Category Archives: VMWare

VMWare

UPDATED: VMSA-2014-0006.10 – VMware product updates address OpenSSL security vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -----------------------------------------------------------------------
VMware Security Advisory

Advisory ID: VMSA-2014-0006.10
Synopsis:    VMware product updates address OpenSSL
             security vulnerabilities
Issue date:  2014-06-10
Updated on:  2014-09-09
CVE numbers: CVE-2014-0224, CVE-2014-0198, CVE-2010-5298, and
             CVE-2014-3470
- -----------------------------------------------------------------------

1. Summary

   VMware product updates address OpenSSL security vulnerabilities.

2. Relevant Releases

   Big Data Extensions prior to 2.0.0

   ESXi 5.5 without patch ESXi550-201406401-SG
   ESXi 5.1 without patch ESXi510-201406401-SG
   ESXi 5.0 without patch ESXi500-201407401-SG

   Workstation 10.x prior to 10.0.3
   Workstation 9.x prior to 9.0.4

   Player 6.x prior to 6.0.3
   Player 5.x prior to 5.0.4

   Fusion 6.x prior to 6.0.4
   Fusion 5.x prior to 5.0.5

   Horizon Mirage Edge Gateway prior to 4.4.3

   Horizon View prior to 5.3.2
   Horizon View 5.3 Feature Pack X prior to Feature Pack 3

   Horizon Workspace Server 1.5.x without patch horizon-nginx-rpm-
                                                1.5.0.0-1876270.
                                                x86_64.rpm

   Horizon Workspace Server 1.8.x without patch horizon-nginx-rpm-
                                                1.8.2.1820-1876338.
                                                x86_64.rpm

   Horizon View Clients prior to 3.0

   vCD 5.5.x prior to 5.5.1.2
   vCD 5.1.x prior to 5.1.3.1

   vCenter prior to 5.5u1b
   vCenter prior to 5.1 U2a
   vCenter prior to 5.0U3a

   vCenter Support Assistant prior to 5.5.1.1

   vCloud Automation Center prior to 6.0.1.2

   vCenter Configuration Manager prior to 5.7.2

   vCenter Converter Standalone prior to 5.5.2
   Converter Standalone prior to 5.1.1

   Usage Manager prior to 3.3

   vCenter Operations Manager prior to 5.8.2
   vCenter Operations Manager prior to 5.7.3

   vCenter Chargeback Manager 2.6 prior to 2.6.0.1

   vCloud Networking and Security prior to 5.5.2.1
   vCloud Networking and Security prior to 5.1.4.1

   vSphere PowerCLI 5.x

   vCSA prior to 5.5u1b
   vCSA prior to 5.1u2a
   vCSA prior to 5.0u3a

   OVF Tool prior to 5.3.2

   Update Manager prior to 5.5u1b

   ITBM Standard  prior to 1.1

   VDDK prior to 5.5.2
   VDDK prior to 5.1.3
   VDDK prior to 5.0.4

   NSX for Multi-Hypervisor 4.1.x prior to 4.1.3
   NSX for Multi-Hypervisor 4.0.x prior to 4.0.4
   NVP 3.0.x prior to 3.2.3
   NSX 6.0.x for vSphere prior to 6.0.5

   vFabric Web Server 5.x
   Pivotal Web Server prior to 5.4.1

   vCenter Site Recovery Manager prior to 5.5.1.1
   vCenter Site Recovery Manager  prior to 5.1.2.1
   vCenter Site Recovery Manager  prior to 5.0.3.2

   vSphere Replication prior to 5.8
   vSphere Replication prior to 5.5.1.1

   vSphere SDK for Perl prior to 5.5 Update 2

3. Problem Description

   a. OpenSSL update for multiple products.

      OpenSSL libraries have been updated in multiple products to
      versions 0.9.8za and 1.0.1h in order to resolve multiple security
      issues.

      The Common Vulnerabilities and Exposures project (cve.mitre.org)
      has assigned the names CVE-2014-0224, CVE-2014-0198,
      CVE-2010-5298, CVE-2014-3470, CVE-2014-0221 and CVE-2014-0195 to
      these issues. The most important of these issues is
      CVE-2014-0224.

      CVE-2014-0198, CVE-2010-5298 and CVE-2014-3470 are considered to
      be of moderate severity. Exploitation is highly unlikely or is
      mitigated due to the application configuration.

      CVE-2014-0221 and CVE-2014-0195, which are listed in the OpenSSL
      Security Advisory (see Reference section below), do not affect
      any VMware products.

      CVE-2014-0224 may lead to a Man-in-the-Middle attack if a server
      is running a vulnerable version of OpenSSL 1.0.1 and clients are
      running a vulnerable version of OpenSSL 0.9.8 or 1.0.1. Updating
      the server will mitigate this issue for both the server and all
      affected clients.

      CVE-2014-0224 may affect products differently depending on
      whether the product is acting as a client or a server and of
      which version of OpenSSL the product is using. For readability
      the affected products have been split into 3 tables below,
      based on the different client-server configurations and
      deployment scenarios.

