015, CVE-2014-0138, CVE-2013-1752 and CVE-2013-4238
- ------------------------------------------------------------------------

1. Summary

   VMware vSphere product updates address a Cross Site Scripting issue, a
   certificate validation issue and security vulnerabilities in third-party
   libraries.

2. Relevant releases

   VMware vCenter Server Appliance 5.1 Prior to Update 3
   VMware vCenter Server 5.5 prior to Update 2
   VMware vCenter Server 5.1 prior to Update 3
   VMware vCenter Server 5.0 prior to Update 3c
   VMware ESXi 5.1 without patch ESXi510-201412101-SG
   VMware ESXi 5.5
   VMware ESXi 5.0

3. Problem Description

   a. VMware vCSA cross-site scripting vulnerability

      VMware vCenter Server Appliance (vCSA) contains a vulnerability that
      may allow for Cross Site Scripting. Exploitation of this
      vulnerability in vCenter Server requires tricking a user into
      clicking on a malicious link or opening a malicious web page.

      VMware would like to thank Tanya Secker of Trustwave SpiderLabs for
      reporting this issue to us.

      The Common Vulnerabilities and Exposures project (cve.mitre.org) has
      assigned the name CVE-2014-3797 to this issue.

      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is
      available.

      VMware          Product   Running   Replace with/
      Product         Version   on        Apply Patch
      =============   =======   =======   =================
      vCSA            5.5       any       Not Affected
      vCSA            5.1       any       5.1 Update 3
      vCSA            5.0       any       Not Affected

   b. vCenter Server certificate validation issue

      vCenter Server does not properly validate the presented certificate
      when establishing a connection to a CIM Server residing on an ESXi
      host. This may allow for a Man-in-the-middle attack against the CIM
      service.

      VMware would like to thank The Google Security Team for reporting
      this issue to us.

      The Common Vulnerabilities and Exposures project (cve.mitre.org) has
      assigned the identifier CVE-2014-8371 to this issue.

      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is
      available.

      VMware          Product   Running   Replace with/
      Product         Version   on        Apply Patch
      =============   =======   =======   ==============
      vCenter Server  5.5       any       5.5 Update 2
      vCenter Server  5.1       any       5.1 Update 3
      vCenter Server  5.0       any       5.0 Update 3c

   c. Update to ESXi libxml2 package

      libxml2 is updated to address multiple security issues.

      The Common Vulnerabilities and Exposures project (cve.mitre.org) has
      assigned the names CVE-2013-2877 and CVE-2014-0191 to these issues.

      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is
      available.

      VMware          Product   Running   Replace with/
      Product         Version   on        Apply Patch
      =============   =======   =======   =================
      ESXi            5.5       any       see VMSA-2015-0001
      ESXi            5.1       any       ESXi510-201412101-SG
      ESXi            5.0       any       see VMSA-2015-0001

   d. Update to ESXi Curl package

      Curl is updated to address multiple security issues.

      The Common Vulnerabilities and Exposures project (cve.mitre.org) has
      assigned the names CVE-2014-0015 and CVE-2014-0138 to these issues.

      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is
      available.

      VMware          Product   Running   Replace with/
      Product         Version   on        Apply Patch
      =============   =======   =======   =================
      ESXi            5.5       any       Patch Pending
      ESXi            5.1       any       ESXi510-201412101-SG
      ESXi            5.0       any       Patch Pending

   e. Update to ESXi Python package

      Python is updated to address multiple security issues.

      The Common Vulnerabilities and Exposures project (cve.mitre.org) has
      assigned the names CVE-2013-1752 and CVE-2013-4238 to these issues.

      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is
      available.

      VMware          Product   Running   Replace with/
      Product         Version   on        Apply Patch
      =============   =======   =======   =================
      ESXi            5.5       any       Patch Pending
      ESXi            5.1       any       ESXi510-201412101-SG
      ESXi            5.0       any       Patch Pending

   f. vCenter and Update Manager, Oracle JRE 1.6 Update 81

      Oracle has documented the CVE identifiers that are addressed in JRE
      1.6.0 update 81 in the Oracle Java SE Critical Patch Update Advisory
      of July 2014. The References section provides a link to this
      advisory.

      VMware                  Product   Running   Replace with/
      Product                 Version   on        Apply Patch
      ======================  =======   =======   =================
      vCenter Server          5.5       any       not applicable *
      vCenter Server          5.1       any       5.1 Update 3
      vCenter Server          5.0       any       patch pending
      vCenter Update Manager  5.5       any       not applicable *
      vCenter Update Manager  5.1       any       5.1 Update 3
      vCenter Update Manager  5.0       any       patch pending

      * this product uses the Oracle JRE 1.7.0 family

4. Solution

   Please review the patch/release notes for your product and version and
   verify the checksum of your downloaded file.

   vCSA 5.1 Update 3, vCenter Server 5.1 Update 3 and Update Manager 5.1
   Update 3
   ----------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/download-vsphere

   ESXi 5.1
   ----------------------------
   File: update-from-esxi5.1-5.1_update03.zip.zip
   md5sum: b3fd3549b59c6c59c04bfd09b08c6edf
   sha1sum: 02139101fe205894774caac02820f6ea8416fb8b
   http://kb.vmware.com/kb/2086288
   update-from-esxi5.1-5.1_update03 contains ESXi510-201412101-SG

5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3797
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8371
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2877
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0191
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0015
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0138
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1752
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4238

   JRE
   Oracle Java SE Critical Patch Update Advisory of July 2014
   http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html

- ------------------------------------------------------------------------

6. Change log

   2014-12-04 VMSA-2014-0012
   Initial security advisory in conjunction with the release of VMware vCSA
   5.1 Update 3, vCenter Server 5.1 Update 3 and ESXi 5.1 Patches released
   on 2014-12-04.

   2015-01-27 VMSA-2014-0012.1
   Security advisory updated in conjunction with the release of VMware ESXi
   5.5 Patches released on 2015-01-27.

- ------------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

   security-announce at lists.vmware.com
   bugtraq at securityfocus.com
   fulldisclosure at seclists.org

   E-mail: security at vmware.com
   PGP key at: http://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   Consolidated list of VMware Security Advisories
   http://kb.vmware.com/kb/2078735

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html

   Twitter
   https://twitter.com/VMwareSRC

   Copyright 2015 VMware Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.3.0 (Build 8741)
Charset: utf-8

wj8DBQFUxqHHDEcm8Vbi9kMRAoSaAKD0BgI72YbonTMBbjAp1UMsFE2eBQCaAoPT
tg8/S+hjkMsW8AV18Kkj8Tw=
=UwKa
-----END PGP SIGNATURE-----
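Both Solution sections above (VMSA-2015-0002 and VMSA-2014-0012.1) ask the reader to verify the checksum of the downloaded file, and the ESXi 5.1 entry publishes the expected values in a fixed `md5sum: <hex>` / `sha1sum: <hex>` layout. The following is an added Python example, not a VMware tool: it parses that layout out of advisory text, streams a local file through every digest the advisory supplies, compares in constant time, and refuses to call a download trusted on an MD5 match alone. The helper names (`parse_advisory_checksums`, `digests_of`, `verify_file`, `download_is_trusted`, `demo`) are this example's own, and the file bytes in `demo()` are constructed, not a real VMware bundle; only the two digest strings in `SAMPLE_ADVISORY_TEXT` are copied from the advisory.

```python
"""Added example (not VMware's tooling): check a downloaded patch bundle
against the md5sum/sha1sum lines an advisory publishes."""
import hashlib
import hmac
import os
import re
import tempfile
from typing import Dict, Tuple

# Constructed excerpt in the advisory's own layout; the digest values are
# the ones printed for update-from-esxi5.1-5.1_update03 above.
SAMPLE_ADVISORY_TEXT = """
File: update-from-esxi5.1-5.1_update03.zip.zip
md5sum: b3fd3549b59c6c59c04bfd09b08c6edf
sha1sum: 02139101fe205894774caac02820f6ea8416fb8b
"""

_CHECKSUM_RE = re.compile(r"\b(md5|sha1|sha256)sum:\s*([0-9a-fA-F]+)\b")
_HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64}


def parse_advisory_checksums(text: str) -> Dict[str, str]:
    """Return {'md5': hex, 'sha1': hex, ...} found in advisory text.
    A digest of the wrong length for its algorithm is treated as a
    transcription error and rejected rather than silently compared."""
    found: Dict[str, str] = {}
    for algo, hexdigest in _CHECKSUM_RE.findall(text):
        if len(hexdigest) != _HEX_LEN[algo]:
            raise ValueError(f"{algo}sum has wrong length: {hexdigest}")
        found[algo] = hexdigest.lower()
    if not found:
        raise ValueError("no checksum lines found in advisory text")
    return found


def digests_of(data: bytes) -> Dict[str, str]:
    """Digests of an in-memory blob for every algorithm this example knows."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in _HEX_LEN}


def verify_file(path: str, expected: Dict[str, str], chunk_size: int = 1 << 20) -> Dict[str, bool]:
    """Stream the file once through every expected digest and report each
    comparison. compare_digest avoids leaking the mismatch position
    through timing."""
    hashers = {algo: hashlib.new(algo) for algo in expected}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {algo: hmac.compare_digest(h.hexdigest(), expected[algo])
            for algo, h in hashers.items()}


def download_is_trusted(path: str, expected: Dict[str, str]) -> bool:
    """Every published digest must match, and at least one of them must be
    stronger than MD5: an MD5-only match is not evidence of integrity."""
    results = verify_file(path, expected)
    has_strong = any(algo != "md5" for algo in results)
    return has_strong and all(results.values())


def demo() -> Tuple[bool, bool]:
    """Write a constructed file, verify it, corrupt one byte, verify again.
    Returns (trusted_before_tamper, trusted_after_tamper)."""
    data = b"constructed sample payload, not a real VMware bundle\n" * 1000
    expected = digests_of(data)
    fd, path = tempfile.mkstemp(prefix="vmsa-example-")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        before = download_is_trusted(path, expected)
        with open(path, "r+b") as fh:   # flip the first byte in place
            fh.seek(0)
            fh.write(b"X")
        after = download_is_trusted(path, expected)
    finally:
        os.remove(path)
    return before, after


if __name__ == "__main__":
    print(parse_advisory_checksums(SAMPLE_ADVISORY_TEXT))
    print("trusted before/after tamper:", demo())
```

In practice the `expected` dictionary comes from `parse_advisory_checksums` run over the advisory you fetched over a validated TLS connection (or over the PGP-signed message after checking its signature against the key at the KB link above); the checksum only proves the file matches the advisory, so the advisory itself has to be authentic.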