Category Archives: VMWare

UPDATE: VMSA-2015-0003.5 – VMware product updates address critical information disclosure issue in JRE.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID: VMSA-2015-0003.5
Synopsis:    VMware product updates address critical information 
             disclosure issue in JRE.
Issue date:  2015-04-02
Updated on:  2015-04-23
CVE number:  CVE-2014-6593, for other CVEs see JRE reference 

- ------------------------------------------------------------------------

1. Summary

   VMware product updates address critical information disclosure 
   issue in JRE.
 
2. Relevant Releases

   Horizon View 6.x or 5.x
   Horizon Workspace Portal Server 2.1 or 2.0
   Horizon DaaS Platform 6.1.4 or 5.4.5
   vCloud Connector 2.7
   vCloud Usage Meter 3.3
   vCenter Site Recovery Manager prior to 5.5.1.5
   vCenter Server 6.0 and 5.5
   vRealize Operations Manager 6.0
   vCenter Operations Manager 5.8.x or 5.7.x
   vRealize Application Services 6.2 or 6.1
   vCloud Application Director 6.0
   vRealize Automation 6.2 or 6.1
   vCloud Automation Center 6.0.1
   vSphere Replication prior to 5.8.0.2, 5.6.0.3 or 5.5.1.5
   vRealize Automation 6.2.x or 6.1.x
   vRealize Code Stream 1.1 or 1.0
   vFabric Postgres 9.3.6.0, 9.2.10.0 or 9.1.15.0
   vRealize Hyperic 5.8.x, 5.7.x or 5.0.x
   vSphere AppHA prior to 1.1.x
   vCenter Chargeback Manager 2.7 or 2.6
   vRealize Business Adv/Ent 8.1 or 8.0
   vRealize Business Standard prior to 1.1.x or 1.0.x
   NSX for Multi-Hypervisor prior to 4.2.4
   vCloud Director prior to 5.5.3
   vCloud Director Service Providers prior to 5.6.4.1
   vRealize Configuration Manager 5.7.x or 5.6.x
   vRealize Infrastructure 5.8 or 5.7
   vRealize Orchestrator 6.0 or 5.5
   vRealize Log Insight 2.5, 2.0, 1.5 or 1.0
   vSphere Update Manager 6.0 or 5.5

3. Problem Description 

   a. Oracle JRE Update

      Oracle JRE is updated in VMware products to address a 
      critical security issue that existed in earlier releases of
      Oracle JRE. 

      VMware products running JRE 1.7 Update 75 or newer and 
      JRE 1.6 Update 91 or newer are not vulnerable to CVE-2014-6593,
      as documented in the Oracle Java SE Critical Patch Update 
      Advisory of January 2015. 

      This advisory also includes the other security issues that 
      are addressed  in JRE 1.7 Update 75 and JRE 1.6 Update 91. The 
      References section provides a link to the JRE advisory.


      The Common Vulnerabilities and Exposures project (cve.mitre.org)
      has assigned the identifier CVE-2014-6593 to this issue.  This 
      issue is also known as "SKIP" or "SKIP-TLS". 

      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is 
      available.

      VMware                         Product    Running   Replace with/
      Product                        Version    on        Apply Patch**
      =============                  =======    =======   =================
      Horizon View                   6.x        any       6.1
      Horizon View                   5.x        any       5.3.4
      Horizon Workspace Portal       2.1, 2.0   any       2.1.1
      Server 

      Horizon DaaS Platform          6.1        any       6.1.4
      Horizon DaaS Platform          6.0        any       patch pending
      Horizon DaaS Platform          5.4        any       5.4.5

      vCloud Networking and Security 5.5        any       patch pending*
      vCloud Connector               2.7        any       2.7.1*
      vCloud Usage Meter             3.3        any       3.3.3* 

      vCenter Site Recovery Manager  5.5.x      any       5.5.1.5***
      vCenter Site Recovery Manager  5.1.x      any       patch pending***
      vCenter Site Recovery Manager  5.0.x      any       patch pending***

      vCenter Server                 6.0        any       6.0.0a
      vCenter Server                 5.5        any       Update 2e
      vCenter Server                 5.1        any       patch pending
      vCenter Server                 5.0        any       patch pending

      vRealize Operations Manager    6.0        any       KB2111898
      vCenter Operations Manager     5.8.x      any       KB2111172
      vCenter Operations Manager     5.7.x      any       KB2111172

      vCenter Support Assistant      5.5.1.x    any       patch pending
   
      vRealize Application Services  6.2        any       KB2111981
      vRealize Application Services  6.1        any       KB2111981
      vCloud Application Director    6.0        any       KB2111981
      vCloud Application Director    5.2        any       KB2111981

      vRealize Automation            6.2        any       KB2111658
      vRealize Automation            6.1        any       KB2111658
      vCloud Automation Center       6.0.1      any       KB2111658
      vRealize Code Stream           1.1        any       KB2111658
      vRealize Code Stream           1.0        any       KB2111658

      vPostgres                      9.3.x      any       9.3.6.0
      vPostgres                      9.2.x      any       9.2.10.0
      vPostgres                      9.1.x      any       9.1.15.0

      vSphere Replication            5.8.1      any       patch pending
      vSphere Replication            5.8.0      any       5.8.0.2
      vSphere Replication            5.6.0      any       5.6.0.3
      vSphere Replication            5.5.0      any       5.5.1.5
      vSphere Replication            5.1        any       patch pending

      vSphere Storage Appliance      5.x        any       patch pending*
 
      vRealize Hyperic               5.8        any       KB2111337
      vRealize Hyperic               5.7        any       KB2111337
      vRealize Hyperic               5.0        any       KB2111337

      vSphere AppHA                  1.1        any       KB2111336
      vSphere Big Data Extensions    2.1        any       patch pending*
      vSphere Big Data Extensions    2.0        any       patch pending*

      vSphere Data Protection        6.0        any       patch pending*
      vSphere Data Protection        5.8        any       patch pending*
      vSphere Data Protection        5.5        any       patch pending*
      vSphere Data Protection        5.1        any       patch pending*

      vCenter Chargeback Manager     2.7        any       KB2112011*
      vCenter Chargeback Manager     2.6        any       KB2113178*

      vRealize Business Adv/Ent      8.1        any       KB2112258*
      vRealize Business Adv/Ent      8.0        any       KB2112258*

      vRealize Business Standard     6.0        any       KB2111802
      vRealize Business Standard     1.1        any       KB2111802
      vRealize Business Standard     1.0        any       KB2111802

      NSX for vSphere                6.1        any       patch pending*
      NSX for Multi-Hypervisor       4.2        any       4.2.4*
      vCloud Director                5.5.x      any       5.5.3*
      
      vCloud Director For            5.6.4      any       5.6.4.1*
      Service Providers   

      vCenter Application Discovery  7.0        any       patch pending*
      Manager

      vRealize Configuration Manager 5.7.x      any       KB2111670
      vRealize Configuration Manager 5.6        any       KB2111670

      vRealize Infrastructure        5.8        any       5.8.4
      Navigator  

      vRealize Infrastructure        5.7        any       KB2111334*
      Navigator              

      vRealize Orchestrator          6.0        any       KB2112028*
      vRealize Orchestrator          5.5        any       KB2112028*
      vRealize Orchestrator          5.2        any       patch pending*
      vRealize Orchestrator          5.1        any       patch pending*

      vShield                        5.5        any       patch pending*

      vRealize Log Insight           2.5        any       KB2113235*
      vRealize Log Insight           2.0        any       KB2113235*
      vRealize Log Insight           1.5        any       KB2113235*
      vRealize Log Insight           1.0        any       KB2113235*

      vSphere Management Assistant   5.x        any       patch pending 

      vSphere Update Manager         6.0        any       6.0.0a*
      vSphere Update Manager         5.5        any       Update 2e*
      vSphere Update Manager         5.1        any       patch pending*
      vSphere Update Manager         5.0        any       patch pending*

      *   The severity of critical is lowered to important for this product
          as it is not considered Internet facing

      **  Knowledge Base (KB) articles provide details of the patches and
          how to install them.
 
      *** vCenter Site Recovery Manager 5.0, 5.1, and 5.5 itself do not 
          include JRE but they include the vSphere Replication appliance 
          which has JRE. vCenter Site Recovery 5.8 and 6.0 do not include 
          JRE nor the vSphere Replication appliance.
 
4. Solution

   Please review the patch/release notes for your product and
   version and verify the checksum of your downloaded file.

   Horizon View 6.1, 5.3.4:
   ========================
   Downloads:
   https://my.vmware.com/web/vmware/details?downloadGroup=VIEW-610-GA&productId=492
   https://my.vmware.com/web/vmware/details?downloadGroup=VIEW-534-PREMIER&productId=396

   VMware Workspace Portal 2.1.1
   =============================
   Download:
  
   https://my.vmware.com/web/vmware/details?downloadGroup=HZNWS211&productId=501&rPId=7586
   Documentation:
   https://www.vmware.com/support/horizon_workspace/doc/wp_release_notes_211.html

   Horizon DaaS Platform 6.1.4
   ===========================
   Download:
   https://my.vmware.com/web/vmware/details?downloadGroup=HORIZON-DAAS-610-BIN&productId=405&rPId=6527

   Horizon DaaS Platform 5.4.5
   ===========================
   Download:
   https://my.vmware.com/web/vmware/details?downloadGroup=HORIZON-DAAS-ONPREM-540&productId=398&rPId=5214

   vCloud Connector 2.7.1
   ======================
   Downloads and Documentation: 
  
   http://www.vmware.com/support/hybridcloud/doc/hybridcloud_271_rel_notes.html

   vCloud Usage Meter 3.3.3
   ========================
   Downloads:
https://my.vmware.com/en/group/vmware/get-download?downloadGroup=UMSV333

   vCenter Site Recovery Manager 5.5.1.5
   ======================================
   Downloads:
  
   https://my.vmware.com/web/vmware/details?downloadGroup=SRM5515&productId=357&rPId=7774

   Documentation:
   https://www.vmware.com/support/srm/srm-releasenotes-5-5-1.html 

   vCenter Server 6.0, 5.5
   =======================
   Downloads and Documentation: 
   https://www.vmware.com/go/download-vsphere 

   vRealize Operations Manager 6.0.1
   =================================
   Downloads and Documentation: http://kb.vmware.com/kb/2111898

   vRealize Application Services 6.2, 6.1
   ======================================
   Downloads and Documentation: http://kb.vmware.com/kb/2111981

   NSX for Multi-Hypervisor 4.2.4
   ==============================
   Downloads and Documentation:
   https://my.vmware.com/web/vmware/info/slug/networking_security/vmware_nsx/4_x

   vCloud Application Director 6.0
   ======================================
   Downloads and Documentation: http://kb.vmware.com/kb/2111981

   vCloud Director for Service Providers 5.6.4.1
   =============================================
   Downloads and Documentation:
https://www.vmware.com/support/pubs/vcd_sp_pubs.html

   vCenter Operations Manager 5.8.5, 5.7.4
   =======================================
   Downloads and Documentation: http://kb.vmware.com/kb/2111172

   vCloud Automation Center 6.0.1.2
   ================================
   Downloads and Documentation: http://kb.vmware.com/kb/2111685

   vSphere Replication 5.8.0.2, 5.6.0.3, 5.5.1.5
   =============================================
   Downloads:
   https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5802   
   https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5603
   https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5515
   
   Documentation: 
   http://kb.vmware.com/kb/2112025
   http://kb.vmware.com/kb/2112022 

   vRealize Automation 6.2.1, 6.1.1
   ================================
   Downloads and Documentation: http://kb.vmware.com/kb/2111658

   vRealize Code Stream 1.1, 1.0
   =============================
   Downloads and Documentation: http://kb.vmware.com/kb/2111685

   vFabric Postgres
   ================
   Downloads
  
   https://my.vmware.com/group/vmware/details?downloadGroup=VFPG_936&productId=373&rPId=7787
   https://my.vmware.com/group/vmware/details?downloadGroup=VFPG_92_10&productId=325&rPId=7788
   https://my.vmware.com/group/vmware/details?downloadGroup=VFPG_91_15&productId=274&rPId=7789

   vRealize Hyperic 5.8.4, 5.7.2, 5.0.3
   ====================================
   Downloads and Documentation: http://kb.vmware.com/kb/KB2111337

   vSphere AppHA 1.1.1
   ===================
   Downloads and Documentation: http://kb.vmware.com/kb/2111336

   vCenter Chargeback Manager 2.7
   ====================================
   Downloads and Documentation: http://kb.vmware.com/kb/2112011

   vCenter Chargeback Manager 2.6
   ====================================
   Downloads and Documentation: http://kb.vmware.com/kb/2113178

   vRealize Business Adv/Ent 8.1, 8.0
   ====================================
   Downloads and Documentation: http://kb.vmware.com/kb/2112258

   vRealize Business Standard 6.0, 1.1, 1.0
   =======================================
   Downloads and Documentation: http://kb.vmware.com/kb/2111802

   vRealize Configuration Manager 5.7.3
   ===================================
   Downloads and Documentation: http://kb.vmware.com/kb/2111670

   vRealize Infrastructure Navigator 5.8.4
   =======================================
   Download:
  
   https://my.vmware.com/web/vmware/details?downloadGroup=VIN_584&productId=476
 
   vRealize Infrastructure Navigator 5.7
   =====================================
   Downloads and Documentation: http://kb.vmware.com/kb/2111334

   vRealize Orchestrator 6.0, 5.5
   =====================================
   Downloads and Documentation: http://kb.vmware.com/kb/2112028

   vSphere Update Manager 6.0, 5.5
   ===============================
   Downloads and Documentation: 
   https://www.vmware.com/go/download-vsphere 

5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6593

   JRE 
   Oracle Java SE Critical Patch Update Advisory of January 2015
 
  
http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html

- ------------------------------------------------------------------------

6. Change log

   2015-04-02 VMSA-2015-0003
   Initial security advisory in conjunction with the release of VMware
   Horizon View 6.1, 5.3.4; vCenter Operations Manager 5.8.5;
   vCenter Operations Manager 5.7.4; vCloud Automation Center
   6.0.1.2; vSphere Replication 5.8.0.2, 5.6.0.3; vRealize 
   Automation 6.2.1, 6.1.1; vRealize Code Stream 1.1, 1.0;
   vRealize Hyperic 5.8.4, 5.7.2, 5.0.3; vSphere AppHA 1.1.1;
   vRealize Business Standard 1.1.1, 1.0.1; vRealize Configuration 
   Manager prior to 5.7.3; vRealize Infrastructure 5.7, 5.8.4 Patches 
   released on 2015-04-02.

   2015-04-09 VMSA-2015-0003.1
   Updated Security advisory in conjunction with the release of VMware
   Horizon DaaS Platform 6.1.4, 5.4.5; vRealize Operations Manager 6.0; 
   vRealize Application Services 6.2; vRealize Application Services 6.1;
   vCloud Application Director 6.0; vCenter Chargeback Manager 2.7, 2.6;
   vCloud Director For Service Providers 5.6.4.1;
   vRealize Log Insight 2.5, 2.0, 1.5, 1.0 Patches 
   released on 2015-04-09.

   2015-04-13 VMSA-2015-0003.2
   Updated Security advisory in conjunction with the release of
   vRealize Business Adv/Ent 8.1, 8.0 Patches released 
   on 2015-04-13.

   2015-04-16 VMSA-2015-0003.3
   Updated Security advisory in conjunction with the release of
   vCloud Connector 2.7.1; vCloud Usage Meter 3.3.3; 
   vCenter Server 6.0, 5.5; vSphere Update Manager 6.0, 5.5 patches 
   released on 2015-04-16.

   2015-04-17 VMSA-2015-0003.4
   Updated Security advisory in conjunction with the release of
   vCenter Site Recovery Manager 5.5.1.5 patches released on 2015-04-16.

   2015-04-23 VMSA-2015-0003.5
   Updated Security advisory in conjunction with the release of
   NSX for Multi-Hypervisor 4.2.4 and vFabric Postgres 9.3.6.0, 
   9.2.10.0 or 9.1.15.0 patches released on 2015-04-23.
- ------------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

    security-announce at lists.vmware.com
    bugtraq at securityfocus.com
    fulldisclosure at seclists.org

   E-mail: security at vmware.com
   PGP key at: http://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   Consolidated list of VMware Security Advisories
   http://kb.vmware.com/kb/2078735

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html
 
   Twitter
   https://twitter.com/VMwareSRC

   Copyright 2015 VMware Inc.  All rights reserved.


-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.3.0 (Build 8741)
Charset: utf-8

wj8DBQFVObOnDEcm8Vbi9kMRAr1HAJ9udQwus+7YTSzrgGXBrKrdU6YifgCfSdpn
epARCURCPOcBjEgKuZB9BB0=
=RfXq
-----END PGP SIGNATURE-----
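
The JRE thresholds in section 3a of the advisory above (1.7 Update 75, 1.6 Update 91) can be checked against collected `java -version` output. This is an added example, not part of VMware's advisory; the function names, host names and banners are constructed for illustration, and JRE families the advisory does not name are reported as "unknown" rather than guessed.

```python
import re

# Minimum fixed update per JRE family, taken from section 3a of the advisory:
# "JRE 1.7 Update 75 or newer and JRE 1.6 Update 91 or newer".
FIXED_UPDATE = {(1, 7): 75, (1, 6): 91}

# Legacy Java version string: <major>.<minor>.<patch>[_<update>][-bNN]
_VERSION_RE = re.compile(r'(?<![\d.])(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_jre_version(text):
    """Return (major, minor, update) from `java -version` output or a JRE
    directory name, or None when no version string is present."""
    # Prefer the quoted token on the 'version "..."' line when it exists.
    quoted = re.search(r'version\s+"([^"]+)"', text)
    token = quoted.group(1) if quoted else text
    match = _VERSION_RE.search(token)
    if match is None:
        return None
    major, minor = int(match.group(1)), int(match.group(2))
    # A GA build such as "1.7.0" carries no update suffix: treat as update 0.
    update = int(match.group(4)) if match.group(4) else 0
    return (major, minor, update)


def assess(text):
    """Classify one banner as 'fixed', 'vulnerable', 'unknown' or 'unparsed'."""
    parsed = parse_jre_version(text)
    if parsed is None:
        return "unparsed"
    major, minor, update = parsed
    threshold = FIXED_UPDATE.get((major, minor))
    if threshold is None:
        # The advisory only states thresholds for the 1.6 and 1.7 families.
        return "unknown"
    return "fixed" if update >= threshold else "vulnerable"


def triage(inventory):
    """Group hosts by status. `inventory` maps host name -> collected banner."""
    groups = {"vulnerable": [], "fixed": [], "unknown": [], "unparsed": []}
    for host, banner in inventory.items():
        groups[assess(banner)].append(host)
    return {status: sorted(hosts) for status, hosts in groups.items()}


# Constructed sample data: hypothetical hosts and banners, not real systems.
SAMPLE_INVENTORY = {
    "appliance-a.example.test":
        'java version "1.7.0_67"\n'
        'Java(TM) SE Runtime Environment (build 1.7.0_67-b01)',
    "appliance-b.example.test":
        'java version "1.7.0_75"\n'
        'Java(TM) SE Runtime Environment (build 1.7.0_75-b13)',
    "appliance-c.example.test": 'java version "1.6.0_45"',
    "appliance-d.example.test": 'java version "1.8.0_31"',
    "appliance-e.example.test": 'sh: java: command not found',
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:10s} {', '.join(hosts) or '-'}")
```

Hosts in the "unknown" and "unparsed" groups need a manual look: the first runs a JRE family outside the advisory's stated thresholds, the second returned no version string at all.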

UPDATE: VMSA-2015-0003.4 – VMware product updates address critical information disclosure issue in JRE.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID: VMSA-2015-0003.4
Synopsis:    VMware product updates address critical information 
             disclosure issue in JRE.
Issue date:  2015-04-02
Updated on:  2015-04-17
CVE number:  CVE-2014-6593, for other CVEs see JRE reference 

- ------------------------------------------------------------------------

1. Summary

   VMware product updates address critical information disclosure 
   issue in JRE.
 
2. Relevant Releases

   Horizon View 6.x or 5.x
   Horizon Workspace Portal Server 2.1 or 2.0
   Horizon DaaS Platform 6.1.4 or 5.4.5
   vCloud Connector 2.7
   vCloud Usage Meter 3.3
   vCenter Site Recovery Manager prior to 5.5.1.5
   vCenter Server 6.0 and 5.5
   vRealize Operations Manager 6.0
   vCenter Operations Manager 5.8.x or 5.7.x
   vRealize Application Services 6.2 or 6.1
   vCloud Application Director 6.0
   vRealize Automation 6.2 or 6.1
   vCloud Automation Center 6.0.1
   vSphere Replication prior to 5.8.0.2 or 5.6.0.3
   vRealize Automation 6.2.x or 6.1.x
   vRealize Code Stream 1.1 or 1.0
   vRealize Hyperic 5.8.x, 5.7.x or 5.0.x
   vSphere AppHA prior to 1.1.x
   vCenter Chargeback Manager 2.7 or 2.6
   vRealize Business Adv/Ent 8.1 or 8.0
   vRealize Business Standard prior to 1.1.x or 1.0.x
   NSX for Multi-Hypervisor prior to 4.2.4
   vCloud Director prior to 5.5.3
   vCloud Director Service Providers prior to 5.6.4.1
   vRealize Configuration Manager 5.7.x or 5.6.x
   vRealize Infrastructure 5.8 or 5.7
   vRealize Log Insight 2.5, 2.0, 1.5 or 1.0
   vSphere Update Manager 6.0 or 5.5

3. Problem Description 

   a. Oracle JRE Update

      Oracle JRE is updated in VMware products to address a 
      critical security issue that existed in earlier releases of
      Oracle JRE. 

      VMware products running JRE 1.7 Update 75 or newer and 
      JRE 1.6 Update 91 or newer are not vulnerable to CVE-2014-6593,
      as documented in the Oracle Java SE Critical Patch Update 
      Advisory of January 2015. 

      This advisory also includes the other security issues that 
      are addressed  in JRE 1.7 Update 75 and JRE 1.6 Update 91. The 
      References section provides a link to the JRE advisory.


      The Common Vulnerabilities and Exposures project (cve.mitre.org)
      has assigned the identifier CVE-2014-6593 to this issue.  This 
      issue is also known as "SKIP" or "SKIP-TLS". 

      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is 
      available.

      VMware                         Product    Running   Replace with/
      Product                        Version    on        Apply Patch**
      =============                  =======    =======   =================
      Horizon View                   6.x        any       6.1
      Horizon View                   5.x        any       5.3.4
      Horizon Workspace Portal       2.1, 2.0   any       2.1.1
      Server 

      Horizon DaaS Platform          6.1        any       6.1.4
      Horizon DaaS Platform          6.0        any       patch pending
      Horizon DaaS Platform          5.4        any       5.4.5

      vCloud Networking and Security 5.5        any       patch pending*
      vCloud Connector               2.7        any       2.7.1*
      vCloud Usage Meter             3.3        any       3.3.3* 

      vCenter Site Recovery Manager  5.5.x      any       5.5.1.5***
      vCenter Site Recovery Manager  5.1.x      any       patch pending***
      vCenter Site Recovery Manager  5.0.x      any       patch pending***

      vCenter Server                 6.0        any       6.0.0a
      vCenter Server                 5.5        any       Update 2e
      vCenter Server                 5.1        any       patch pending
      vCenter Server                 5.0        any       patch pending

      vRealize Operations Manager    6.0        any       KB2112028
      vCenter Operations Manager     5.8.x      any       KB2111172
      vCenter Operations Manager     5.7.x      any       KB2111172

      vCenter Support Assistant      5.5.1.x    any       patch pending
   
      vRealize Application Services  6.2        any       KB2111981
      vRealize Application Services  6.1        any       KB2111981
      vCloud Application Director    6.0        any       KB2111981
      vCloud Application Director    5.2        any       KB2111981

      vRealize Automation            6.2        any       KB2111658
      vRealize Automation            6.1        any       KB2111658
      vCloud Automation Center       6.0.1      any       KB2111658
      vRealize Code Stream           1.1        any       KB2111658
      vRealize Code Stream           1.0        any       KB2111658

      vPostgres                      9.3.x      any       patch pending
      vPostgres                      9.2.x      any       patch pending
      vPostgres                      9.1.x      any       patch pending

      vSphere Replication            5.8.1      any       patch pending
      vSphere Replication            5.8.0      any       5.8.0.2
      vSphere Replication            5.6.0      any       5.6.0.3
      vSphere Replication            5.1        any       patch pending

      vSphere Storage Appliance      5.x        any       patch pending*
 
      vRealize Hyperic               5.8        any       KB2111337
      vRealize Hyperic               5.7        any       KB2111337
      vRealize Hyperic               5.0        any       KB2111337

      vSphere AppHA                  1.1        any       KB2111336
      vSphere Big Data Extensions    2.1        any       patch pending*
      vSphere Big Data Extensions    2.0        any       patch pending*

      vSphere Data Protection        6.0        any       patch pending*
      vSphere Data Protection        5.8        any       patch pending*
      vSphere Data Protection        5.5        any       patch pending*
      vSphere Data Protection        5.1        any       patch pending*

      vCenter Chargeback Manager     2.7        any       KB2112011*
      vCenter Chargeback Manager     2.6        any       KB2113178*

      vRealize Business Adv/Ent      8.1        any       KB2112258*
      vRealize Business Adv/Ent      8.0        any       KB2112258*

      vRealize Business Standard     6.0        any       KB2111802
      vRealize Business Standard     1.1        any       KB2111802
      vRealize Business Standard     1.0        any       KB2111802

      NSX for vSphere                6.1        any       patch pending*
      NSX for Multi-Hypervisor       4.2        any       4.2.4*
      vCloud Director                5.5.x      any       5.5.3*
      
      vCloud Director For            5.6.4      any       5.6.4.1*
      Service Providers   

      vCenter Application Discovery  7.0        any       patch pending*
      Manager

      vRealize Configuration Manager 5.7.x      any       KB2111670
      vRealize Configuration Manager 5.6        any       KB2111670

      vRealize Infrastructure        5.8        any       5.8.4
      Navigator  

      vRealize Infrastructure        5.7        any       KB2111334*
      Navigator              

      vRealize Orchestrator          6.0        any       patch pending*
      vRealize Orchestrator          5.2        any       patch pending*
      vRealize Orchestrator          5.1        any       patch pending*

      vShield                        5.5        any       patch pending*

      vRealize Log Insight           2.5        any       KB2113235*
      vRealize Log Insight           2.0        any       KB2113235*
      vRealize Log Insight           1.5        any       KB2113235*
      vRealize Log Insight           1.0        any       KB2113235*

      vSphere Management Assistant   5.x        any       patch pending 

      vSphere Update Manager         6.0        any       6.0.0a*
      vSphere Update Manager         5.5        any       Update 2e*
      vSphere Update Manager         5.1        any       patch pending*
      vSphere Update Manager         5.0        any       patch pending*

      *   The severity of critical is lowered to important for this product
          as it is not considered Internet facing

      **  Knowledge Base (KB) articles provide details of the patches and
          how to install them.
 
      *** vCenter Site Recovery Manager 5.0, 5.1, and 5.5 itself do not 
          include JRE but they include the vSphere Replication appliance 
          which has JRE. vCenter Site Recovery 5.8 and 6.0 do not include 
          JRE nor the vSphere Replication appliance.
 
4. Solution

   Please review the patch/release notes for your product and
   version and verify the checksum of your downloaded file.

   Horizon View 6.1, 5.3.4:
   ========================
   Downloads:
   https://my.vmware.com/web/vmware/details?downloadGroup=VIEW-610-GA&productId=492
   https://my.vmware.com/web/vmware/details?downloadGroup=VIEW-534-PREMIER&productId=396

   VMware Workspace Portal 2.1.1
   =============================
   Download:
  
   https://my.vmware.com/web/vmware/details?downloadGroup=HZNWS211&productId=501&rPId=7586
   Documentation:
   https://www.vmware.com/support/horizon_workspace/doc/wp_release_notes_211.html

   Horizon DaaS Platform 6.1.4
   ===========================
   Download:
   https://my.vmware.com/web/vmware/details?downloadGroup=HORIZON-DAAS-610-BIN&productId=405&rPId=6527

   Horizon DaaS Platform 5.4.5
   ===========================
   Download:
   https://my.vmware.com/web/vmware/details?downloadGroup=HORIZON-DAAS-ONPREM-540&productId=398&rPId=5214

   vCloud Connector 2.7.1
   ======================
   Downloads and Documentation: 
  
   http://www.vmware.com/support/hybridcloud/doc/hybridcloud_271_rel_notes.html

   vCloud Usage Meter 3.3.3
   ========================
   Downloads:
https://my.vmware.com/en/group/vmware/get-download?downloadGroup=UMSV333

   vCenter Site Recovery Manager 5.5.1.5
   ======================================
   Downloads:
  
   https://my.vmware.com/web/vmware/details?downloadGroup=SRM5515&productId=357&rPId=7774

   Documentation:
   https://www.vmware.com/support/srm/srm-releasenotes-5-5-1.html 

   vCenter Server 6.0, 5.5
   =======================
   Downloads and Documentation: 
   https://www.vmware.com/go/download-vsphere 

   vRealize Operations Manager 6.0.1
   =================================
   Downloads and Documentation: http://kb.vmware.com/kb/2112028

   vRealize Application Services 6.2, 6.1
   ======================================
   Downloads and Documentation: http://kb.vmware.com/kb/2111981

   vCloud Application Director 6.0
   ======================================
   Downloads and Documentation: http://kb.vmware.com/kb/2111981

   vCloud Director for Service Providers 5.6.4.1
   =============================================
   Downloads and Documentation:
https://www.vmware.com/support/pubs/vcd_sp_pubs.html

   vCenter Operations Manager 6.0, 5.8.5, 5.7.4
   =======================================
   Downloads and Documentation: http://kb.vmware.com/kb/2111172

   vCloud Automation Center 6.0.1.2
   ================================
   Downloads and Documentation: http://kb.vmware.com/kb/2111685

   vSphere Replication 5.8.0.2, 5.6.0.3
   ====================================
   Downloads:
   https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5802   
   https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5603
   
   Documentation: 
   http://kb.vmware.com/kb/2112025
   http://kb.vmware.com/kb/2112022 

   vRealize Automation 6.2.1, 6.1.1
   ================================
   Downloads and Documentation: http://kb.vmware.com/kb/2111658

   vRealize Code Stream 1.1, 1.0
   =============================
   Downloads and Documentation: http://kb.vmware.com/kb/2111685

   vRealize Hyperic 5.8.4, 5.7.2, 5.0.3
   ====================================
   Downloads and Documentation: http://kb.vmware.com/kb/KB2111337

   vSphere AppHA 1.1.1
   ===================
   Downloads and Documentation: http://kb.vmware.com/kb/2111336

   vCenter Chargeback Manager 2.7
   ====================================
   Downloads and Documentation: http://kb.vmware.com/kb/2112011

   vCenter Chargeback Manager 2.6
   ====================================
   Downloads and Documentation: http://kb.vmware.com/kb/2113178

   vRealize Business Adv/Ent 8.1, 8.0
   ====================================
   Downloads and Documentation: http://kb.vmware.com/kb/2112258

   vRealize Business Standard 6.0, 1.1, 1.0
   =======================================
   Downloads and Documentation: http://kb.vmware.com/kb/2111802

   vRealize Configuration Manager 5.7.3
   ===================================
   Downloads and Documentation: http://kb.vmware.com/kb/2111670

   vRealize Infrastructure Navigator 5.8.4
   =======================================
   Download:
  
   https://my.vmware.com/web/vmware/details?downloadGroup=VIN_584&productId=476
 
   vRealize Infrastructure Navigator 5.7
   =====================================
   Downloads and Documentation: http://kb.vmware.com/kb/2111334

   vSphere Update Manager 6.0, 5.5
   ===============================
   Downloads and Documentation: 
   https://www.vmware.com/go/download-vsphere 

5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6593

   JRE 
   Oracle Java SE Critical Patch Update Advisory of January 2015
 
  
http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html

- ------------------------------------------------------------------------

6. Change log

   2015-04-02 VMSA-2015-0003
   Initial security advisory in conjunction with the release of VMware
   Horizon View 6.1, 5.3.4; vCenter Operations Manager 5.8.5;
   vCenter Operations Manager 5.7.4; vCloud Automation Center
   6.0.1.2; vSphere Replication 5.8.0.2, 5.6.0.3; vRealize 
   Automation 6.2.1, 6.1.1; vRealize Code Stream 1.1, 1.0;
   vRealize Hyperic 5.8.4, 5.7.2, 5.0.3; vSphere AppHA 1.1.1;
   vRealize Business Standard 1.1.1, 1.0.1; vRealize Configuration 
   Manager prior to 5.7.3; vRealize Infrastructure 5.7, 5.8.4 Patches 
   released on 2015-04-02.

   2015-04-09 VMSA-2015-0003.1
   Updated Security advisory in conjunction with the release of VMware
   Horizon DaaS Platform 6.1.4, 5.4.5; vRealize Operations Manager 6.0; 
   vRealize Application Services 6.2; vRealize Application Services 6.1;
   vCloud Application Director 6.0; vCenter Chargeback Manager 2.7, 2.6;
   vCloud Director For Service Providers 5.6.4.1;
   vRealize Log Insight 2.5, 2.0, 1.5, 1.0 Patches 
   released on 2015-04-09.

   2015-04-13 VMSA-2015-0003.2
   Updated Security advisory in conjunction with the release of
   vRealize Business Adv/Ent 8.1, 8.0 Patches released 
   on 2015-04-13.

   2015-04-16 VMSA-2015-0003.3
   Updated Security advisory in conjunction with the release of
   vCloud Connector 2.7.1; vCloud Usage Meter 3.3.3; 
   vCenter Server 6.0, 5.5; vSphere Update Manager 6.0, 5.5 patches 
   released on 2015-04-16.

   2015-04-17 VMSA-2015-0003.4
   Updated Security advisory in conjunction with the release of
   vCenter Site Recovery Manager 5.5.1.5 patches released on 2015-04-16.
- ------------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

    security-announce at lists.vmware.com
    bugtraq at securityfocus.com
    fulldisclosure at seclists.org

   E-mail: security at vmware.com
   PGP key at: http://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   Consolidated list of VMware Security Advisories
   http://kb.vmware.com/kb/2078735

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html
 
   Twitter
   https://twitter.com/VMwareSRC

   Copyright 2015 VMware Inc.  All rights reserved.


-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.3.0 (Build 8741)
Charset: utf-8

wj8DBQFVMTloDEcm8Vbi9kMRAiWqAJ98wvHOIm7HBnnGqXA5WZ9GIFdSTACZAa5i
oXl9cykDdoiQXiDgplPQMJ4=
=Wacd
-----END PGP SIGNATURE-----

UPDATE : VMSA-2015-0003.3 – VMware product updates address critical information disclosure issue in JRE.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID: VMSA-2015-0003.3
Synopsis:    VMware product updates address critical information 
             disclosure issue in JRE.
Issue date:  2015-04-02
Updated on:  2015-04-16
CVE number:  CVE-2014-6593, for other CVEs see JRE reference 

- ------------------------------------------------------------------------

1. Summary

   VMware product updates address critical information disclosure 
   issue in JRE.
 
2. Relevant Releases

   Horizon View 6.x or 5.x
   Horizon Workspace Portal Server 2.1 or 2.0
   Horizon DaaS Platform 6.1.4 or 5.4.5
   vCloud Connector 2.7
   vCloud Usage Meter 3.3
   vCenter Server 6.0 and 5.5
   vRealize Operations Manager 6.0
   vCenter Operations Manager 5.8.x or 5.7.x
   vRealize Application Services 6.2 or 6.1
   vCloud Application Director 6.0
   vRealize Automation 6.2 or 6.1
   vCloud Automation Center 6.0.1
   vSphere Replication prior to 5.8.0.2 or 5.6.0.3
   vRealize Automation 6.2.x or 6.1.x
   vRealize Code Stream 1.1 or 1.0
   vRealize Hyperic 5.8.x, 5.7.x or 5.0.x
   vSphere AppHA Prior to 1.1.x
   vCenter Chargeback Manager 2.7 or 2.6
   vRealize Business Adv/Ent 8.1 or 8.0
   vRealize Business Standard prior to 1.1.x or 1.0.x
   NSX for Multi-Hypervisor  prior to 4.2.4  
   vCloud Director prior to 5.5.3
   vCloud Director Service Providers prior to 5.6.4.1
   vRealize Configuration Manager 5.7.x or 5.6.x
   vRealize Infrastructure 5.8 or 5.7
   vRealize Log Insight 2.5, 2.0, 1.5 or 1.0
   vSphere Update Manager 6.0 or 5.5

3. Problem Description 

   a. Oracle JRE Update

      Oracle JRE is updated in VMware products to address a 
      critical security issue that existed in earlier releases of
      Oracle JRE. 

      VMware products running JRE 1.7 Update 75 or newer and 
      JRE 1.6 Update 91 or newer are not vulnerable to CVE-2014-6593,
      as documented in the Oracle Java SE Critical Patch Update 
      Advisory of January 2015. 

      This advisory also includes the other security issues that 
      are addressed in JRE 1.7 Update 75 and JRE 1.6 Update 91. The 
      References section provides a link to the JRE advisory.


      The Common Vulnerabilities and Exposures project (cve.mitre.org)
      has assigned the identifier CVE-2014-6593 to this issue.  This 
      issue is also known as "SKIP" or "SKIP-TLS". 
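
A check for the JRE thresholds stated above, added here as an example and not part of VMware's advisory: it parses `java -version` banner lines and compares the update number against 1.7 Update 75 and 1.6 Update 91. The host names and banner strings are constructed sample data, and JRE families the advisory does not mention are reported as not covered rather than guessed.

```python
import re

# Fixed update per JRE family, as stated in the advisory text above.
FIXED_UPDATE = {"1.7": 75, "1.6": 91}

# Version token of a `java -version` banner, e.g. java version "1.7.0_71"
VERSION_RE = re.compile(r'version "(\d+)\.(\d+)\.\d+(?:_(\d+))?')

# Constructed inventory: host name -> first line of `java -version` output.
SAMPLE_INVENTORY = {
    "appliance-a.example": 'java version "1.7.0_71"',
    "appliance-b.example": 'java version "1.7.0_75"',
    "appliance-c.example": 'java version "1.6.0_45"',
    "appliance-d.example": 'openjdk version "1.8.0_25"',
    "appliance-e.example": "java: command not found",
}


def classify_jre(banner):
    """Classify one banner line as (family, update, status).

    status is 'fixed', 'needs-update', 'not-covered' (a family the
    advisory gives no threshold for) or 'unparsed'.
    """
    m = VERSION_RE.search(banner)
    if not m:
        return (None, None, "unparsed")
    family = f"{m.group(1)}.{m.group(2)}"
    update = int(m.group(3) or 0)  # "1.7.0" with no _NN suffix is update 0
    minimum = FIXED_UPDATE.get(family)
    if minimum is None:
        return (family, update, "not-covered")
    status = "fixed" if update >= minimum else "needs-update"
    return (family, update, status)


def triage(inventory):
    """Split hosts into (needs_update, needs_review).

    needs_review holds hosts that could not be assessed against the
    advisory, so they are surfaced instead of being silently skipped.
    """
    needs_update, needs_review = [], []
    for host, banner in inventory.items():
        status = classify_jre(banner)[2]
        if status == "needs-update":
            needs_update.append(host)
        elif status in ("not-covered", "unparsed"):
            needs_review.append(host)
    return sorted(needs_update), sorted(needs_review)


if __name__ == "__main__":
    update, review = triage(SAMPLE_INVENTORY)
    print("below fixed update:", update)
    print("review manually:  ", review)
```
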

      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is 
      available.

      VMware                         Product    Running   Replace with/
      Product                        Version    on        Apply Patch**
      =============                  =======    =======   =================
      Horizon View                   6.x        any       6.1
      Horizon View                   5.x        any       5.3.4
      Horizon Workspace Portal       2.1, 2.0   any       2.1.1
      Server 

      Horizon DaaS Platform          6.1        any       6.1.4
      Horizon DaaS Platform          6.0        any       patch pending
      Horizon DaaS Platform          5.4        any       5.4.5

      vCloud Networking and Security 5.5        any       patch pending*
      vCloud Connector               2.7        any       2.7.1*
      vCloud Usage Meter             3.3        any       3.3.3* 

      vCenter Site Recovery Manager  5.5.x      any       patch pending***
      vCenter Site Recovery Manager  5.1.x      any       patch pending***
      vCenter Site Recovery Manager  5.0.x      any       patch pending***

      vCenter Server                 6.0        any       6.0.0a
      vCenter Server                 5.5        any       Update 2e
      vCenter Server                 5.1        any       patch pending
      vCenter Server                 5.0        any       patch pending

      vRealize Operations Manager    6.0        any       KB2112028
      vCenter Operations Manager     5.8.x      any       KB2111172
      vCenter Operations Manager     5.7.x      any       KB2111172

      vCenter Support Assistant      5.5.1.x    any       patch pending
   
      vRealize Application Services  6.2        any       KB2111981
      vRealize Application Services  6.1        any       KB2111981
      vCloud Application Director    6.0        any       KB2111981
      vCloud Application Director    5.2        any       KB2111981

      vRealize Automation            6.2        any       KB2111658
      vRealize Automation            6.1        any       KB2111658
      vCloud Automation Center       6.0.1      any       KB2111658
      vRealize Code Stream           1.1        any       KB2111658
      vRealize Code Stream           1.0        any       KB2111658

      vPostgres                      9.3.x      any       patch pending
      vPostgres                      9.2.x      any       patch pending
      vPostgres                      9.1.x      any       patch pending

      vSphere Replication            5.8.1      any       patch pending
      vSphere Replication            5.8.0      any       5.8.0.2
      vSphere Replication            5.6.0      any       5.6.0.3
      vSphere Replication            5.1        any       patch pending

      vSphere Storage Appliance      5.x        any       patch pending*
 
      vRealize Hyperic               5.8        any       KB2111337
      vRealize Hyperic               5.7        any       KB2111337
      vRealize Hyperic               5.0        any       KB2111337

      vSphere AppHA                  1.1        any       KB2111336
      vSphere Big Data Extensions    2.1        any       patch pending*
      vSphere Big Data Extensions    2.0        any       patch pending*

      vSphere Data Protection        6.0        any       patch pending*
      vSphere Data Protection        5.8        any       patch pending*
      vSphere Data Protection        5.5        any       patch pending*
      vSphere Data Protection        5.1        any       patch pending*

      vCenter Chargeback Manager     2.7        any       KB2112011*
      vCenter Chargeback Manager     2.6        any       KB2113178*

      vRealize Business Adv/Ent      8.1        any       KB2112258*
      vRealize Business Adv/Ent      8.0        any       KB2112258*

      vRealize Business Standard     6.0        any       KB2111802
      vRealize Business Standard     1.1        any       KB2111802
      vRealize Business Standard     1.0        any       KB2111802

      NSX for vSphere                6.1        any       patch pending*
      NSX for Multi-Hypervisor       4.2        any       4.2.4*
      vCloud Director                5.5.x      any       5.5.3*
      
      vCloud Director For            5.6.4      any       5.6.4.1*
      Service Providers   

      vCenter Application Discovery  7.0        any       patch pending*
      Manager

      vRealize Configuration Manager 5.7.x      any       KB2111670
      vRealize Configuration Manager 5.6        any       KB2111670

      vRealize Infrastructure        5.8        any       5.8.4
      Navigator  

      vRealize Infrastructure        5.7        any       KB2111334*
      Navigator              

      vRealize Orchestrator          6.0        any       patch pending*
      vRealize Orchestrator          5.2        any       patch pending*
      vRealize Orchestrator          5.1        any       patch pending*

      vShield                        5.5        any       patch pending*

      vRealize Log Insight           2.5        any       KB2113235*
      vRealize Log Insight           2.0        any       KB2113235*
      vRealize Log Insight           1.5        any       KB2113235*
      vRealize Log Insight           1.0        any       KB2113235*

      vSphere Management Assistant   5.x        any       patch pending 

      vSphere Update Manager         6.0        any       6.0.0a*
      vSphere Update Manager         5.5        any       Update 2e*
      vSphere Update Manager         5.1        any       patch pending*
      vSphere Update Manager         5.0        any       patch pending*

      *   The severity of critical is lowered to important for this product
          as it is not considered Internet facing

      **  Knowledge Base (KB) articles provide details of the patches and
          how to install them. 
 
      *** vCenter Site Recovery Manager 5.0, 5.1, and 5.5 themselves do not 
          include JRE but they include the vSphere Replication appliance 
          which has JRE. vCenter Site Recovery 5.8 and 6.0 do not include 
          JRE nor the vSphere Replication appliance.
 
4. Solution

   Please review the patch/release notes for your product and
   version and verify the checksum of your downloaded file. 

   Horizon View 6.1, 5.3.4:
   ========================
   Downloads: 
   https://my.vmware.com/web/vmware/details?downloadGroup=VIEW-610-GA&productId=492
   https://my.vmware.com/web/vmware/details?downloadGroup=VIEW-534-PREMIER&productId=396

   VMware Workspace Portal 2.1.1
   =============================
   Download:
   https://my.vmware.com/web/vmware/details?downloadGroup=HZNWS211&productId=501&rPId=7586
   Documentation:
   https://www.vmware.com/support/horizon_workspace/doc/wp_release_notes_211.html

   Horizon DaaS Platform 6.1.4
   ===========================
   Download:
   https://my.vmware.com/web/vmware/details?downloadGroup=HORIZON-DAAS-610-BIN&productId=405&rPId=6527

   Horizon DaaS Platform 5.4.5
   ===========================
   Download:
   https://my.vmware.com/web/vmware/details?downloadGroup=HORIZON-DAAS-ONPREM-540&productId=398&rPId=5214

   vCloud Connector 2.7.1
   ======================
   Downloads and Documentation: 
   http://www.vmware.com/support/hybridcloud/doc/hybridcloud_271_rel_notes.html

   vCloud Usage Meter 3.3.3
   ========================
   Downloads:
https://my.vmware.com/en/group/vmware/get-download?downloadGroup=UMSV333

   vCenter Server 6.0, 5.5
   =======================
   Downloads and Documentation: 
   https://www.vmware.com/go/download-vsphere 

   vRealize Operations Manager 6.0.1
   =================================
   Downloads and Documentation: http://kb.vmware.com/kb/2112028

   vRealize Application Services 6.2, 6.1
   ======================================
   Downloads and Documentation: http://kb.vmware.com/kb/2111981

   vCloud Application Director 6.0
   ======================================
   Downloads and Documentation: http://kb.vmware.com/kb/2111981

   vCloud Director for Service Providers 5.6.4.1
   =============================================
   Downloads and Documentation:
https://www.vmware.com/support/pubs/vcd_sp_pubs.html

   vCenter Operations Manager 6.0, 5.8.5, 5.7.4
   =======================================
   Downloads and Documentation: http://kb.vmware.com/kb/2111172

   vCloud Automation Center 6.0.1.2
   ================================
   Downloads and Documentation: http://kb.vmware.com/kb/2111685

   vSphere Replication 5.8.0.2, 5.6.0.3
   ====================================
   Downloads:
   https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5802   
   https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5603
   
   Documentation: 
   http://kb.vmware.com/kb/2112025
   http://kb.vmware.com/kb/2112022 

   vRealize Automation 6.2.1, 6.1.1
   ================================
   Downloads and Documentation: http://kb.vmware.com/kb/2111658

   vRealize Code Stream 1.1, 1.0
   =============================
   Downloads and Documentation: http://kb.vmware.com/kb/2111685

   vRealize Hyperic 5.8.4, 5.7.2, 5.0.3
   ====================================
   Downloads and Documentation: http://kb.vmware.com/kb/KB2111337

   vSphere AppHA 1.1.1
   ===================
   Downloads and Documentation: http://kb.vmware.com/kb/2111336

   vCenter Chargeback Manager 2.7
   ====================================
   Downloads and Documentation: http://kb.vmware.com/kb/2112011

   vCenter Chargeback Manager 2.6
   ====================================
   Downloads and Documentation: http://kb.vmware.com/kb/2113178

   vRealize Business Adv/Ent 8.1, 8.0
   ====================================
   Downloads and Documentation: http://kb.vmware.com/kb/2112258

   vRealize Business Standard 6.0, 1.1, 1.0
   =======================================
   Downloads and Documentation: http://kb.vmware.com/kb/2111802

   vRealize Configuration Manager 5.7.3
   ===================================
   Downloads and Documentation: http://kb.vmware.com/kb/2111670

   vRealize Infrastructure Navigator 5.8.4
   =======================================
   Download:
   https://my.vmware.com/web/vmware/details?downloadGroup=VIN_584&productId=476
 
   vRealize Infrastructure Navigator 5.7
   =====================================
   Downloads and Documentation: http://kb.vmware.com/kb/2111334

   vSphere Update Manager 6.0, 5.5
   ===============================
   Downloads and Documentation: 
   https://www.vmware.com/go/download-vsphere 

5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6593

   JRE 
   Oracle Java SE Critical Patch Update Advisory of January 2015
 
  
http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html

- ------------------------------------------------------------------------

6. Change log

   2015-04-02 VMSA-2015-0003
   Initial security advisory in conjunction with the release of VMware
   Horizon View 6.1, 5.3.4; vCenter Operations Manager 5.8.5;
   vCenter Operations Manager 5.7.4; vCloud Automation Center
   6.0.1.2; vSphere Replication 5.8.0.2, 5.6.0.3; vRealize 
   Automation 6.2.1, 6.1.1; vRealize Code Stream 1.1, 1.0;
   vRealize Hyperic 5.8.4, 5.7.2, 5.0.3; vSphere AppHA 1.1.1;
   vRealize Business Standard 1.1.1, 1.0.1; vRealize Configuration 
   Manager prior to 5.7.3; vRealize Infrastructure 5.7, 5.8.4 Patches 
   released on 2015-04-02.

   2015-04-09 VMSA-2015-0003.1
   Updated Security advisory in conjunction with the release of VMware
   Horizon DaaS Platform 6.1.4, 5.4.5; vRealize Operations Manager 6.0; 
   vRealize Application Services 6.2; vRealize Application Services 6.1;
   vCloud Application Director 6.0; vCenter Chargeback Manager 2.7, 2.6;
   vCloud Director For Service Providers 5.6.4.1;
   vRealize Log Insight 2.5, 2.0, 1.5, 1.0 Patches 
   released on 2015-04-09.

   2015-04-13 VMSA-2015-0003.2
   Updated Security advisory in conjunction with the release of
   vRealize Business Adv/Ent 8.1, 8.0 Patches released 
   on 2015-04-13.

   2015-04-16 VMSA-2015-0003.3
   Updated Security advisory in conjunction with the release of
   vCloud Connector 2.7.1; vCloud Usage Meter 3.3.3; 
   vCenter Server 6.0, 5.5; vSphere Update Manager 6.0, 5.5 patches 
   released on 2015-04-16.
- ------------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

    security-announce at lists.vmware.com
    bugtraq at securityfocus.com
    fulldisclosure at seclists.org

   E-mail: security at vmware.com
   PGP key at: http://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   Consolidated list of VMware Security Advisories
   http://kb.vmware.com/kb/2078735

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html
 
   Twitter
   https://twitter.com/VMwareSRC

   Copyright 2015 VMware Inc.  All rights reserved.


-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.3.0 (Build 8741)
Charset: utf-8

wj8DBQFVMH60DEcm8Vbi9kMRAnvzAJ99bwjrMsOLltGDjRbEPYqPWfs4VQCfV8E7
h//De9PAIowPY1K6fQ3pFHs=
=ShdE
-----END PGP SIGNATURE-----

UPDATE : VMSA-2015-0003.2 – VMware product updates address critical information disclosure issue in JRE.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID: VMSA-2015-0003.2
Synopsis:    VMware product updates address critical information 
             disclosure issue in JRE.
Issue date:  2015-04-02
Updated on:  2015-04-13
CVE number:  CVE-2014-6593, for other CVEs see JRE reference 

- ------------------------------------------------------------------------

1. Summary

   VMware product updates address critical information disclosure 
   issue in JRE.
 
2. Relevant Releases

   Horizon View 6.x or 5.x
   Horizon Workspace Portal Server 2.1 or 2.0
   Horizon DaaS Platform 6.1.4 or 5.4.5
   vRealize Operations Manager 6.0
   vCenter Operations Manager 5.8.x or 5.7.x
   vRealize Application Services 6.2 or 6.1
   vCloud Application Director 6.0
   vRealize Automation 6.2 or 6.1
   vCloud Automation Center 6.0.1
   vSphere Replication prior to 5.8.0.2 or 5.6.0.3
   vRealize Automation 6.2.x or 6.1.x
   vRealize Code Stream 1.1 or 1.0
   vRealize Hyperic 5.8.x, 5.7.x or 5.0.x
   vSphere AppHA Prior to 1.1.x
   vCenter Chargeback Manager 2.7 or 2.6
   vRealize Business Adv/Ent 8.1 or 8.0
   vRealize Business Standard prior to 1.1.x or 1.0.x
   NSX for Multi-Hypervisor  prior to 4.2.4  
   vCloud Director prior to 5.5.3
   vCloud Director Service Providers prior to 5.6.4.1
   vRealize Configuration Manager 5.7.x or 5.6.x
   vRealize Infrastructure 5.8 or 5.7
   vRealize Log Insight 2.5, 2.0, 1.5 or 1.0

3. Problem Description 

   a. Oracle JRE Update

      Oracle JRE is updated in VMware products to address a 
      critical security issue that existed in earlier releases of
      Oracle JRE. 

      VMware products running JRE 1.7 Update 75 or newer and 
      JRE 1.6 Update 91 or newer are not vulnerable to CVE-2014-6593,
      as documented in the Oracle Java SE Critical Patch Update 
      Advisory of January 2015. 

      This advisory also includes the other security issues that 
      are addressed in JRE 1.7 Update 75 and JRE 1.6 Update 91. The 
      References section provides a link to the JRE advisory.


      The Common Vulnerabilities and Exposures project (cve.mitre.org)
      has assigned the identifier CVE-2014-6593 to this issue.  This 
      issue is also known as "SKIP" or "SKIP-TLS". 

      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is 
      available.

      VMware                         Product    Running   Replace with/
      Product                        Version    on        Apply Patch**
      =============                  =======    =======   =================
      Horizon View                   6.x        any       6.1
      Horizon View                   5.x        any       5.3.4
      Horizon Workspace Portal       2.1, 2.0   any       2.1.1
      Server 

      Horizon DaaS Platform          6.1        any       6.1.4
      Horizon DaaS Platform          6.0        any       patch pending
      Horizon DaaS Platform          5.4        any       5.4.5

      vCloud Networking and Security 5.5        any       patch pending*
      vCloud Connector               2.7        any       patch pending*
      vCloud Usage Meter             3.3        any       patch pending* 

      vCenter Site Recovery Manager  5.5.x      any       patch pending***
      vCenter Site Recovery Manager  5.1.x      any       patch pending***
      vCenter Site Recovery Manager  5.0.x      any       patch pending***

      vCenter Server                 6.0        any       patch pending
      vCenter Server                 5.5        any       patch pending
      vCenter Server                 5.1        any       patch pending
      vCenter Server                 5.0        any       patch pending

      vRealize Operations Manager    6.0        any       KB2112028
      vCenter Operations Manager     5.8.x      any       KB2111172
      vCenter Operations Manager     5.7.x      any       KB2111172

      vCenter Support Assistant      5.5.1.x    any       patch pending
   
      vRealize Application Services  6.2        any       KB2111981
      vRealize Application Services  6.1        any       KB2111981
      vCloud Application Director    6.0        any       KB2111981
      vCloud Application Director    5.2        any       KB2111981

      vRealize Automation            6.2        any       KB2111658
      vRealize Automation            6.1        any       KB2111658
      vCloud Automation Center       6.0.1      any       KB2111658
      vRealize Code Stream           1.1        any       KB2111658
      vRealize Code Stream           1.0        any       KB2111658

      vPostgres                      9.3.x      any       patch pending
      vPostgres                      9.2.x      any       patch pending
      vPostgres                      9.1.x      any       patch pending

      vSphere Replication            5.8.1      any       patch pending
      vSphere Replication            5.8.0      any       5.8.0.2
      vSphere Replication            5.6.0      any       5.6.0.3
      vSphere Replication            5.1        any       patch pending

      vSphere Storage Appliance      5.x        any       patch pending*
 
      vRealize Hyperic               5.8        any       KB2111337
      vRealize Hyperic               5.7        any       KB2111337
      vRealize Hyperic               5.0        any       KB2111337

      vSphere AppHA                  1.1        any       KB2111336
      vSphere Big Data Extensions    2.1        any       patch pending*
      vSphere Big Data Extensions    2.0        any       patch pending*

      vSphere Data Protection        6.0        any       patch pending*
      vSphere Data Protection        5.8        any       patch pending*
      vSphere Data Protection        5.5        any       patch pending*
      vSphere Data Protection        5.1        any       patch pending*

      vCenter Chargeback Manager     2.7        any       KB2112011*
      vCenter Chargeback Manager     2.6        any       KB2113178*

      vRealize Business Adv/Ent      8.1        any       KB2112258*
      vRealize Business Adv/Ent      8.0        any       KB2112258*

      vRealize Business Standard     6.0        any       KB2111802
      vRealize Business Standard     1.1        any       KB2111802
      vRealize Business Standard     1.0        any       KB2111802

      NSX for vSphere                6.1        any       patch pending*
      NSX for Multi-Hypervisor       4.2        any       4.2.4*
      vCloud Director                5.5.x      any       5.5.3*
      
      vCloud Director For            5.6.4      any       5.6.4.1*
      Service Providers   

      vCenter Application Discovery  7.0        any       patch pending*
      Manager

      vRealize Configuration Manager 5.7.x      any       KB2111670
      vRealize Configuration Manager 5.6        any       KB2111670

      vRealize Infrastructure        5.8        any       5.8.4
      Navigator  

      vRealize Infrastructure        5.7        any       KB2111334*
      Navigator              

      vRealize Orchestrator          6.0        any       patch pending*
      vRealize Orchestrator          5.2        any       patch pending*
      vRealize Orchestrator          5.1        any       patch pending*

      vShield                        5.5        any       patch pending*

      vRealize Log Insight           2.5        any       KB2113235*
      vRealize Log Insight           2.0        any       KB2113235*
      vRealize Log Insight           1.5        any       KB2113235*
      vRealize Log Insight           1.0        any       KB2113235*

      vSphere Management Assistant   5.x        any       patch pending 

      vSphere Update Manager         6.0        any       patch pending*
      vSphere Update Manager         5.5        any       patch pending*
      vSphere Update Manager         5.1        any       patch pending*
      vSphere Update Manager         5.0        any       patch pending*

      *   The severity of critical is lowered to important for this product
          as it is not considered Internet facing

      **  Knowledge Base (KB) articles provide details of the patches and
          how to install them. 
 
      *** vCenter Site Recovery Manager 5.0, 5.1, and 5.5 themselves do not 
          include JRE but they include the vSphere Replication appliance 
          which has JRE. vCenter Site Recovery 5.8 and 6.0 do not include 
          JRE nor the vSphere Replication appliance.
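
Added example, not part of the advisory: a parser for the remediation table layout used above that diffs two revisions of the advisory and lists the rows still marked "patch pending". The embedded rows are a short excerpt copied from the .2 and .3 tables on this page; the function names are this example's own.

```python
import re

# Excerpt of the .2 table on this page (header, a few rows, first footnote).
REV2 = """\
      VMware                         Product    Running   Replace with/
      Product                        Version    on        Apply Patch**
      =============                  =======    =======   =================
      Horizon Workspace Portal       2.1 ,2.0   any       2.1.1
      Server

      vCloud Connector               2.7        any       patch pending*
      vCenter Site Recovery Manager  5.5.x      any       patch pending***
      vCenter Server                 6.0        any       patch pending
      vCenter Server                 5.1        any       patch pending
      vRealize Infrastructure        5.7        any       KB2111334*
      Navigator

      *   The severity of critical is lowered to important for this product
"""

# The same rows as they appear in the .3 table on this page.
REV3 = REV2.replace(
    "vCloud Connector               2.7        any       patch pending*",
    "vCloud Connector               2.7        any       2.7.1*",
).replace(
    "vCenter Server                 6.0        any       patch pending",
    "vCenter Server                 6.0        any       6.0.0a",
)

# product name, one or more versions ("2.1 ,2.0"), "any", then the action.
ROW = re.compile(
    r"^\s*(?P<product>\S.*?)\s+"
    r"(?P<versions>\d[\d.x]*(?:\s*,\s*\d[\d.x]*)*)\s+"
    r"any\s+(?P<action>\S.*?)\s*$"
)


def parse_table(text):
    """Return {(product, version): (action, footnote_marker)}."""
    rows = {}
    last = []  # keys of the row just parsed, in case its name wraps
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or set(stripped) <= {"=", " "}:
            last = []  # blank line or ==== separator ends a row
            continue
        if stripped.startswith("*"):
            break  # footnotes follow the table
        m = ROW.match(line)
        if m:
            action = m.group("action")
            marker = action[len(action.rstrip("*")):]
            last = []
            for version in re.split(r"\s*,\s*", m.group("versions")):
                key = (m.group("product"), version)
                rows[key] = (action.rstrip("*").strip(), marker)
                last.append(key)
        elif last:
            # Wrapped product name ("Server", "Navigator"): extend the key.
            for product, version in last:
                rows[(product + " " + stripped, version)] = rows.pop(
                    (product, version)
                )
            last = []
        # Header lines match nothing and have no preceding row: ignored.
    return rows


def diff_revisions(old, new):
    """List (product, version, old_action, new_action) for changed rows."""
    changes = []
    for key in sorted(new):
        before = old.get(key, (None, ""))[0]
        after = new[key][0]
        if before != after:
            changes.append((key[0], key[1], before, after))
    return changes


def still_pending(rows):
    """Rows for which the advisory offers no fix yet."""
    return sorted(k for k, (action, _) in rows.items() if action == "patch pending")


if __name__ == "__main__":
    old, new = parse_table(REV2), parse_table(REV3)
    for change in diff_revisions(old, new):
        print("changed:", change)
    for key in still_pending(new):
        print("pending:", key)
```
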
 
4. Solution

   Please review the patch/release notes for your product and
   version and verify the checksum of your downloaded file. 

   Horizon View 6.1, 5.3.4:
   ========================
   Downloads: 
   https://my.vmware.com/web/vmware/details?downloadGroup=VIEW-610-GA&productId=492
   https://my.vmware.com/web/vmware/details?downloadGroup=VIEW-534-PREMIER&productId=396

   VMware Workspace Portal 2.1.1
   =============================
   Download:
   https://my.vmware.com/web/vmware/details?downloadGroup=HZNWS211&productId=501&rPId=7586
   Documentation:
   https://www.vmware.com/support/horizon_workspace/doc/wp_release_notes_211.html

   Horizon DaaS Platform 6.1.4
   ===========================
   Download:
   https://my.vmware.com/web/vmware/details?downloadGroup=HORIZON-DAAS-610-BIN&productId=405&rPId=6527

   Horizon DaaS Platform 5.4.5
   ===========================
   Download:
   https://my.vmware.com/web/vmware/details?downloadGroup=HORIZON-DAAS-ONPREM-540&productId=398&rPId=5214

   vRealize Operations Manager 6.0.1
   =================================
   Downloads and Documentation: http://kb.vmware.com/kb/2112028

   vRealize Application Services 6.2, 6.1
   ======================================
   Downloads and Documentation: http://kb.vmware.com/kb/2111981

   vCloud Application Director 6.0
   ======================================
   Downloads and Documentation: http://kb.vmware.com/kb/2111981

   vCloud Director for Service Providers 5.6.4.1
   =============================================
   Downloads and Documentation:
https://www.vmware.com/support/pubs/vcd_sp_pubs.html

   vCenter Operations Manager 6.0, 5.8.5, 5.7.4
   =======================================
   Downloads and Documentation: http://kb.vmware.com/kb/2111172

   vCloud Automation Center 6.0.1.2
   ================================
   Downloads and Documentation: http://kb.vmware.com/kb/2111685

   vSphere Replication 5.8.0.2, 5.6.0.3
   ====================================
   Downloads:
   https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5802   
   https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5603
   
   Documentation: 
   http://kb.vmware.com/kb/2112025
   http://kb.vmware.com/kb/2112022 

   vRealize Automation 6.2.1, 6.1.1
   ================================
   Downloads and Documentation: http://kb.vmware.com/kb/2111658

   vRealize Code Stream 1.1, 1.0
   =============================
   Downloads and Documentation: http://kb.vmware.com/kb/2111685

   vRealize Hyperic 5.8.4, 5.7.2, 5.0.3
   ====================================
   Downloads and Documentation: http://kb.vmware.com/kb/KB2111337

   vSphere AppHA 1.1.1
   ===================
   Downloads and Documentation: http://kb.vmware.com/kb/2111336

   vCenter Chargeback Manager 2.7
   ====================================
   Downloads and Documentation: http://kb.vmware.com/kb/2112011

   vCenter Chargeback Manager 2.6
   ====================================
   Downloads and Documentation: http://kb.vmware.com/kb/2113178

   vRealize Business Adv/Ent 8.1, 8.0
   ====================================
   Downloads and Documentation: http://kb.vmware.com/kb/2112258

   vRealize Business Standard 6.0, 1.1, 1.0
   =======================================
   Downloads and Documentation: http://kb.vmware.com/kb/2111802

   vRealize Configuration Manager 5.7.3
   ===================================
   Downloads and Documentation: http://kb.vmware.com/kb/2111670

   vRealize Infrastructure Navigator 5.8.4
   =======================================
   Download:
   https://my.vmware.com/web/vmware/details?downloadGroup=VIN_584&productId=476
 
   vRealize Infrastructure Navigator 5.7
   =====================================
   Downloads and Documentation: http://kb.vmware.com/kb/2111334

5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6593

   JRE 
   Oracle Java SE Critical Patch Update Advisory of January 2015
 
  
http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html

- ------------------------------------------------------------------------

6. Change log

   2015-04-02 VMSA-2015-0003
   Initial security advisory in conjunction with the release of VMware
   Horizon View 6.1, 5.3.4; vCenter Operations Manager 5.8.5;
   vCenter Operations Manager 5.7.4; vCloud Automation Center
   6.0.1.2; vSphere Replication 5.8.0.2, 5.6.0.3; vRealize 
   Automation 6.2.1, 6.1.1; vRealize Code Stream 1.1, 1.0;
   vRealize Hyperic 5.8.4, 5.7.2, 5.0.3; vSphere AppHA 1.1.1;
   vRealize Business Standard 1.1.1, 1.0.1; vRealize Configuration 
   Manager prior to 5.7.3; vRealize Infrastructure 5.7, 5.8.4 Patches 
   released on 2015-04-02.

   2015-04-09 VMSA-2015-0003.1
   Updated Security advisory in conjunction with the release of VMware
   Horizon DaaS Platform 6.1.4, 5.4.5; vRealize Operations Manager 6.0; 
   vRealize Application Services 6.2; vRealize Application Services 6.1;
   vCloud Application Director 6.0; vCenter Chargeback Manager 2.7, 2.6;
   vCloud Director For Service Providers 5.6.4.1;
   vRealize Log Insight 2.5, 2.0, 1.5, 1.0 Patches 
   released on 2015-04-09.

   2015-04-13 VMSA-2015-0003.2
   Updated Security advisory in conjunction with the release of
   vRealize Business Adv/Ent 8.1, 8.0 Patches released 
   on 2015-04-13.
- ------------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

    security-announce at lists.vmware.com
    bugtraq at securityfocus.com
    fulldisclosure at seclists.org

   E-mail: security at vmware.com
   PGP key at: http://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   Consolidated list of VMware Security Advisories
   http://kb.vmware.com/kb/2078735

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html
 
   Twitter
   https://twitter.com/VMwareSRC

   Copyright 2015 VMware Inc.  All rights reserved.


-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.3.0 (Build 8741)
Charset: utf-8

wj8DBQFVLBMgDEcm8Vbi9kMRAvaaAKDrax6e77WldoyNU0b+OEym+b1tfgCfamxh
gjaTHulE0WVOGNNLpjHZ4jk=
=L8TV
-----END PGP SIGNATURE-----

UPDATE : VMSA-2015-0003.1 – VMware product updates address critical information disclosure issue in JRE.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID: VMSA-2015-0003.1
Synopsis:    VMware product updates address critical information 
             disclosure issue in JRE.
Issue date:  2015-04-02
Updated on:  2015-04-09
CVE number:  CVE-2014-6593, for other CVEs see JRE reference 

- ------------------------------------------------------------------------

1. Summary

   VMware product updates address critical information disclosure 
   issue in JRE.
 
2. Relevant Releases

   Horizon View 6.x or 5.x
   Horizon Workspace Portal Server 2.1 or 2.0
   Horizon DaaS Platform 6.1.4 or 5.4.5
   vRealize Operations Manager 6.0
   vCenter Operations Manager 5.8.x or 5.7.x
   vRealize Application Services 6.2 or 6.1
   vCloud Application Director 6.0
   vRealize Automation 6.2 or 6.1
   vCloud Automation Center 6.0.1
   vSphere Replication prior to 5.8.0.2 or 5.6.0.3
   vRealize Automation 6.2.x or 6.1.x
   vRealize Code Stream 1.1 or 1.0
   vRealize Hyperic 5.8.x, 5.7.x or 5.0.x
   vSphere AppHA Prior to 1.1.x
   vCenter Chargeback Manager 2.7 or 2.6
   vRealize Business Standard prior to 1.1.x or 1.0.x
   NSX for Multi-Hypervisor  prior to 4.2.4  
   vCloud Director prior to 5.5.3
   vCloud Director Service Providers prior to 5.6.4.1
   vRealize Configuration Manager 5.7.x or 5.6.x
   vRealize Infrastructure 5.8 or 5.7
   vRealize Log Insight 2.5, 2.0, 1.5 or 1.0

3. Problem Description 

   a. Oracle JRE Update

      Oracle JRE is updated in VMware products to address a 
      critical security issue that existed in earlier releases of
      Oracle JRE. 

      VMware products running JRE 1.7 Update 75 or newer and 
      JRE 1.6 Update 91 or newer are not vulnerable to CVE-2014-6593,
      as documented in the Oracle Java SE Critical Patch Update 
      Advisory of January 2015. 

      This advisory also includes the other security issues that 
      are addressed  in JRE 1.7 Update 75 and JRE 1.6 Update 91. The 
      References section provides a link to the JRE advisory.


      The Common Vulnerabilities and Exposures project (cve.mitre.org)
      has assigned the identifier CVE-2014-6593 to this issue.  This 
      issue is also known as "SKIP" or "SKIP-TLS". 

      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is 
      available.

      VMware                         Product    Running   Replace with/
      Product                        Version    on        Apply Patch**
      =============                  =======    =======   =================
      Horizon View                   6.x        any       6.1
      Horizon View                   5.x        any       5.3.4
      Horizon Workspace Portal       2.1 ,2.0   any       2.1.1
      Server 

      Horizon DaaS Platform          6.1        any       6.1.4
      Horizon DaaS Platform          6.0        any       patch pending
      Horizon DaaS Platform          5.4        any       5.4.5

      vCloud Networking and Security 5.5        any       patch pending*
      vCloud Connector               2.7        any       patch pending*
      vCloud Usage Meter             3.3        any       patch pending* 

      vCenter Site Recovery Manager  5.5.x      any       patch pending***
      vCenter Site Recovery Manager  5.1.x      any       patch pending***
      vCenter Site Recovery Manager  5.0.x      any       patch pending***

      vCenter Server                 6.0        any       patch pending
      vCenter Server                 5.5        any       patch pending
      vCenter Server                 5.1        any       patch pending
      vCenter Server                 5.0        any       patch pending

      vRealize Operations Manager    6.0        any       KB2112028
      vCenter Operations Manager     5.8.x      any       KB2111172
      vCenter Operations Manager     5.7.x      any       KB2111172

      vCenter Support Assistant      5.5.1.x    any       patch pending
   
      vRealize Application Services  6.2        any       KB2111981
      vRealize Application Services  6.1        any       KB2111981
      vCloud Application Director    6.0        any       KB2111981
      vCloud Application Director    5.2        any       KB2111981

      vRealize Automation            6.2        any       KB2111658
      vRealize Automation            6.1        any       KB2111658
      vCloud Automation Center       6.0.1      any       KB2111658
      vRealize Code Stream           1.1        any       KB2111658
      vRealize Code Stream           1.0        any       KB2111658

      vPostgres                      9.3.x      any       patch pending
      vPostgres                      9.2.x      any       patch pending
      vPostgres                      9.1.x      any       patch pending

      vSphere Replication            5.8.1      any       patch pending
      vSphere Replication            5.8.0      any       5.8.0.2
      vSphere Replication            5.6.0      any       5.6.0.3
      vSphere Replication            5.1        any       patch pending

      vSphere Storage Appliance      5.x        any       patch pending*
 
      vRealize Hyperic               5.8        any       KB2111337
      vRealize Hyperic               5.7        any       KB2111337
      vRealize Hyperic               5.0        any       KB2111337

      vSphere AppHA                  1.1        any       KB2111336
      vSphere Big Data Extensions    2.1        any       patch pending*
      vSphere Big Data Extensions    2.0        any       patch pending*

      vSphere Data Protection        6.0        any       patch pending*
      vSphere Data Protection        5.8        any       patch pending*
      vSphere Data Protection        5.5        any       patch pending*
      vSphere Data Protection        5.1        any       patch pending*

      vCenter Chargeback Manager     2.7        any       KB2112011*
      vCenter Chargeback Manager     2.6        any       KB2113178*

      vRealize Business Adv/Ent      8.1        any       patch pending*
      vRealize Business Adv/Ent      8.0        any       patch pending*

      vRealize Business Standard     6.0        any       KB2111802
      vRealize Business Standard     1.1        any       KB2111802
      vRealize Business Standard     1.0        any       KB2111802

      NSX for vSphere                6.1        any       patch pending*
      NSX for Multi-Hypervisor       4.2        any       4.2.4*
      vCloud Director                5.5.x      any       5.5.3*
      
      vCloud Director For            5.6.4      any       5.6.4.1*
      Service Providers   

      vCenter Application Discovery  7.0        any       patch pending*
      Manager

      vRealize Configuration Manager 5.7.x      any       KB2111670
      vRealize Configuration Manager 5.6        any       KB2111670

      vRealize Infrastructure        5.8        any       5.8.4
      Navigator  

      vRealize Infrastructure        5.7        any       KB2111334*
      Navigator              

      vRealize Orchestrator          6.0        any       patch pending*
      vRealize Orchestrator          5.2        any       patch pending*
      vRealize Orchestrator          5.1        any       patch pending*

      vShield                        5.5        any       patch pending*

      vRealize Log Insight           2.5        any       KB2113235*
      vRealize Log Insight           2.0        any       KB2113235*
      vRealize Log Insight           1.5        any       KB2113235*
      vRealize Log Insight           1.0        any       KB2113235*

      vSphere Management Assistant   5.x        any       patch pending 

      vSphere Update Manager         6.0        any       patch pending*
      vSphere Update Manager         5.5        any       patch pending*
      vSphere Update Manager         5.1        any       patch pending*
      vSphere Update Manager         5.0        any       patch pending*

      *   The severity of critical is lowered to important for this product
          as it is not considered Internet facing

      **  Knowledge Base (KB) articles provide details of the patches and
          how to install them. 
 
      *** vCenter Site Recovery Manager 5.0, 5.1, and 5.5 itself do not 
          include JRE but they include the vSphere Replication appliance 
          which has JRE. vCenter Site Recovery 5.8 and 6.0 do not include 
          JRE nor the vSphere Replication appliance.
 
4. Solution

   Please review the patch/release notes for your product and
   version and verify the checksum of your downloaded file. 

   Horizon View 6.1, 5.3.4:
   ========================
   Downloads: 
  
https://my.vmware.com/web/vmware/details?downloadGroup=VIEW-610-GA&productId=492
  
https://my.vmware.com/web/vmware/details?downloadGroup=VIEW-534-PREMIER&productId=396

   VMware Workspace Portal 2.1.1
   =============================
   Download:
  
https://my.vmware.com/web/vmware/details?downloadGroup=HZNWS211&productId=501&rPId=7586
   Documentation:
  
https://www.vmware.com/support/horizon_workspace/doc/wp_release_notes_211.html

   Horizon DaaS Platform 6.1.4
   ===========================
   Download:
https://my.vmware.com/web/vmware/details?downloadGroup=HORIZON-DAAS-610-BIN&productId=405&rPId=6527

   Horizon DaaS Platform 5.4.5
   ===========================
   Download:
https://my.vmware.com/web/vmware/details?downloadGroup=HORIZON-DAAS-ONPREM-540&productId=398&rPId=5214

   vRealize Operations Manager 6.0.1
   =================================
   Downloads and Documentation: http://kb.vmware.com/kb/2112028

   vRealize Application Services 6.2, 6.1
   ======================================
   Downloads and Documentation: http://kb.vmware.com/kb/2111981

   vCloud Application Director 6.0
   ======================================
   Downloads and Documentation: http://kb.vmware.com/kb/2111981

   vCloud Director for Service Providers 5.6.4.1
   =============================================
   Downloads and Documentation:
https://www.vmware.com/support/pubs/vcd_sp_pubs.html

   vCenter Operations Manager 6.0, 5.8.5, 5.7.4
   =======================================
   Downloads and Documentation: http://kb.vmware.com/kb/2111172

   vCloud Automation Center 6.0.1.2
   ================================
   Downloads and Documentation: http://kb.vmware.com/kb/2111685

   vSphere Replication 5.8.0.2, 5.6.0.3
   ====================================
   Downloads:
   https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5802   
   https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5603
   
   Documentation: 
   http://kb.vmware.com/kb/2112025
   http://kb.vmware.com/kb/2112022 

   vRealize Automation 6.2.1, 6.1.1
   ================================
   Downloads and Documentation: http://kb.vmware.com/kb/2111658

   vRealize Code Stream 1.1, 1.0
   =============================
   Downloads and Documentation: http://kb.vmware.com/kb/2111685

   vRealize Hyperic 5.8.4, 5.7.2, 5.0.3
   ====================================
   Downloads and Documentation: http://kb.vmware.com/kb/KB2111337

   vSphere AppHA 1.1.1
   ===================
   Downloads and Documentation: http://kb.vmware.com/kb/2111336

   vCenter Chargeback Manager 2.7
   ====================================
   Downloads and Documentation: http://kb.vmware.com/kb/2112011

   vCenter Chargeback Manager 2.6
   ====================================
   Downloads and Documentation: http://kb.vmware.com/kb/2113178

   vRealize Business Standard 6.0, 1.1 , 1.0
   =======================================
   Downloads and Documentation: http://kb.vmware.com/kb/2111802

   vRealize Configuration Manager 5.7.3
   ===================================
   Downloads and Documentation: http://kb.vmware.com/kb/2111670

   vRealize Infrastructure Navigator 5.8.4
   =======================================
   Download:
  
https://my.vmware.com/web/vmware/details?downloadGroup=VIN_584&productId=476
 
   vRealize Infrastructure Navigator 5.7
   =====================================
   Downloads and Documentation: http://kb.vmware.com/kb/2111334

5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6593

   JRE 
   Oracle Java SE Critical Patch Update Advisory of January 2015
 
  
http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html

- ------------------------------------------------------------------------

6. Change log

   2015-04-02 VMSA-2015-0003
   Initial security advisory in conjunction with the release of VMware
   Horizon View 6.1, 5.3.4; vCenter Operations Manager 5.8.5;
   vCenter Operations Manager 5.7.4; vCloud Automation Center
   6.0.1.2; vSphere Replication 5.8.0.2, 5.6.0.3; vRealize 
   Automation 6.2.1, 6.1.1; vRealize Code Stream 1.1, 1.0;
   vRealize Hyperic 5.8.4, 5.7.2, 5.0.3; vSphere AppHA 1.1.1;
   vRealize Business Standard 1.1.1, 1.0.1; vRealize Configuration 
   Manager prior to 5.7.3; vRealize Infrastructure 5.7, 5.8.4 Patches 
   released on 2015-04-02.

   2015-04-09 VMSA-2015-0003.1
   Initial security advisory in conjunction with the release of VMware
   Horizon DaaS Platform 6.1.4, 5.4.5; vRealize Operations Manager 6.0; 
   vRealize Application Services 6.2; vRealize Application Services 6.1;
   vCloud Application Director 6.0; vCenter Chargeback Manager 2.7, 2.6;
   vCloud Director For Service Providers 5.6.4.1;
   vRealize Log Insight 2.5, 2.0, 1.5, 1.0 Patches 
   released on 2015-04-09.
- ------------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

    security-announce at lists.vmware.com
    bugtraq at securityfocus.com
    fulldisclosure at seclists.org

   E-mail: security at vmware.com
   PGP key at: http://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   Consolidated list of VMware Security Advisories
   http://kb.vmware.com/kb/2078735

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html
 
   Twitter
   https://twitter.com/VMwareSRC

   Copyright 2015 VMware Inc.  All rights reserved.


-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.3.0 (Build 8741)
Charset: utf-8

wj8DBQFVJvoJDEcm8Vbi9kMRAuK6AKCNUgtSbHFVZ3QovAUJZyYX68sxQgCeLWoD
fO7UbDkp1+c7pNQ0y6ErD24=
=Mn/A
-----END PGP SIGNATURE-----

NEW : VMSA-2015-0003 VMware product updates address critical information disclosure issue in JRE

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID: VMSA-2015-0003
Synopsis:    VMware product updates address critical information 
             disclosure issue in JRE.
Issue date:  2015-04-02
Updated on:  2015-04-02 (Initial Advisory)
CVE number:  CVE-2014-6593, for other CVEs see JRE reference 

- ------------------------------------------------------------------------

1. Summary

   VMware product updates address critical information disclosure 
   issue in JRE.
 
2. Relevant Releases

   Horizon View 6.x or 5.x
   Horizon Workspace Portal Server  2.1 or 2.0
   vCenter Operations Manager 5.8.x or 5.7.x
   vCloud Automation Center 6.0.1
   vSphere Replication prior to 5.8.0.2 or 5.6.0.3
   vRealize Automation 6.2.x or 6.1.x
   vRealize Code Stream 1.1 or 1.0
   vRealize Hyperic 5.8.x, 5.7.x or 5.0.x
   vSphere AppHA Prior to 1.1.x
   vRealize Business Standard prior to 1.1.x or 1.0.x
   NSX for Multi-Hypervisor  prior to 4.2.4     
   vRealize Configuration Manager 5.7.x or 5.6.x
   vRealize Infrastructure 5.8 or 5.7

3. Problem Description 

   a. Oracle JRE Update

      Oracle JRE is updated in VMware products to address a 
      critical security issue that existed in earlier releases of
      Oracle JRE. 

      VMware products running JRE 1.7 Update 75 or newer and 
      JRE 1.6 Update 91 or newer are not vulnerable to CVE-2014-6593,
      as documented in the Oracle Java SE Critical Patch Update 
      Advisory of January 2015. 

      This advisory also includes the other security issues that 
      are addressed  in JRE 1.7 Update 75 and JRE 1.6 Update 91. The 
      References section provides a link to the JRE advisory.


      The Common Vulnerabilities and Exposures project (cve.mitre.org)
      has assigned the identifier CVE-2014-6593 to this issue.  This 
      issue is also known as "SKIP" or "SKIP-TLS". 

      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is 
      available.

      VMware                         Product    Running   Replace with/
      Product                        Version    on        Apply Patch**
      =============                  =======    =======   =================
      Horizon View                   6.x        any       6.1
      Horizon View                   5.x        any       5.3.4
      Horizon Workspace Portal       2.1 ,2.0   any       2.1.1
      Server 

      Horizon DaaS Platform          6.1        any       patch pending
      Horizon DaaS Platform          6.0        any       patch pending
      Horizon DaaS Platform          5.4        any       patch pending

      vCloud Networking and Security 5.5        any       patch pending*
      vCloud Connector               2.7        any       patch pending*
      vCloud Usage Meter             3.3        any       patch pending* 

      vCenter Site Recovery Manager  5.5.x      any       patch pending***
      vCenter Site Recovery Manager  5.1.x      any       patch pending***
      vCenter Site Recovery Manager  5.0.x      any       patch pending***

      vCenter Server                 6.0        any       patch pending
      vCenter Server                 5.5        any       patch pending
      vCenter Server                 5.1        any       patch pending
      vCenter Server                 5.0        any       patch pending

      vRealize Operations Manager    6.0        any       patch pending*
      vCenter Operations Manager     5.8.x      any       KB2111172
      vCenter Operations Manager     5.7.x      any       KB2111172

      vCenter Support Assistant      5.5.1.x    any       patch pending
   
      vRealize Application Services  6.2        any       patch pending
      vRealize Application Services  6.1        any       patch pending
      vCloud Application Director    6.0        any       patch pending
      vCloud Application Director    5.2        any       KB2111981

      vRealize Automation            6.2        any       KB2111658
      vRealize Automation            6.1        any       KB2111658
      vCloud Automation Center       6.0.1      any       KB2111658
      vRealize Code Stream           1.1        any       KB2111658
      vRealize Code Stream           1.0        any       KB2111658

      vPostgres                      9.3.x      any       patch pending
      vPostgres                      9.2.x      any       patch pending
      vPostgres                      9.1.x      any       patch pending

      vSphere Replication            5.8.1      any       patch pending
      vSphere Replication            5.8.0      any       5.8.0.2
      vSphere Replication            5.6.0      any       5.6.0.3
      vSphere Replication            5.1        any       patch pending

      vSphere Storage Appliance      5.x        any       patch pending*
 
      vRealize Hyperic               5.8        any       KB2111337
      vRealize Hyperic               5.7        any       KB2111337
      vRealize Hyperic               5.0        any       KB2111337

      vSphere AppHA                  1.1        any       KB2111336
      vSphere Big Data Extensions    2.1        any       patch pending*
      vSphere Big Data Extensions    2.0        any       patch pending*

      vSphere Data Protection        6.0        any       patch pending*
      vSphere Data Protection        5.8        any       patch pending*
      vSphere Data Protection        5.5        any       patch pending*
      vSphere Data Protection        5.1        any       patch pending*

      vCenter Chargeback Manager     2.6        any       patch pending*

      vRealize Business Adv/Ent      8.1        any       patch pending*
      vRealize Business Adv/Ent      8.0        any       patch pending*

      vRealize Business Standard     6.0        any       KB2111802
      vRealize Business Standard     1.1        any       KB2111802
      vRealize Business Standard     1.0        any       KB2111802

      NSX for vSphere                6.1        any       patch pending*
      NSX for Multi-Hypervisor       4.2        any       4.2.4*
      vCloud Director                5.5.x      any       5.5.3*
      
      vCloud Director For            5.6.4      any       patch pending*
      Service Providers   

      vCenter Application Discovery  7.0        any       patch pending*
      Manager

      vRealize Configuration Manager 5.7.x      any       KB2111670
      vRealize Configuration Manager 5.6        any       KB2111670

      vRealize Infrastructure        5.8        any       5.8.4
      Navigator  

      vRealize Infrastructure        5.7        any       KB2111334*
      Navigator              

      vRealize Orchestrator          6.0        any       patch pending*
      vRealize Orchestrator          5.2        any       patch pending*
      vRealize Orchestrator          5.1        any       patch pending*

      vShield                        5.5        any       patch pending*

      vRealize Log Insight           2.5        any       patch pending*
      vRealize Log Insight           2.0        any       patch pending*
      vRealize Log Insight           1.5        any       patch pending*
      vRealize Log Insight           1.0        any       patch pending*

      vSphere Management Assistant   5.x        any       patch pending 

      vSphere Update Manager         6.0        any       patch pending*
      vSphere Update Manager         5.5        any       patch pending*
      vSphere Update Manager         5.1        any       patch pending*
      vSphere Update Manager         5.0        any       patch pending*

      *   The severity of critical is lowered to important for this product
          as it is not considered Internet facing

      **  Knowledge Base (KB) articles provide details of the patches and
          how to install them. 
 
      *** vCenter Site Recovery Manager 5.0, 5.1, and 5.5 itself do not 
          include JRE but they include the vSphere Replication appliance 
          which has JRE. vCenter Site Recovery 5.8 and 6.0 do not include 
          JRE nor the vSphere Replication appliance.
 
4. Solution

   Please review the patch/release notes for your product and
   version and verify the checksum of your downloaded file. 

   Horizon View 6.1, 5.3.4:
   ========================
   Downloads: 
  
https://my.vmware.com/web/vmware/details?downloadGroup=VIEW-610-GA&productId=492
  
https://my.vmware.com/web/vmware/details?downloadGroup=VIEW-534-PREMIER&productId=396

   VMware Workspace Portal 2.1.1
   =============================
   Download:
  
https://my.vmware.com/web/vmware/details?downloadGroup=HZNWS211&productId=501&rPId=7586
   Documentation:
  
https://www.vmware.com/support/horizon_workspace/doc/wp_release_notes_211.html

   vCenter Operations Manager 6.0, 5.8.5, 5.7.4
   =======================================
   Downloads and Documentation: http://kb.vmware.com/kb/2111172

   vCloud Automation Center 6.0.1.2
   ================================
   Downloads and Documentation: http://kb.vmware.com/kb/2111685

   vSphere Replication 5.8.0.2, 5.6.0.3
   ====================================
   Downloads:
   https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5802   
   https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5603
   
   Documentation: http://kb.vmware.com/kb/2112025

   vRealize Automation 6.2.1, 6.1.1
   ================================
   Downloads and Documentation: http://kb.vmware.com/kb/2111658

   vRealize Code Stream 1.1, 1.0
   =============================
   Downloads and Documentation: http://kb.vmware.com/kb/2111685

   vRealize Hyperic 5.8.4, 5.7.2, 5.0.3
   ====================================
   Downloads and Documentation: http://kb.vmware.com/kb/KB2111337

   vSphere AppHA 1.1.1
   ===================
   Downloads and Documentation: http://kb.vmware.com/kb/2111336

   vRealize Business Standard 6.0, 1.1 , 1.0
   =======================================
   Downloads and Documentation: http://kb.vmware.com/kb/2111802

   vRealize Configuration Manager 5.7.3
   ===================================
   Downloads and Documentation: http://kb.vmware.com/kb/2111670

   vRealize Infrastructure Navigator 5.8.4
   =======================================
   Download:
  
https://my.vmware.com/web/vmware/details?downloadGroup=VIN_584&productId=476
 
   vRealize Infrastructure Navigator 5.7
   =====================================
   Downloads and Documentation: http://kb.vmware.com/kb/2111334
 
5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6593

   JRE 
   Oracle Java SE Critical Patch Update Advisory of January 2015
 
  
http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html

- ------------------------------------------------------------------------

6. Change log

   2015-04-02 VMSA-2015-0003
   Initial security advisory in conjunction with the release of VMware
   Horizon View 6.1, 5.3.4; vCenter Operations Manager 5.8.5;
   vCenter Operations Manager 5.7.4; vCloud Automation Center
   6.0.1.2; vSphere Replication 5.8.0.2, 5.6.0.3; vRealize 
   Automation 6.2.1, 6.1.1; vRealize Code Stream 1.1, 1.0;
   vRealize Hyperic 5.8.4, 5.7.2, 5.0.3; vSphere AppHA 1.1.1;
   vRealize Business Standard 1.1.1, 1.0.1; vRealize Configuration 
   Manager prior to 5.7.3; vRealize Infrastructure 5.7, 5.8.4 Patches 
   released on 2015-04-02.
  
- ------------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

    security-announce at lists.vmware.com
    bugtraq at securityfocus.com
    fulldisclosure at seclists.org

   E-mail: security at vmware.com
   PGP key at: http://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   Consolidated list of VMware Security Advisories
   http://kb.vmware.com/kb/2078735

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html
 
   Twitter
   https://twitter.com/VMwareSRC

   Copyright 2015 VMware Inc.  All rights reserved.


-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.3.0 (Build 8741)
Charset: utf-8

wj8DBQFVHbTYDEcm8Vbi9kMRAgAMAJ9igPcaR/mSbKzFzow0NzlqbsDEoACcCRUC
6hWCvRQfTGkvImCyRaL0VOY=
=uZmC
-----END PGP SIGNATURE-----
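
Added example, not part of the VMware advisories above: a triage helper that applies the thresholds stated in section 3.a of VMSA-2015-0003 and VMSA-2015-0003.1 (JRE 1.7 Update 75 or newer, JRE 1.6 Update 91 or newer) to collected `java -version` output. The host names, the sample banners and the function names are constructed for illustration; JRE families the advisory text does not name are reported as "not-covered" rather than guessed at.

```python
import re

# First non-vulnerable update per JRE family, taken from the advisory text:
# "JRE 1.7 Update 75 or newer and JRE 1.6 Update 91 or newer".
FIXED_UPDATE = {(1, 7): 75, (1, 6): 91}

# Matches the quoted version in the first line of `java -version` output, e.g.
#   java version "1.7.0_72"
#   openjdk version "1.7.0_75-b13"
_BANNER = re.compile(r'version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?[^"]*"')


def parse_java_version(banner):
    """Return (major, minor, update) parsed from `java -version` output.

    Returns None when no version banner is present (java missing, error text).
    A banner without an update suffix, such as "1.7.0", counts as update 0.
    """
    match = _BANNER.search(banner)
    if match is None:
        return None
    major, minor, _patch, update = match.groups()
    return int(major), int(minor), int(update or 0)


def classify(banner):
    """Classify one banner against the advisory thresholds.

    Returns one of:
      "vulnerable"      family named in the advisory, update below threshold
      "not-vulnerable"  family named in the advisory, update at or above it
      "not-covered"     family the advisory text gives no threshold for
      "unparsed"        no version banner found; needs manual inspection
    """
    parsed = parse_java_version(banner)
    if parsed is None:
        return "unparsed"
    major, minor, update = parsed
    fixed = FIXED_UPDATE.get((major, minor))
    if fixed is None:
        return "not-covered"
    # Compare as integers: a string comparison would rank "101" below "91".
    return "not-vulnerable" if update >= fixed else "vulnerable"


def triage(inventory):
    """Group host names by classification; hosts are sorted within each group."""
    groups = {}
    for host in sorted(inventory):
        groups.setdefault(classify(inventory[host]), []).append(host)
    return groups


# Constructed sample inventory: host name -> captured `java -version` output.
SAMPLE_INVENTORY = {
    "appliance-a.example.internal":
        'java version "1.7.0_72"\n'
        "Java(TM) SE Runtime Environment (build 1.7.0_72-b14)",
    "appliance-b.example.internal":
        'java version "1.7.0_75"\n'
        "Java(TM) SE Runtime Environment (build 1.7.0_75-b13)",
    "appliance-c.example.internal": 'java version "1.6.0_45"',
    "appliance-d.example.internal": 'java version "1.6.0_101"',
    "appliance-e.example.internal": 'java version "1.8.0_25"',
    "appliance-f.example.internal": "sh: java: not found",
}

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE_INVENTORY).items()):
        print(status)
        for host in hosts:
            print("   ", host)
```

The check only reflects the JRE whose banner was collected; a product that bundles its own JRE outside the default path still needs the remediation listed in column 4 of the advisory table.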

UPDATED VMSA-2015-0001.2 VMware vSphere Data Protection product update addresses a certificate validation vulnerability.

------------------------------------------------------------------------
                  VMware Security Advisory

Advisory ID: VMSA-2015-0001.2
Synopsis:    VMware vCenter Server, ESXi, Workstation, Player, and Fusion
            updates address security issues
Issue date:  2015-01-27
Updated on:  2015-03-26
CVE number:  CVE-2014-8370, CVE-2015-1043, CVE-2015-1044

            --- OPENSSL---
            CVE-2014-3513, CVE-2014-3567, CVE-2014-3566, CVE-2014-3568

            --- libxml2 ---
            CVE-2014-3660
------------------------------------------------------------------------

1. Summary

  VMware vCenter Server, ESXi, Workstation, Player and Fusion address
  several security issues.

2. Relevant Releases

  VMware Workstation 10.x prior to version 10.0.5

  VMware Player 6.x prior to version 6.0.5

  VMware Fusion 7.x prior to version 7.0.1
  VMware Fusion 6.x prior to version 6.0.5

  vCenter Server 5.5 prior to Update 2d

  ESXi 5.5 without patch ESXi550-201403102-SG, ESXi550-201501101-SG
  ESXi 5.1 without patch ESXi510-201404101-SG, ESXi510-201503101-SG
  ESXi 5.0 without patch ESXi500-201405101-SG, ESXi500-201502101-SG

3. Problem Description

  a. VMware ESXi, Workstation, Player, and Fusion host privilege
     escalation vulnerability

     VMware ESXi, Workstation, Player and Fusion contain an arbitrary
     file write issue. Exploitation of this issue may allow for privilege
     escalation on the host.

     The vulnerability does not allow for privilege escalation from
     the guest Operating System to the host or vice-versa. This means
     that host memory can not be manipulated from the Guest Operating
     System.

     Mitigation

     For ESXi to be affected, permissions must have been added to ESXi
     (or a vCenter Server managing it) for a virtual machine
     administrator role or greater.

     VMware would like to thank Shanon Olsson for reporting this issue to
     us through JPCERT.

     The Common Vulnerabilities and Exposures project (cve.mitre.org)
     has assigned the identifier CVE-2014-8370 to this issue.

     Column 4 of the following table lists the action required to
     remediate the vulnerability in each release, if a solution is
     available.

     VMware         Product    Running   Replace with/
     Product        Version    on        Apply Patch
     =============  =======    =======   =================
     Workstation    11.x       any       not affected
     Workstation    10.x       any       10.0.5

     Player         7.x        any       not affected
     Player         6.x        any       6.0.5

     Fusion         7.x        any       not affected
     Fusion         6.x        any       6.0.5

     ESXi           5.5        ESXi      ESXi550-201403102-SG
     ESXi           5.1        ESXi      ESXi510-201404101-SG
     ESXi           5.0        ESXi      ESXi500-201405101-SG

  b. VMware Workstation, Player, and Fusion Denial of Service
     vulnerability

     VMware Workstation, Player, and Fusion contain an input
     validation issue in the Host Guest File System (HGFS).
     This issue may allow for a Denial of Service of the Guest
     Operating system.

     VMware would like to thank Peter Kamensky from Digital
     Security for reporting this issue to us.

     The Common Vulnerabilities and Exposures project (cve.mitre.org)
     has assigned the identifier CVE-2015-1043 to this issue.

     Column 4 of the following table lists the action required to
     remediate the vulnerability in each release, if a solution is
     available.

     VMware         Product    Running   Replace with/
     Product        Version    on        Apply Patch
     =============  =======    =======   =================
     Workstation    11.x       any       not affected
     Workstation    10.x       any       10.0.5

     Player         7.x        any       not affected
     Player         6.x        any       6.0.5

     Fusion         7.x        any       7.0.1
     Fusion         6.x        any       6.0.5

  c. VMware ESXi, Workstation, and Player Denial of Service
     vulnerability

     VMware ESXi, Workstation, and Player contain an input
     validation issue in VMware Authorization process (vmware-authd).
     This issue may allow for a Denial of Service of the host. On
     VMware ESXi and on Workstation running on Linux the Denial of
     Service would be partial.

     VMware would like to thank Dmitry Yudin @ret5et for reporting
     this issue to us through HP's Zero Day Initiative.

     The Common Vulnerabilities and Exposures project (cve.mitre.org)
     has assigned the identifier CVE-2015-1044 to this issue.

     Column 4 of the following table lists the action required to
     remediate the vulnerability in each release, if a solution is
     available.

     VMware         Product    Running   Replace with/
     Product        Version    on        Apply Patch
     =============  =======    =======   =================
     Workstation    11.x       any       not affected
     Workstation    10.x       any       10.0.5

     Player         7.x        any       not affected
     Player         6.x        any       6.0.5

     Fusion         7.x        any       not affected
     Fusion         6.x        any       not affected

     ESXi           5.5        ESXi      ESXi550-201501101-SG
     ESXi           5.1        ESXi      ESXi510-201410101-SG
     ESXi           5.0        ESXi      not affected

  d. Update to VMware vCenter Server and ESXi for OpenSSL 1.0.1
     and 0.9.8 package

     The OpenSSL library is updated to version 1.0.1j or 0.9.8zc
     to resolve multiple security issues.

     The Common Vulnerabilities and Exposures project (cve.mitre.org)
     has assigned the names CVE-2014-3513, CVE-2014-3567,
     CVE-2014-3566 ("POODLE") and CVE-2014-3568 to these issues.

     Column 4 of the following table lists the action required to
     remediate the vulnerability in each release, if a solution is
     available.

     VMware         Product    Running   Replace with/
     Product        Version    on        Apply Patch
     =============  =======    =======   =================
     vCenter Server 5.5        any       Update 2d*
     vCenter Server 5.1        any       patch pending
     vCenter Server 5.0        any       patch pending

     ESXi           5.5        ESXi      ESXi550-201501101-SG
     ESXi           5.1        ESXi      ESXi510-201503101-SG
     ESXi           5.0        ESXi      ESXi500-201502101-SG

     * The VMware vCenter 5.5 SSO component will be updated
       in a later release.

  e. Update to ESXi libxml2 package

     The libxml2 library is updated to version libxml2-2.7.6-17
     to resolve a security issue.

     The Common Vulnerabilities and Exposures project (cve.mitre.org)
     has assigned the name CVE-2014-3660 to this issue.

     Column 4 of the following table lists the action required to
     remediate the vulnerability in each release, if a solution is
     available.

     VMware         Product    Running   Replace with/
     Product        Version    on        Apply Patch
     =============  =======    =======   =================
     ESXi           5.5        ESXi      ESXi550-201501101-SG
     ESXi           5.1        ESXi      ESXi510-201503101-SG
     ESXi           5.0        ESXi      patch pending

4. Solution

  Please review the patch/release notes for your product and
  version and verify the checksum of your downloaded file.

  VMware Workstation 10.x
  --------------------------------
  https://www.vmware.com/go/downloadworkstation

  VMware Player 6.x
  --------------------------------
  https://www.vmware.com/go/downloadplayer

  VMware Fusion 7.x and 6.x
  --------------------------------
  https://www.vmware.com/go/downloadplayer

  vCenter Server
  ----------------------------
  Downloads and Documentation:
  https://www.vmware.com/go/download-vsphere

  ESXi 5.5 Update 2d
  ----------------------------
  File: update-from-esxi5.5-5.5_update01.zip
  md5sum: 5773844efc7d8e43135de46801d6ea25
  sha1sum: 6518355d260e81b562c66c5016781db9f077161f
  http://kb.vmware.com/kb/2065832
  update-from-esxi5.5-5.5_update01 contains ESXi550-201403102-SG

  ESXi 5.5
  ----------------------------
  File: ESXi550-201501001.zip
  md5sum: b0f2edd9ad17d0bae5a11782aaef9304
  sha1sum: 9cfcb1e2cf1bb845f0c96c5472d6b3a66f025dd1
  http://kb.vmware.com/kb/2099265
  ESXi550-201501001.zip contains ESXi550-201501101-SG

  ESXi 5.1
  ----------------------------
  File: ESXi510-201404001.zip
  md5sum: 9dc3c9538de4451244a2b62d247e52c4
  sha1sum: 2e052145f1697a781148e9866438a47c9cbd7ea9
  http://kb.vmware.com/kb/2070666
  ESXi510-201404001 contains ESXi510-201404101-SG


  ESXi 5.1
  ----------------------------
  File: ESXi510-201503001.zip
  md5sum: 696360824ce098115f9fdba678391c3a
  sha1sum: 6b1ea36a2711665a670afc9ae37cdd616bb6da66
  http://kb.vmware.com/kb/2099286
  ESXi510-201503001 contains ESXi510-201503001-SG


  ESXi 5.0
  ----------------------------
  File: ESXi500-201405001.zip
  md5sum: 7cd1afc97f5f1e4b4132c90835f92e1d
  sha1sum: 4bd77eeb5d7fc65bbb6f25762b0fa74fbb9679d5
  http://kb.vmware.com/kb/2075521
  ESXi500-201405001 contains ESXi500-201405101-SG

  ESXi 5.0
  ----------------------------
  File: ESXi500-201502001.zip
  md5sum: 0e81d3c7702d6f08c1a5ebe743c8c42b
  sha1sum: 6f16a03f413c1af4db3e181c2ccd6aa01141035d
  http://kb.vmware.com/kb/2101910
  ESXi500-201502001 contains ESXi500-201502101-SG

5. References

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8370
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1043
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1044
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3513
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3567
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3568
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3660

------------------------------------------------------------------------

6. Change log

  2015-01-27 VMSA-2015-0001
  Initial security advisory in conjunction with the release of VMware
  Workstation 10.0.5, VMware Player 6.0.5, vCenter Server 5.5 Update 2d
  and ESXi 5.5 Patches released on 2015-01-27.

  2015-02-26 VMSA-2015-0001.1
  Updated security advisory in conjunction with the release
  of VMware ESXi 5.0 Patches released on 2015-02-26.

  2015-03-26 VMSA-2015-0001.2
  Updated security advisory in conjunction with the release
  of VMware ESXi 5.1 Patches released on 2015-03-26.


------------------------------------------------------------------------

7. Contact

  E-mail list for product security notifications and announcements:
  http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

  This Security Advisory is posted to the following lists:

   security-announce at lists.vmware.com
   bugtraq at securityfocus.com
   fulldisclosure at seclists.org

  E-mail: security at vmware.com
  PGP key at: http://kb.vmware.com/kb/1055

  VMware Security Advisories
  http://www.vmware.com/security/advisories

  Consolidated list of VMware Security Advisories
  http://kb.vmware.com/kb/2078735

  VMware Security Response Policy
  https://www.vmware.com/support/policies/security_response.html

  VMware Lifecycle Support Phases
  https://www.vmware.com/support/policies/lifecycle.html

  Twitter
  https://twitter.com/VMwareSRC

  Copyright 2015 VMware Inc.  All rights reserved.


_______________________________________________
Security-announce mailing list
Security-announce at lists.vmware.com
http://lists.vmware.com/mailman/listinfo/security-announce
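
The "Column 4" tables in VMSA-2015-0001.2 above can be checked against a host inventory mechanically. The Python below is an added example, not part of the VMware advisory: it slices each row at the column positions of the `=====` ruler and reports, per issue, what a given product and version still needs. The function names and the set of installed bulletin IDs are assumptions, and bulletins are matched by exact ID only.

```python
import re

# Remediation tables copied from sections a, c and d of VMSA-2015-0001.2 above
# (Player and Fusion rows left out to keep the sample short).
HEADER = """\
     VMware         Product    Running   Replace with/
     Product        Version    on        Apply Patch
     =============  =======    =======   =================
"""
TABLES = {
    "a: CVE-2014-8370": HEADER + """\
     Workstation    11.x       any       not affected
     Workstation    10.x       any       10.0.5

     ESXi           5.5        ESXi      ESXi550-201403102-SG
     ESXi           5.1        ESXi      ESXi510-201404101-SG
     ESXi           5.0        ESXi      ESXi500-201405101-SG
""",
    "c: CVE-2015-1044": HEADER + """\
     Workstation    11.x       any       not affected
     Workstation    10.x       any       10.0.5

     ESXi           5.5        ESXi      ESXi550-201501101-SG
     ESXi           5.1        ESXi      ESXi510-201410101-SG
     ESXi           5.0        ESXi      not affected
""",
    "d: OpenSSL": HEADER + """\
     vCenter Server 5.5        any       Update 2d*
     vCenter Server 5.1        any       patch pending
     vCenter Server 5.0        any       patch pending

     ESXi           5.5        ESXi      ESXi550-201501101-SG
     ESXi           5.1        ESXi      ESXi510-201503101-SG
     ESXi           5.0        ESXi      ESXi500-201502101-SG
""",
}
FIELDS = ("product", "version", "running_on", "action")


def parse_table(text):
    """Return the rows below the '=====' ruler, sliced at the ruler's column starts.

    Slicing by position (not by whitespace) keeps multi-word cells such as
    'vCenter Server' and 'not affected' intact.
    """
    lines = text.splitlines()
    for idx, line in enumerate(lines):
        if re.fullmatch(r"\s*=+(\s+=+)+\s*", line):
            break
    else:
        raise ValueError("no '=====' ruler line found")
    starts = [m.start() for m in re.finditer(r"=+", lines[idx])]
    bounds = list(zip(starts, starts[1:] + [None]))
    rows = []
    for line in lines[idx + 1:]:
        if not line.strip():
            continue
        cells = [line[a:b].strip() for a, b in bounds]
        if not cells[0] and rows:  # continuation line: extends the previous action
            rows[-1]["action"] += " " + cells[-1]
            continue
        rows.append(dict(zip(FIELDS, cells)))
    return rows


def version_matches(pattern, installed):
    """'10.x' matches any 10.* release; '5.5' matches 5.5 and 5.5.n."""
    have = installed.split(".")
    for i, part in enumerate(pattern.split(".")):
        if part == "x":
            return True
        if i >= len(have) or have[i] != part:
            return False
    return True


def triage(product, version, installed_bulletins=()):
    """Map each issue to 'applied', 'not listed', or the table's column-4 text."""
    result = {}
    for issue, table in TABLES.items():
        result[issue] = "not listed"
        for row in parse_table(table):
            if row["product"] == product and version_matches(row["version"], version):
                done = row["action"] in installed_bulletins
                result[issue] = "applied" if done else row["action"]
                break
    return result


if __name__ == "__main__":
    # Constructed inventory: an ESXi 5.5 host with only the older bulletin installed.
    for issue, status in triage("ESXi", "5.5", {"ESXi550-201403102-SG"}).items():
        print(issue, "->", status)
```

A result of "patch pending" or "not listed" means the table offers nothing to apply for that product and version, so the host has to be tracked until a later advisory revision covers it.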

UPDATED VMSA-2015-0001.1 VMware vCenter Server, ESXi, Workstation, Player, and Fusion updates address security issues

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID: VMSA-2015-0001.1
Synopsis:    VMware vCenter Server, ESXi, Workstation, Player, and Fusion
             updates address security issues
Issue date:  2015-01-27
Updated on:  2015-02-26
CVE number:  CVE-2014-8370, CVE-2015-1043, CVE-2015-1044

             --- OPENSSL---
             CVE-2014-3513, CVE-2014-3567, CVE-2014-3566, CVE-2014-3568

             --- libxml2 ---
             CVE-2014-3660
- ------------------------------------------------------------------------

1. Summary

   VMware vCenter Server, ESXi, Workstation, Player and Fusion address
   several security issues.

2. Relevant Releases

   VMware Workstation 10.x prior to version 10.0.5

   VMware Player 6.x prior to version 6.0.5

   VMware Fusion 7.x prior to version 7.0.1
   VMware Fusion 6.x prior to version 6.0.5

   vCenter Server 5.5 prior to Update 2d

   ESXi 5.5 without patch ESXi550-201403102-SG, ESXi550-201501101-SG
   ESXi 5.1 without patch ESXi510-201404101-SG
   ESXi 5.0 without patch ESXi500-201405101-SG, ESXi500-201502101-SG

3. Problem Description

   a. VMware ESXi, Workstation, Player, and Fusion host privilege
      escalation vulnerability

      VMware ESXi, Workstation, Player and Fusion contain an arbitrary
      file write issue. Exploitation of this issue may allow for privilege
      escalation on the host.

      The vulnerability does not allow for privilege escalation from
      the guest Operating System to the host or vice-versa. This means
      that host memory can not be manipulated from the Guest Operating
      System.

      Mitigation

      For ESXi to be affected, permissions must have been added to ESXi
      (or a vCenter Server managing it) for a virtual machine
      administrator role or greater.

      VMware would like to thank Shanon Olsson for reporting this issue to
      us through JPCERT.

      The Common Vulnerabilities and Exposures project (cve.mitre.org)
      has assigned the identifier CVE-2014-8370 to this issue.

      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is
      available.

      VMware         Product    Running   Replace with/
      Product        Version    on        Apply Patch
      =============  =======    =======   =================
      Workstation    11.x       any       not affected
      Workstation    10.x       any       10.0.5

      Player         7.x        any       not affected
      Player         6.x        any       6.0.5

      Fusion         7.x        any       not affected
      Fusion         6.x        any       6.0.5

      ESXi           5.5        ESXi      ESXi550-201403102-SG
      ESXi           5.1        ESXi      ESXi510-201404101-SG
      ESXi           5.0        ESXi      ESXi500-201405101-SG

   b. VMware Workstation, Player, and Fusion Denial of Service
      vulnerability

      VMware Workstation, Player, and Fusion contain an input
      validation issue in the Host Guest File System (HGFS).
      This issue may allow for a Denial of Service of the Guest
      Operating system.

      VMware would like to thank Peter Kamensky from Digital
      Security for reporting this issue to us.

      The Common Vulnerabilities and Exposures project (cve.mitre.org)
      has assigned the identifier CVE-2015-1043 to this issue.

      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is
      available.

      VMware         Product    Running   Replace with/
      Product        Version    on        Apply Patch
      =============  =======    =======   =================
      Workstation    11.x       any       not affected
      Workstation    10.x       any       10.0.5

      Player         7.x        any       not affected
      Player         6.x        any       6.0.5

      Fusion         7.x        any       7.0.1
      Fusion         6.x        any       6.0.5

   c. VMware ESXi, Workstation, and Player Denial of Service
      vulnerability

      VMware ESXi, Workstation, and Player contain an input
      validation issue in VMware Authorization process (vmware-authd).
      This issue may allow for a Denial of Service of the host. On
      VMware ESXi and on Workstation running on Linux the Denial of
      Service would be partial.

      VMware would like to thank Dmitry Yudin @ret5et for reporting
      this issue to us through HP's Zero Day Initiative.

      The Common Vulnerabilities and Exposures project (cve.mitre.org)
      has assigned the identifier CVE-2015-1044 to this issue.

      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is
      available.

      VMware         Product    Running   Replace with/
      Product        Version    on        Apply Patch
      =============  =======    =======   =================
      Workstation    11.x       any       not affected
      Workstation    10.x       any       10.0.5

      Player         7.x        any       not affected
      Player         6.x        any       6.0.5

      Fusion         7.x        any       not affected
      Fusion         6.x        any       not affected

      ESXi           5.5        ESXi      ESXi550-201501101-SG
      ESXi           5.1        ESXi      ESXi510-201410101-SG
      ESXi           5.0        ESXi      not affected

   d. Update to VMware vCenter Server and ESXi for OpenSSL 1.0.1
      and 0.9.8 package

      The OpenSSL library is updated to version 1.0.1j or 0.9.8zc
      to resolve multiple security issues.

      The Common Vulnerabilities and Exposures project (cve.mitre.org)
      has assigned the names CVE-2014-3513, CVE-2014-3567,
      CVE-2014-3566 (“POODLE”) and CVE-2014-3568 to these issues.

      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is
      available.

      VMware         Product    Running   Replace with/
      Product        Version    on        Apply Patch
      =============  =======    =======   =================
      vCenter Server 5.5        any       Update 2d*
      vCenter Server 5.1        any       patch pending
      vCenter Server 5.0        any       patch pending

      ESXi           5.5        ESXi      ESXi550-201501101-SG
      ESXi           5.1        ESXi      patch pending
      ESXi           5.0        ESXi      ESXi500-201502101-SG

      * The VMware vCenter 5.5 SSO component will be updated
        in a later release.

   e. Update to ESXi libxml2 package

      The libxml2 library is updated to version libxml2-2.7.6-17
      to resolve a security issue.

      The Common Vulnerabilities and Exposures project (cve.mitre.org)
      has assigned the name CVE-2014-3660 to this issue.

      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is
      available.

      VMware         Product    Running   Replace with/
      Product        Version    on        Apply Patch
      =============  =======    =======   =================
      ESXi           5.5        ESXi      ESXi550-201501101-SG
      ESXi           5.1        ESXi      patch pending
      ESXi           5.0        ESXi      patch pending

4. Solution

   Please review the patch/release notes for your product and
   version and verify the checksum of your downloaded file.

   VMware Workstation 10.x
   --------------------------------
   https://www.vmware.com/go/downloadworkstation

   VMware Player 6.x
   --------------------------------
   https://www.vmware.com/go/downloadplayer

   VMware Fusion 7.x and 6.x
   --------------------------------
   https://www.vmware.com/go/downloadplayer

   vCenter Server
   ----------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/download-vsphere

   ESXi 5.5 Update 2d
   ----------------------------
   File: update-from-esxi5.5-5.5_update01.zip
   md5sum: 5773844efc7d8e43135de46801d6ea25
   sha1sum: 6518355d260e81b562c66c5016781db9f077161f
   http://kb.vmware.com/kb/2065832
   update-from-esxi5.5-5.5_update01 contains ESXi550-201403102-SG

   ESXi 5.5
   ----------------------------
   File: ESXi550-201501001.zip
   md5sum: b0f2edd9ad17d0bae5a11782aaef9304
   sha1sum: 9cfcb1e2cf1bb845f0c96c5472d6b3a66f025dd1
   http://kb.vmware.com/kb/2099265
   ESXi550-201501001.zip contains ESXi550-201501101-SG

   ESXi 5.1
   ----------------------------
   File: ESXi510-201404001.zip
   md5sum: 9dc3c9538de4451244a2b62d247e52c4
   sha1sum: 6b1ea36a2711665a670afc9ae37cdd616bb6da66
   http://kb.vmware.com/kb/2070666
   ESXi510-201404001 contains ESXi510-201404101-SG

   ESXi 5.0
   ----------------------------
   File: ESXi500-201405001.zip
   md5sum: 7cd1afc97f5f1e4b4132c90835f92e1d
   sha1sum: 4bd77eeb5d7fc65bbb6f25762b0fa74fbb9679d5
   http://kb.vmware.com/kb/2075521
   ESXi500-201405001 contains ESXi500-201405101-SG

   ESXi 5.0
   ----------------------------
   File: ESXi500-201502001.zip
   md5sum: 0e81d3c7702d6f08c1a5ebe743c8c42b
   sha1sum: 6f16a03f413c1af4db3e181c2ccd6aa01141035d
   http://kb.vmware.com/kb/2101910
   ESXi500-201502001 contains ESXi500-201502101-SG

5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8370
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1043
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1044
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3513
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3567
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3568
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3660

- ------------------------------------------------------------------------

6. Change log

   2015-01-27 VMSA-2015-0001
   Initial security advisory in conjunction with the release of VMware
   Workstation 10.0.5, VMware Player 6.0.5, vCenter Server 5.5 Update 2d
   and ESXi 5.5 Patches released on 2015-01-27.

   2015-02-26 VMSA-2015-0001.1
   Updated security advisory in conjunction with the release
   of VMware ESXi 5.0 Patches released on 2015-02-26.

- ------------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

    security-announce at lists.vmware.com
    bugtraq at securityfocus.com
    fulldisclosure at seclists.org

   E-mail: security at vmware.com
   PGP key at: http://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   Consolidated list of VMware Security Advisories
   http://kb.vmware.com/kb/2078735

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html

   Twitter
   https://twitter.com/VMwareSRC

   Copyright 2015 VMware Inc.  All rights reserved.

-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org

iEYEARECAAYFAlTvZKoACgkQDEcm8Vbi9kPLdQCgkxPWLqgLx+H8FIA1rDh9PGJ7
WUgAoL2IPcyQ0FgDxTm4rLW+e/gKRzBq
=h+C7
-----END PGP SIGNATURE-----
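
Both revisions of VMSA-2015-0001 above ask the reader to verify the checksum of each download, and they list different sha1sum values for ESXi510-201404001.zip. The Python below is an added example, not VMware code: it parses the File/md5sum/sha1sum entries, refuses a file whose listed checksums disagree, and otherwise compares the digests of a local file. The function names and status strings are assumptions.

```python
import hashlib
import hmac
import re

# Entries for one file, copied from the .2 and the .1 revision on this page.
PAGE_EXCERPT = """\
  File: ESXi510-201404001.zip
  md5sum: 9dc3c9538de4451244a2b62d247e52c4
  sha1sum: 2e052145f1697a781148e9866438a47c9cbd7ea9
   File: ESXi510-201404001.zip
   md5sum: 9dc3c9538de4451244a2b62d247e52c4
   sha1sum: 6b1ea36a2711665a670afc9ae37cdd616bb6da66
"""

FIELD = re.compile(r"\s*(File|md5sum|sha1sum):\s*(\S+)\s*$")
HEX_LEN = {"md5": 32, "sha1": 40}


def parse_checksums(text):
    """Collect every md5sum/sha1sum value listed under each 'File:' line."""
    entries, current = {}, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).lower()
        if key == "File":
            current = entries.setdefault(m.group(2), {"md5": set(), "sha1": set()})
        elif current is not None:
            alg = key[:-3]  # "md5sum" -> "md5", "sha1sum" -> "sha1"
            if not re.fullmatch(r"[0-9a-f]{%d}" % HEX_LEN[alg], value):
                raise ValueError("malformed %s value: %r" % (key, value))
            current[alg].add(value)
    return entries


def file_digests(path):
    """Hash the file once, in chunks, with both algorithms the advisory uses."""
    hashers = {alg: hashlib.new(alg) for alg in HEX_LEN}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def verify_download(path, name, advisory_text):
    """Return 'ok', 'mismatch', 'not listed' or 'conflicting checksums'."""
    expected = parse_checksums(advisory_text).get(name)
    if expected is None or not any(expected.values()):
        return "not listed"
    # Two different values for one file and algorithm: do not pick one silently.
    if any(len(values) > 1 for values in expected.values()):
        return "conflicting checksums"
    actual = file_digests(path)
    ok = all(
        hmac.compare_digest(actual[alg], next(iter(values)))
        for alg, values in expected.items() if values
    )
    return "ok" if ok else "mismatch"


if __name__ == "__main__":
    # The conflict is reported before the file is read, so no download is needed here.
    print(verify_download("ESXi510-201404001.zip", "ESXi510-201404001.zip", PAGE_EXCERPT))
```

MD5 and SHA-1 are the only digests the advisory publishes, so the check requires every listed value to match and treats a disagreement between revisions as a reason to stop rather than as a choice.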

NEW: VMSA-2015-0002 VMware vSphere Data Protection product update addresses a certificate validation vulnerability



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID: VMSA-2015-0002
Synopsis:    VMware vSphere Data Protection product update addresses a
             certificate validation vulnerability.
Issue date:  2015-01-29
Updated on:  2015-01-29 (Initial Advisory)
CVE number:  CVE-2014-4632

- ------------------------------------------------------------------------

1. Summary

    VMware vSphere Data Protection product update addresses a certificate
    validation vulnerability.

2. Relevant releases
   
   VMware vSphere Data Protection 5.8
   VMware vSphere Data Protection 5.5 prior to 5.5.9
   VMware vSphere Data Protection 5.1 all versions

3. Problem Description

   a. VMware vSphere Data Protection certificate validation vulnerability

   VMware vSphere Data Protection (VDP) does not fully validate SSL
   certificates coming from vCenter Server. This issue may allow a
   Man-in-the-Middle attack that enables the attacker to perform
   unauthorized backup and restore operations.

   VMware would like to thank Thorsten Tüllmann of the Steinbuch Centre
   for Computing, KIT, Germany for reporting this issue to VMware and
   the EMC Product Security Response Center for working with us on the
   issue.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)
   has assigned the identifier CVE-2014-4632 to this issue.

      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is
      available.

      VMware         Product    Running   Replace with/
      Product        Version    on        Apply Patch
      =============  =======    =======   =================
      VDP            5.8        any       5.8.1
      VDP            5.5        any       5.5.9
      VDP            5.1        any       no patch planned
                                          update to 5.5.9 or 5.8.1
 
4. Solution
   
   Please review the patch/release notes for your product and version
   and verify the checksum of your downloaded file.

   VMware vSphere Data Protection
   ----------
   Downloads:
   
   5.8.1:
   https://my.vmware.com/group/vmware/get-download?downloadGroup=VDP58_1

   5.5.9:
   https://my.vmware.com/group/vmware/get-download?downloadGroup=VDP55_9
 
 
5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4632

- ------------------------------------------------------------------------

6. Change log

   2015-01-29 VMSA-2015-0002
   Initial security advisory for VDP 5.8.1 and 5.5.9 which were released
   on 2015-01-29.

- ------------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

    security-announce at lists.vmware.com
    bugtraq at securityfocus.com
    fulldisclosure at seclists.org

   E-mail: security at vmware.com
   PGP key at: http://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html
 
   Twitter
   https://twitter.com/VMwareSRC

   Copyright 2015 VMware Inc.  All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8

wj8DBQFUyruEDEcm8Vbi9kMRAjxUAKD+x2KVIAq6DftmWv1zIGNldH7q5QCgwLyV
ZruDEwM5kdlMe0ddzVgR41w=
=cT7H
-----END PGP SIGNATURE-----

UPDATED: VMSA-2014-0012.1 – VMware vSphere product updates address security vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID: VMSA-2014-0012.1
Synopsis:    VMware vSphere product updates address security 
             vulnerabilities
Issue date:  2014-12-04
Updated on:  2015-01-27
CVE number:  CVE-2014-3797, CVE-2014-8371, CVE-2013-2877, CVE-2014-0191, 
             CVE-2014-0015, CVE-2014-0138, CVE-2013-1752 and 
             CVE-2013-4238
- ------------------------------------------------------------------------

1. Summary

   VMware vSphere product updates address a Cross Site Scripting issue, 
   a certificate validation issue and security vulnerabilities in 
   third-party libraries.
 
2. Relevant releases

   VMware vCenter Server Appliance 5.1 prior to Update 3

   VMware vCenter Server 5.5 prior to Update 2
   VMware vCenter Server 5.1 prior to Update 3
   VMware vCenter Server 5.0 prior to Update 3c

   VMware ESXi 5.1 without patch ESXi510-201412101-SG
   VMware ESXi 5.5
   VMware ESXi 5.0

3. Problem Description 

   a. VMware vCSA cross-site scripting vulnerability

      VMware vCenter Server Appliance (vCSA) contains a vulnerability
      that may allow for Cross Site Scripting. Exploitation of this 
      vulnerability in vCenter Server requires tricking a user into clicking
      on a malicious link or opening a malicious web page.

      VMware would like to thank Tanya Secker of Trustwave SpiderLabs for 
      reporting this issue to us. 

      The Common Vulnerabilities and Exposures project (cve.mitre.org) 
      has assigned the name CVE-2014-3797 to this issue. 

      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is 
      available.

      VMware         Product    Running   Replace with/
      Product        Version    on        Apply Patch
      =============  =======    =======   =================
      vCSA           5.5        any       Not Affected
      vCSA           5.1        any       5.1 Update 3
      vCSA           5.0        any       Not Affected

   b. vCenter Server certificate validation issue

      vCenter Server does not properly validate the presented certificate 
      when establishing a connection to a CIM Server residing on an ESXi 
      host. This may allow for a Man-in-the-middle attack against the CIM 
      service.

      VMware would like to thank The Google Security Team for reporting 
      this issue to us.

      The Common Vulnerabilities and Exposures project (cve.mitre.org)
      has assigned the identifier CVE-2014-8371 to this issue. 

      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is 
      available.

      VMware          Product   Running   Replace with/
      Product         Version   on        Apply Patch
      =============   =======   =======   ==============
      vCenter Server  5.5       any       5.5 Update 2
      vCenter Server  5.1       any       5.1 Update 3
      vCenter Server  5.0       any       5.0 Update 3c

  c. Update to ESXi libxml2 package

     libxml2 is updated to address multiple security issues. 

     The Common Vulnerabilities and Exposures project 
     (cve.mitre.org) has assigned the names CVE-2013-2877 and
     CVE-2014-0191 to these issues. 

     Column 4 of the following table lists the action required to
     remediate the vulnerability in each release, if a solution is 
     available.

     VMware         Product    Running   Replace with/
     Product        Version    on        Apply Patch
     =============  =======    =======   =================
     ESXi           5.5        any       see VMSA-2015-0001
     ESXi           5.1        any       ESXi510-201412101-SG
     ESXi           5.0        any       see VMSA-2015-0001

  d. Update to ESXi Curl package

     Curl is updated to address multiple security issues. 

     The Common Vulnerabilities and Exposures project 
     (cve.mitre.org) has assigned the names CVE-2014-0015 and 
     CVE-2014-0138 to these issues. 

     Column 4 of the following table lists the action required to
     remediate the vulnerability in each release, if a solution is 
     available.

     VMware         Product  Running   Replace with/
     Product        Version  on        Apply Patch
     =============  =======  =======   =================
     ESXi           5.5      any       Patch Pending
     ESXi           5.1      any       ESXi510-201412101-SG
     ESXi           5.0      any       Patch Pending

  e. Update to ESXi Python package

     Python is updated to address multiple security issues. 

     The Common Vulnerabilities and Exposures project 
     (cve.mitre.org) has assigned the names CVE-2013-1752 and 
     CVE-2013-4238 to these issues. 

     Column 4 of the following table lists the action required to
     remediate the vulnerability in each release, if a solution is 
     available.

     VMware         Product  Running   Replace with/
     Product        Version  on        Apply Patch
     =============  =======  =======   =================
     ESXi           5.5      any       Patch Pending
     ESXi           5.1      any       ESXi510-201412101-SG
     ESXi           5.0      any       Patch Pending

  f. vCenter and Update Manager, Oracle JRE 1.6 Update 81

     Oracle has documented the CVE identifiers that are addressed in 
     JRE 1.6.0 update 81 in the Oracle Java SE Critical Patch Update
     Advisory of July 2014. The References section provides a link to
     this advisory. 

     VMware                 Product  Running  Replace with/
     Product                Version  on       Apply Patch
     =============          =======  =======  =================
     vCenter Server         5.5      any      not applicable *
     vCenter Server         5.1      any      5.1 Update 3
     vCenter Server         5.0      any      patch pending
     vCenter Update Manager 5.5      any      not applicable *
     vCenter Update Manager 5.1      any      5.1 Update 3
     vCenter Update Manager 5.0      any      patch pending

     * this product uses the Oracle JRE 1.7.0 family

4. Solution

   Please review the patch/release notes for your product and version 
   and verify the checksum of your downloaded file. 
  
   vCSA 5.1 Update 3, vCenter Server 5.1 Update 3 and Update Manager 5.1
   Update 3
   ----------------------------
   Downloads and Documentation: 
   https://www.vmware.com/go/download-vsphere

   ESXi 5.1
   ----------------------------
   File: update-from-esxi5.1-5.1_update03.zip.zip
   md5sum: b3fd3549b59c6c59c04bfd09b08c6edf
   sha1sum: 02139101fe205894774caac02820f6ea8416fb8b
   http://kb.vmware.com/kb/2086288
   update-from-esxi5.1-5.1_update03 contains ESXi510-201412101-SG
   
5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3797
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8371
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2877
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0191
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0015
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0138
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1752
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4238

   JRE 
   Oracle Java SE Critical Patch Update Advisory of July 2014
   http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html

- ------------------------------------------------------------------------

6. Change log

   2014-12-04 VMSA-2014-0012
   Initial security advisory in conjunction with the release of VMware
   vCSA 5.1 Update 3, vCenter Server 5.1 Update 3 and ESXi 5.1 Patches 
   released on 2014-12-04.

   2015-01-27 VMSA-2014-0012.1
   Security advisory updated in conjunction with the release of
   VMware ESXi 5.5 Patches released on 2015-01-27.


- ------------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

    security-announce at lists.vmware.com
    bugtraq at securityfocus.com
    fulldisclosure at seclists.org

   E-mail: security at vmware.com
   PGP key at: http://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   Consolidated list of VMware Security Advisories
   http://kb.vmware.com/kb/2078735

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html
 
   Twitter
   https://twitter.com/VMwareSRC

   Copyright 2015 VMware Inc.  All rights reserved.


-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.3.0 (Build 8741)
Charset: utf-8

wj8DBQFUxqHHDEcm8Vbi9kMRAoSaAKD0BgI72YbonTMBbjAp1UMsFE2eBQCaAoPT
tg8/S+hjkMsW8AV18Kkj8Tw=
=UwKa
-----END PGP SIGNATURE-----
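
Section 4 of the advisory above asks readers to verify the checksum of the downloaded file and publishes it as a File:/md5sum:/sha1sum: stanza. The following is an added example, not part of the advisory or of any VMware tooling: it parses such a stanza and checks a local file against every digest listed. The function names are this example's own, and the stanza values are copied from the advisory. MD5 and SHA-1 are the only digests the advisory provides; they catch a corrupted or truncated download.

```python
import hashlib
import hmac
import re

# Stanza copied from section 4 of the advisory above.
ADVISORY_STANZA = """
   File: update-from-esxi5.1-5.1_update03.zip.zip
   md5sum: b3fd3549b59c6c59c04bfd09b08c6edf
   sha1sum: 02139101fe205894774caac02820f6ea8416fb8b
"""

FIELD = re.compile(r"^[ \t]*(File|md5sum|sha1sum):[ \t]*(\S+)[ \t]*$", re.M)
ALGOS = {"md5sum": "md5", "sha1sum": "sha1"}  # advisory label -> hashlib name


def parse_stanza(text):
    """Return (filename, {hashlib_name: hex_digest}) from an advisory stanza."""
    name, digests = None, {}
    for key, value in FIELD.findall(text):
        if key == "File":
            name = value
        else:
            digests[ALGOS[key]] = value.lower()
    if name is None or not digests:
        raise ValueError("stanza needs a File: line and at least one digest")
    return name, digests


def file_digests(path, algos, chunk=1 << 20):
    """Stream the file once and compute every requested digest."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}


def verify(path, stanza):
    """True only if every digest published in the stanza matches the file."""
    _, expected = parse_stanza(stanza)
    actual = file_digests(path, expected)
    return all(hmac.compare_digest(actual[a], expected[a]) for a in expected)
```

Call `verify("/path/to/download.zip", ADVISORY_STANZA)` with the path of the downloaded bundle; a `False` result means at least one published digest does not match and the file should not be installed.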