      MITIGATIONS

      Clients that communicate with a patched or non-vulnerable server
      are not vulnerable to CVE-2014-0224. Applying these patches to
      affected servers will mitigate the affected clients (See Table 1
      below).

      Clients that communicate over untrusted networks such as public
      Wi-Fi and communicate to a server running a vulnerable version of
      OpenSSL 1.0.1. can be mitigated by using a secure network such as
      VPN (see Table 2 below).

      Clients and servers that are deployed on an isolated network are
      less exposed to CVE-2014-0224 (see Table 3 below). The affected
      products are typically deployed to communicate over the
      management network.

      RECOMMENDATIONS

      VMware recommends customers evaluate and deploy patches for
      affected Servers in Table 1 below as these patches become
      available. Patching these servers will remove the ability to
      exploit the vulnerability described in CVE-2014-0224 on both
      clients and servers.

      VMware recommends customers consider
      applying patches to products listed in Table 2 & 3 as required.

      Column 4 of the following tables lists the action required to
      remediate the vulnerability in each release, if a solution is
      available.

      Table 1
      =======
      Affected servers running a vulnerable version of OpenSSL 1.0.1.

      VMware                          Product  Running  Replace with/
      Product                         Version  on       Apply Patch
      ==============                  =======  =======  =============
      ESXi                            5.5      ESXi     ESXi550-
                                                        201406401-SG

      Big Data Extensions             1.1               2.0.0

      vCenter Chargeback Manager      2.6               2.6.0.1

      Horizon Workspace Server        1.5.x             horizon-nginx-
                                                        rpm-1.5.0.0-
                                                        1876270.
                                                        x86_64.rpm
      Horizon Workspace Server        1.8.x             horizon-nginx-
                                                        rpm-1.8.2.1820-
                                                        1876338.
                                                        x86_64.rpm

      Horizon Mirage Edge Gateway     4.4.x             4.4.3

      Horizon View                    5.x               5.3.2

      Horizon View Feature Pack       5.x               5.3 FP3

      NSX for Multi-Hypervisor        4.1.2             4.1.3
      NSX for Multi-Hypervisor        4.0.3             4.0.4
      NSX for vSphere                 6.0.4             6.0.5
      NVP                             3.2.2             3.2.3

      vCloud Networking and Security  5.5.2             5.5.2.1
      vCloud Networking and Security  5.1.4             5.1.4.1

      Pivotal Web Server              5.4               5.4.1
      vFabric Web Server              5.x               Pivotal Web
                                                        Server 5.4.1

      Table 2
      ========
      Affected clients running a vulnerable version of OpenSSL 0.9.8
      or 1.0.1 and communicating over an untrusted network.

      VMware                          Product  Running  Replace with/
      Product                         Version  on       Apply Patch
      ==============                  =======  =======  =============
      vCSA                            5.5               5.5u1b
      vCSA                            5.1               5.1u2a
      vCSA                            5.0               5.0u3a

      ESXi                            5.1      ESXi     ESXi510-
                                                        201406401-SG
      ESXi                            5.0      ESXi     ESXi500-
                                                        201407401-SG

      Workstation                     10.x     any      10.0.3
      Workstation                     9.x      any      9.0.4
      Fusion                          6.x      OSX      6.0.4
      Fusion                          5.x      OSX      5.0.5
      Player                          6.x      any      6.0.3
      Player                          5.x      any      5.0.4

      vCenter Chargeback Manager      2.5.x             2.6.0.1

      Horizon Workspace Client        1.x      OSX      1.8.2
      Horizon Workspace Client        1.x      Windows  1.8.2

      Horizon View Client             2.x      Android  3.0
      Horizon View Client             2.x      iOS      3.0
      Horizon View Client             2.x      OSX      3.0
      Horizon View Client             2.x      Windows  3.0
      Horizon View Client             2.x      WinStore 3.0

      OVF Tool                        3.5.1             3.5.2
      OVF Tool                        3.0.1             3.5.2

      vCenter Operations Manager      5.8.x             5.8.2
      vCenter Operations Manager      5.7.x             5.7.3

      vCenter Support Assistant       5.5.1             5.5.1.1

      vCD                             5.5.1.x           5.5.1.2
      vCD                             5.1.x             5.1.3.1

      vCenter Site Recovery Manager   5.5.x             5.5.1.1
      vCenter Site Recovery Manager   5.1.x             5.1.2.1
      vCenter Site Recovery Manager   5.0.3.x           5.0.3.2

      vSphere Client                  5.5       Windows 5.5u1b
      vSphere Client                  5.1       Windows 5.1u2a
      vSphere Client                  5.0       Windows 5.0u3a

      Table 3
      =======
      The following table lists all affected clients running a
      vulnerable version of OpenSSL 0.9.8 or 1.0.1 and communicating
      over a trusted or isolated network.

      VMware                          Product  Running  Replace with/
      Product                         Version  on       Apply Patch
      ==============                  =======  =======  =============
      vCenter Server                  5.5      any      5.5u1b
      vCenter Server                  5.1      any      5.1u2a
      vCenter Server                  5.0      any      5.0u3a

      Update Manager                  5.5      Windows  5.5u1b

      vCenter Configuration
      Manager (VCM)                   5.6               5.7.2


      ITBM Standard                   1.0.1             1.1
      ITBM Standard                   1.0               1.1

      Studio                          2.6.0.0           patch pending

      Usage Meter                     3.3               3.3.1

      vCenter Converter Standalone    5.5               5.5.2
      vCenter Converter Standalone    5.1               5.1.1

      vCloud Automation Center        6.0.x             6.0.1.2

      VIX API                         1.12              patch pending

      vMA (Management Assistant)      5.5.01            patch pending

      vSphere PowerCLI                5.x               See VMware
                                                        KB 2082132

      vSphere Data Protection         5.5.6             patch pending
      vSphere Data Protection         5.1.11            patch pending

      vSphere Replication             5.5.1             5.5.1.1
      vSphere Replication             5.6               5.8

      vSphere SDK for Perl            5.5               5.5 Update 2

      VDDK                            5.5.x             5.5.2
      VDDK                            5.1.x             5.1.3
      VDDK                            5.0.x             5.0.4

   4. Solution

   Big Data Extensions 2.0.0
   ----------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/download-bde

   ESXi 5.5, 5.1 and 5.0
   ----------------------------
   Download:
   https://www.vmware.com/patchmgr/findPatch.portal

   Horizon Mirage Edge Gateway 4.4.3
   ---------------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/download-horizon-mirage

   vCD 5.5.1.2
   ----------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/download/vcloud-director

   vCenter Server 5.5u1b, 5.1u2a, 5.0u3a
   ------------------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/download-vsphere

   vCSA 5.5u1b, 5.1u2a and 5.0u3a
   ----------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/download-vsphere

   Update Manager 5.5u1b
   ----------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/download-vsphere

   VDDK 5.x
   ----------------------------
   Downloads and Documentation:
   https://www.vmware.com/support/developer/vddk

   vCenter Configuration Manager (VCM) 5
   ----------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/download_vcm

   vCenter Operations Manager 5.8 and 5.7.3
   ----------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/download-vsphere-ops-mgr

   OVF Tool 3.5.2
   --------------
   Download:
   https://www.vmware.com/support/developer/ovf/

   vCenter Converter Standalone 5.5.2
   -----------------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/download-converter

   Horizon View 5
   ----------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/downloadview

   Horizon View 5.3 Feature Pack 3
   -----------------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/downloadview

   Horizon Workspace Server 1.5 and 1.8.x
   ----------------------------
   Release Notes and download:
   http://kb.vmware.com/kb/2082181

   Workstation
   ----------------------
   https://www.vmware.com/go/downloadworkstation

   Fusion
   ------------------
   https://www.vmware.com/go/downloadfusion

   VMware Player
   ------------------
   https://www.vmware.com/go/downloadplayer

   vCenter Server 5.1 Update 2a
   ----------------------------------------------------
   Download link:

https://my.vmware.com/web/vmware/info/slug/datacenter_cloud_infrastructure/
vmware_vsphere/5_1

   vCenter Server 5.0 Update 3a
   ----------------------------------------------------
   Download link:

https://my.vmware.com/web/vmware/info/slug/datacenter_cloud_infrastructure/
vmware_vsphere/5_0

   vCloud Networking and Security 5.5.2.1
   ------------------------------------
   Download

https://my.vmware.com/web/vmware/details?downloadGroup=VCNS552_GA&productId
=353&rPId=5255

   vCloud Networking and Security 5.1.4.1
   ------------------------------------
   Download:

https://my.vmware.com/web/vmware/details?downloadGroup=VCNS514_GA&productId
=285&rPId=5131

   NSX for Multi-Hypervisor, NSX for vSphere and NVP
   -------------------------------------------------
   Remediation Instructions and Download, available under support:
   http://www.vmware.com/products/nsx

   vCD 5.5.1.2 and vCD 5.1.3.1
   ---------------------------
   Download link:
   https://www.vmware.com/go/download-vcd-ns

   VMware vCenter Chargeback Manager
   ---------------------------------
   Download link:
   https://www.vmware.com/go/download-chargeback

   Converter Standalone 5.1.1
   ---------------------------
   Download link:
   https://www.vmware.com/go/download-converter

   Usage Manager 3.3
   -----------------
   Downloads and Documentation:
   https://communities.vmware.com/community/vmtn/vcd/vcloud_usage_meter

   vCenter Support Assistant
   --------------------------
   Downloads:
   https://www.vmware.com/go/download-vsphere

   Pivotal Web Server 5.4.1
   ------------------------

https://my.vmware.com/web/vmware/details?downloadGroup=VF_530_PVTL_WSVR_541
&productId=335&rPId=6214

   vCloud Automation Center
   --------------------------
   Downloads:
   https://www.vmware.com/go/download-vcac

   vCenter Site Recovery Manager 5.5.1.1
   -------------------------------------
   Remediation Instructions and Download:
   http://kb.vmware.com/kb/2081861

   vCenter Site Recovery Manager 5.1.2.1
   -------------------------------------
   Remediation Instructions and Download:
   http://kb.vmware.com/kb/2081860

   vCenter Site Recovery Manager 5.0.3.2
   -------------------------------------
   Remediation Instructions and Download:
   http://kb.vmware.com/kb/2081859

   vSphere Replication 5.8
   -----------------------
   Download:

https://my.vmware.com/web/vmware/details?downloadGroup=SDKPERL552&productId
=353

   vSphere Replication 5.5.1.1
   ---------------------------
   Remediation Instructions and Download:
   http://kb.vmware.com/kb/2082666

   ITBM Standard 1.1
   -----------------
   Download:

https://my.vmware.com/web/vmware/details?downloadGroup=ITBM-STD-110&product
Id=384&rPId=6384

   Release Notes:

https://www.vmware.com/support/itbms/doc/itbm-standard-edition-11-release-n
otes.html

   vSphere SDK for Perl  5.5 Update 2
   ----------------------------------
   Download:

https://my.vmware.com/web/vmware/details?downloadGroup=VR580&productId=451&
rPId=6436

   Release Notes:

https://www.vmware.com/support/vsphere-replication/doc/vsphere-replication-
58-release-notes.html

5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0198
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-5298
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3470

   https://www.openssl.org/news/secadv_20140605.txt
   http://www.gopivotal.com/security/cve-2014-0224

   VMware Knowledge Base Article 2082132
   http://kb.vmware.com/kb/2082132

- -----------------------------------------------------------------------

6. Change Log

   2014-06-10 VMSA-2014-0006
   Initial security advisory in conjunction with the release of
   ESXi 5.5 updates on 2014-06-10

   2014-06-12 VMSA-2014-0006.1
   Updated security advisory in conjunction with the release of
   Big Data Extensions 2.0.0, Horizon Mirage Edge Gateway 4.4.3,
   vCD 5.5.1.2, vCenter Server 5.5u1b, vCSA 5.5u1b, and Update
   Manager 5.5u1b on 2014-06-12

   2014-06-17 VMSA-2014-0006.2
   Updated security advisory in conjunction with the release of
   ESXi 5.1 updates, VDDK 5.5.2, 5.1.3, and 5.0.4 on 2014-06-17

   2014-06-24 VMSA-2014-0006.3
   Updated security advisory in conjunction with the release of
   Horizon View 5.3.2, Horizon View 5.3 Feature Pack 3,
   vCenter Configuration Manager 5.7.2, vCenter
   Converter Standalone 5.5.2, vCenter Operations
   Manager 5.8.2, OVF Tool 5.3.2 on 2014-06-24

   2014-07-01 VMSA-2014-0006.4
   Updated security advisory in conjunction with the release of
   ESX 5.0 patches, Workstation 10.0.3, Player 6.0.3, Fusion 6.0.4,
   Horizon Workspace Server 1.5.x and 1.8.x updates, vCD
   5.1.3.1, vCenter Server 5.1 update 2a and 5.0 update 3a,
   vCSA 5.1 update 2a and 5.0 update 3a, Converter Standalone 5.1.1,
   vCenter Chargeback Manager 2.6.0.1,
   vCloud Networking and Security 5.5.2.1 and 5.1.4.1,
   NSX for Multi-Hypervisor 4.1.3,
   NSX for Multi-Hypervisor 4.0.4, NVP 3.2.3 and
   NSX 6.0.5 for vSphere on 2014-07-01

   2014-07-03 VMSA-2014-0006.5
   Updated security advisory in conjunction with the release of
   Workstation 9.0.4, Player 5.0.4, Fusion 5.0.5, vCenter Support
   Assistant 5.5.1.1, on 2014-07-03

   2014-07-08 VMSA-2014-0006.6
   Updated security advisory in conjunction with the release of
   vSphere PowerCLI 5.x on 2014-07-04 and Pivotal Web Server 5.4.1
   on 2014-07-08

   2014-07-10 VMSA-2014-0006.7
   Updated security advisory in conjunction with the release of
   vCloud Automation Center 6.0.1.2 and vCenter Operations Manager
   5.7.3 on 2014-07-10

   2014-07-18 VMSA-2014-0006.8
   Updated security advisory in conjunction with the release of
   patches for vCenter Site Recovery Manager 5.5.1.1 and
   vSphere Replication 5.5.1.1 on 2014-07-17

   2014-07-22 VMSA-2014-0006.9
   Updated security advisory in conjunction with the release of
   patches for vCenter Site Recovery Manager 5.1.2.1 and 5.0.3.2
   on 2014-07-22

   2014-09-09 VMSA-2014-0006.10
   Updated security advisory in conjunction with the release of
   patches for ITBM Standard 1.1, vSphere Replication 5.8 and
   vSphere SDK for Perl 5.5 Update 2 on 2014-09-09. vFabric
   Application Director has been removed from the table above since
   it is not affected by this issue.

- -----------------------------------------------------------------------


7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

    security-announce at lists.vmware.com
    bugtraq at securityfocus.com
    fulldisclosure at seclists.org

   E-mail: security at vmware.com
   PGP key at: http://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html

   Twitter
   https://twitter.com/VMwareSRC

   Copyright 2014 VMware Inc.  All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.3.0 (Build 8741)
Charset: utf-8

wj8DBQFUD16eDEcm8Vbi9kMRAgBdAJsG4mzXIKqUyD2j5rTkDDQvG9giYwCfTmv4
S8n3FBEzi2wj9s5V00WS7/4=
=2ZcF
-----END PGP SIGNATURE-----

UPDATED: VMSA-2014-0006.10 – VMware product updates address OpenSSL security vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -----------------------------------------------------------------------
VMware Security Advisory

Advisory ID: VMSA-2014-0006.10
Synopsis:    VMware product updates address OpenSSL
             security vulnerabilities
Issue date:  2014-06-10
Updated on:  2014-09-09
CVE numbers: CVE-2014-0224, CVE-2014-0198, CVE-2010-5298, and
             CVE-2014-3470
- -----------------------------------------------------------------------

1. Summary

   VMware product updates address OpenSSL security vulnerabilities.

2. Relevant Releases

   Big Data Extensions prior to 2.0.0

   ESXi 5.5 without patch ESXi550-201406401-SG
   ESXi 5.1 without patch ESXi510-201406401-SG
   ESXi 5.0 without patch ESXi500-201407401-SG

   Workstation 10.x prior to 10.0.3
   Workstation 9.x prior to 9.0.4

   Player 6.x prior to 6.0.3
   Player 5.x prior to 5.0.4

   Fusion 6.x prior to 6.0.4
   Fusion 5.x prior to 5.0.5

   Horizon Mirage Edge Gateway prior to 4.4.3

   Horizon View prior to 5.3.2
   Horizon View 5.3 Feature Pack X prior to Feature Pack 3

   Horizon Workspace Server 1.5.x without patch horizon-nginx-rpm-
                                                1.5.0.0-1876270.
                                                x86_64.rpm

   Horizon Workspace Server 1.8.x without patch horizon-nginx-rpm-
                                                1.8.2.1820-1876338.
                                                x86_64.rpm

   Horizon View Clients prior to 3.0

   vCD 5.5.x prior to 5.5.1.2
   vCD 5.1.x prior to 5.1.3.1

   vCenter prior to 5.5u1b
   vCenter prior to 5.1 U2a
   vCenter prior to 5.0U3a

   vCenter Support Assistant prior to 5.5.1.1

   vCloud Automation Center prior to 6.0.1.2

   vCenter Configuration Manager prior to 5.7.2

   vCenter Converter Standalone prior to 5.5.2
   Converter Standalone prior to 5.1.1

   Usage Manager prior to 3.3

   vCenter Operations Manager prior to 5.8.2
   vCenter Operations Manager prior to 5.7.3

   vCenter Chargeback Manager 2.6 prior to 2.6.0.1

   vCloud Networking and Security prior to 5.5.2.1
   vCloud Networking and Security prior to 5.1.4.1

   vSphere PowerCLI 5.x

   vCSA prior to 5.5u1b
   vCSA prior to 5.1u2a
   vCSA prior to 5.0u3a

   OVF Tool prior to 5.3.2

   Update Manager prior to 5.5u1b

   ITBM Standard  prior to 1.1

   VDDK prior to 5.5.2
   VDDK prior to 5.1.3
   VDDK prior to 5.0.4

   NSX for Multi-Hypervisor 4.1.x prior to 4.1.3
   NSX for Multi-Hypervisor 4.0.x prior to 4.0.4
   NVP 3.0.x prior to 3.2.3
   NSX 6.0.x for vSphere prior to 6.0.5

   vFabric Web Server 5.x
   Pivotal Web Server prior to 5.4.1

   vCenter Site Recovery Manager prior to 5.5.1.1
   vCenter Site Recovery Manager  prior to 5.1.2.1
   vCenter Site Recovery Manager  prior to 5.0.3.2

   vSphere Replication prior to 5.8
   vSphere Replication prior to 5.5.1.1

   vSphere SDK for Perl prior to 5.5 Update 2

3. Problem Description

   a. OpenSSL update for multiple products.

      OpenSSL libraries have been updated in multiple products to
      versions 0.9.8za and 1.0.1h in order to resolve multiple security
      issues.

      The Common Vulnerabilities and Exposures project (cve.mitre.org)
      has assigned the names CVE-2014-0224, CVE-2014-0198,
      CVE-2010-5298, CVE-2014-3470, CVE-2014-0221 and CVE-2014-0195 to
      these issues. The most important of these issues is
      CVE-2014-0224.

      CVE-2014-0198, CVE-2010-5298 and CVE-2014-3470 are considered to
      be of moderate severity. Exploitation is highly unlikely or is
      mitigated due to the application configuration.

      CVE-2014-0221 and CVE-2014-0195, which are listed in the OpenSSL
      Security Advisory (see Reference section below), do not affect
      any VMware products.

      CVE-2014-0224 may lead to a Man-in-the-Middle attack if a server
      is running a vulnerable version of OpenSSL 1.0.1 and clients are
      running a vulnerable version of OpenSSL 0.9.8 or 1.0.1. Updating
      the server will mitigate this issue for both the server and all
      affected clients.

      CVE-2014-0224 may affect products differently depending on
      whether the product is acting as a client or a server and of
      which version of OpenSSL the product is using. For readability
      the affected products have been split into 3 tables below,
      based on the different client-server configurations and
      deployment scenarios.

      MITIGATIONS

      Clients that communicate with a patched or non-vulnerable server
      are not vulnerable to CVE-2014-0224. Applying these patches to
      affected servers will mitigate the affected clients (See Table 1
      below).

      Clients that communicate over untrusted networks such as public
      Wi-Fi and communicate to a server running a vulnerable version of
      OpenSSL 1.0.1. can be mitigated by using a secure network such as
      VPN (see Table 2 below).

      Clients and servers that are deployed on an isolated network are
      less exposed to CVE-2014-0224 (see Table 3 below). The affected
      products are typically deployed to communicate over the
      management network.

      RECOMMENDATIONS

      VMware recommends customers evaluate and deploy patches for
      affected Servers in Table 1 below as these patches become
      available. Patching these servers will remove the ability to
      exploit the vulnerability described in CVE-2014-0224 on both
      clients and servers.

      VMware recommends customers consider
      applying patches to products listed in Table 2 & 3 as required.

      Column 4 of the following tables lists the action required to
      remediate the vulnerability in each release, if a solution is
      available.

      Table 1
      =======
      Affected servers running a vulnerable version of OpenSSL 1.0.1.

      VMware                          Product  Running  Replace with/
      Product                         Version  on       Apply Patch
      ==============                  =======  =======  =============
      ESXi                            5.5      ESXi     ESXi550-
                                                        201406401-SG

      Big Data Extensions             1.1               2.0.0

      vCenter Chargeback Manager      2.6               2.6.0.1

      Horizon Workspace Server        1.5.x             horizon-nginx-
                                                        rpm-1.5.0.0-
                                                        1876270.
                                                        x86_64.rpm
      Horizon Workspace Server        1.8.x             horizon-nginx-
                                                        rpm-1.8.2.1820-
                                                        1876338.
                                                        x86_64.rpm

      Horizon Mirage Edge Gateway     4.4.x             4.4.3

      Horizon View                    5.x               5.3.2

      Horizon View Feature Pack       5.x               5.3 FP3

      NSX for Multi-Hypervisor        4.1.2             4.1.3
      NSX for Multi-Hypervisor        4.0.3             4.0.4
      NSX for vSphere                 6.0.4             6.0.5
      NVP                             3.2.2             3.2.3

      vCloud Networking and Security  5.5.2             5.5.2.1
      vCloud Networking and Security  5.1.4             5.1.4.1

      Pivotal Web Server              5.4               5.4.1
      vFabric Web Server              5.x               Pivotal Web
                                                        Server 5.4.1

      Table 2
      ========
      Affected clients running a vulnerable version of OpenSSL 0.9.8
      or 1.0.1 and communicating over an untrusted network.

      VMware                          Product  Running  Replace with/
      Product                         Version  on       Apply Patch
      ==============                  =======  =======  =============
      vCSA                            5.5               5.5u1b
      vCSA                            5.1               5.1u2a
      vCSA                            5.0               5.0u3a

      ESXi                            5.1      ESXi     ESXi510-
                                                        201406401-SG
      ESXi                            5.0      ESXi     ESXi500-
                                                        201407401-SG

      Workstation                     10.x     any      10.0.3
      Workstation                     9.x      any      9.0.4
      Fusion                          6.x      OSX      6.0.4
      Fusion                          5.x      OSX      5.0.5
      Player                          6.x      any      6.0.3
      Player                          5.x      any      5.0.4

      vCenter Chargeback Manager      2.5.x             2.6.0.1

      Horizon Workspace Client        1.x      OSX      1.8.2
      Horizon Workspace Client        1.x      Windows  1.8.2

      Horizon View Client             2.x      Android  3.0
      Horizon View Client             2.x      iOS      3.0
      Horizon View Client             2.x      OSX      3.0
      Horizon View Client             2.x      Windows  3.0
      Horizon View Client             2.x      WinStore 3.0

      OVF Tool                        3.5.1             3.5.2
      OVF Tool                        3.0.1             3.5.2

      vCenter Operations Manager      5.8.x             5.8.2
      vCenter Operations Manager      5.7.x             5.7.3

      vCenter Support Assistant       5.5.1             5.5.1.1

      vCD                             5.5.1.x           5.5.1.2
      vCD                             5.1.x             5.1.3.1

      vCenter Site Recovery Manager   5.5.x             5.5.1.1
      vCenter Site Recovery Manager   5.1.x             5.1.2.1
      vCenter Site Recovery Manager   5.0.3.x           5.0.3.2

      vSphere Client                  5.5       Windows 5.5u1b
      vSphere Client                  5.1       Windows 5.1u2a
      vSphere Client                  5.0       Windows 5.0u3a

      Table 3
      =======
      The following table lists all affected clients running a
      vulnerable version of OpenSSL 0.9.8 or 1.0.1 and communicating
      over a trusted or isolated network.

      VMware                          Product  Running  Replace with/
      Product                         Version  on       Apply Patch
      ==============                  =======  =======  =============
      vCenter Server                  5.5      any      5.5u1b
      vCenter Server                  5.1      any      5.1u2a
      vCenter Server                  5.0      any      5.0u3a

      Update Manager                  5.5      Windows  5.5u1b

      vCenter Configuration
      Manager (VCM)                   5.6               5.7.2


      ITBM Standard                   1.0.1             1.1
      ITBM Standard                   1.0               1.1

      Studio                          2.6.0.0           patch pending

      Usage Meter                     3.3               3.3.1

      vCenter Converter Standalone    5.5               5.5.2
      vCenter Converter Standalone    5.1               5.1.1

      vCloud Automation Center        6.0.x             6.0.1.2

      VIX API                         1.12              patch pending

      vMA (Management Assistant)      5.5.01            patch pending

      vSphere PowerCLI                5.x               See VMware
                                                        KB 2082132

      vSphere Data Protection         5.5.6             patch pending
      vSphere Data Protection         5.1.11            patch pending

      vSphere Replication             5.5.1             5.5.1.1
      vSphere Replication             5.6               5.8

      vSphere SDK for Perl            5.5               5.5 Update 2

      VDDK                            5.5.x             5.5.2
      VDDK                            5.1.x             5.1.3
      VDDK                            5.0.x             5.0.4

   4. Solution

   Big Data Extensions 2.0.0
   ----------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/download-bde

   ESXi 5.5, 5.1 and 5.0
   ----------------------------
   Download:
   https://www.vmware.com/patchmgr/findPatch.portal

   Horizon Mirage Edge Gateway 4.4.3
   ---------------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/download-horizon-mirage

   vCD 5.5.1.2
   ----------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/download/vcloud-director

   vCenter Server 5.5u1b, 5.1u2a, 5.0u3a
   ------------------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/download-vsphere

   vCSA 5.5u1b, 5.1u2a and 5.0u3a
   ----------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/download-vsphere

   Update Manager 5.5u1b
   ----------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/download-vsphere

   VDDK 5.x
   ----------------------------
   Downloads and Documentation:
   https://www.vmware.com/support/developer/vddk

   vCenter Configuration Manager (VCM) 5
   ----------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/download_vcm

   vCenter Operations Manager 5.8 and 5.7.3
   ----------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/download-vsphere-ops-mgr

   OVF Tool 3.5.2
   --------------
   Download:
   https://www.vmware.com/support/developer/ovf/

   vCenter Converter Standalone 5.5.2
   -----------------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/download-converter

   Horizon View 5
   ----------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/downloadview

   Horizon View 5.3 Feature Pack 3
   -----------------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/downloadview

   Horizon Workspace Server 1.5 and 1.8.x
   ----------------------------
   Release Notes and download:
   http://kb.vmware.com/kb/2082181

   Workstation
   ----------------------
   https://www.vmware.com/go/downloadworkstation

   Fusion
   ------------------
   https://www.vmware.com/go/downloadfusion

   VMware Player
   ------------------
   https://www.vmware.com/go/downloadplayer

   vCenter Server 5.1 Update 2a
   ----------------------------------------------------
   Download link:

https://my.vmware.com/web/vmware/info/slug/datacenter_cloud_infrastructure/
vmware_vsphere/5_1

   vCenter Server 5.0 Update 3a
   ----------------------------------------------------
   Download link:

https://my.vmware.com/web/vmware/info/slug/datacenter_cloud_infrastructure/
vmware_vsphere/5_0

   vCloud Networking and Security 5.5.2.1
   ------------------------------------
   Download

https://my.vmware.com/web/vmware/details?downloadGroup=VCNS552_GA&productId
=353&rPId=5255

   vCloud Networking and Security 5.1.4.1
   ------------------------------------
   Download:

https://my.vmware.com/web/vmware/details?downloadGroup=VCNS514_GA&productId
=285&rPId=5131

   NSX for Multi-Hypervisor, NSX for vSphere and NVP
   -------------------------------------------------
   Remediation Instructions and Download, available under support:
   http://www.vmware.com/products/nsx

   vCD 5.5.1.2 and vCD 5.1.3.1
   ---------------------------
   Download link:
   https://www.vmware.com/go/download-vcd-ns

   VMware vCenter Chargeback Manager
   ---------------------------------
   Download link:
   https://www.vmware.com/go/download-chargeback

   Converter Standalone 5.1.1
   ---------------------------
   Download link:
   https://www.vmware.com/go/download-converter

   Usage Manager 3.3
   -----------------
   Downloads and Documentation:
   https://communities.vmware.com/community/vmtn/vcd/vcloud_usage_meter

   vCenter Support Assistant
   --------------------------
   Downloads:
   https://www.vmware.com/go/download-vsphere

   Pivotal Web Server 5.4.1
   ------------------------

https://my.vmware.com/web/vmware/details?downloadGroup=VF_530_PVTL_WSVR_541
&productId=335&rPId=6214

   vCloud Automation Center
   --------------------------
   Downloads:
   https://www.vmware.com/go/download-vcac

   vCenter Site Recovery Manager 5.5.1.1
   -------------------------------------
   Remediation Instructions and Download:
   http://kb.vmware.com/kb/2081861

   vCenter Site Recovery Manager 5.1.2.1
   -------------------------------------
   Remediation Instructions and Download:
   http://kb.vmware.com/kb/2081860

   vCenter Site Recovery Manager 5.0.3.2
   -------------------------------------
   Remediation Instructions and Download:
   http://kb.vmware.com/kb/2081859

   vSphere Replication 5.8
   -----------------------
   Download:

https://my.vmware.com/web/vmware/details?downloadGroup=SDKPERL552&productId
=353

   vSphere Replication 5.5.1.1
   ---------------------------
   Remediation Instructions and Download:
   http://kb.vmware.com/kb/2082666

   ITBM Standard 1.1
   -----------------
   Download:

https://my.vmware.com/web/vmware/details?downloadGroup=ITBM-STD-110&product
Id=384&rPId=6384

   Release Notes:

https://www.vmware.com/support/itbms/doc/itbm-standard-edition-11-release-n
otes.html

   vSphere SDK for Perl  5.5 Update 2
   ----------------------------------
   Download:

https://my.vmware.com/web/vmware/details?downloadGroup=VR580&productId=451&
rPId=6436

   Release Notes:

https://www.vmware.com/support/vsphere-replication/doc/vsphere-replication-
58-release-notes.html

5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0198
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-5298
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3470

   https://www.openssl.org/news/secadv_20140605.txt
   http://www.gopivotal.com/security/cve-2014-0224

   VMware Knowledge Base Article 2082132
   http://kb.vmware.com/kb/2082132

- -----------------------------------------------------------------------

6. Change Log

   2014-06-10 VMSA-2014-0006
   Initial security advisory in conjunction with the release of
   ESXi 5.5 updates on 2014-06-10

   2014-06-12 VMSA-2014-0006.1
   Updated security advisory in conjunction with the release of
   Big Data Extensions 2.0.0, Horizon Mirage Edge Gateway 4.4.3,
   vCD 5.5.1.2, vCenter Server 5.5u1b, vCSA 5.5u1b, and Update
   Manager 5.5u1b on 2014-06-12

   2014-06-17 VMSA-2014-0006.2
   Updated security advisory in conjunction with the release of
   ESXi 5.1 updates, VDDK 5.5.2, 5.1.3, and 5.0.4 on 2014-06-17

   2014-06-24 VMSA-2014-0006.3
   Updated security advisory in conjunction with the release of
   Horizon View 5.3.2, Horizon View 5.3 Feature Pack 3,
   vCenter Configuration Manager 5.7.2, vCenter
   Converter Standalone 5.5.2, vCenter Operations
   Manager 5.8.2, OVF Tool 5.3.2 on 2014-06-24

   2014-07-01 VMSA-2014-0006.4
   Updated security advisory in conjunction with the release of
   ESX 5.0 patches, Workstation 10.0.3, Player 6.0.3, Fusion 6.0.4,
   Horizon Workspace Server 1.5.x and 1.8.x updates, vCD
   5.1.3.1, vCenter Server 5.1 update 2a and 5.0 update 3a,
   vCSA 5.1 update 2a and 5.0 update 3a, Converter Standalone 5.1.1,
   vCenter Chargeback Manager 2.6.0.1,
   vCloud Networking and Security 5.5.2.1 and 5.1.4.1,
   NSX for Multi-Hypervisor 4.1.3,
   NSX for Multi-Hypervisor 4.0.4, NVP 3.2.3 and
   NSX 6.0.5 for vSphere on 2014-07-01

   2014-07-03 VMSA-2014-0006.5
   Updated security advisory in conjunction with the release of
   Workstation 9.0.4, Player 5.0.4, Fusion 5.0.5, vCenter Support
   Assistant 5.5.1.1, on 2014-07-03

   2014-07-08 VMSA-2014-0006.6
   Updated security advisory in conjunction with the release of
   vSphere PowerCLI 5.x on 2014-07-04 and Pivotal Web Server 5.4.1
   on 2014-07-08

   2014-07-10 VMSA-2014-0006.7
   Updated security advisory in conjunction with the release of
   vCloud Automation Center 6.0.1.2 and vCenter Operations Manager
   5.7.3 on 2014-07-10

   2014-07-18 VMSA-2014-0006.8
   Updated security advisory in conjunction with the release of
   patches for vCenter Site Recovery Manager 5.5.1.1 and
   vSphere Replication 5.5.1.1 on 2014-07-17

   2014-07-22 VMSA-2014-0006.9
   Updated security advisory in conjunction with the release of
   patches for vCenter Site Recovery Manager 5.1.2.1 and 5.0.3.2
   on 2014-07-22

   2014-09-09 VMSA-2014-0006.10
   Updated security advisory in conjunction with the release of
   patches for ITBM Standard 1.1, vSphere Replication 5.8 and
   vSphere SDK for Perl 5.5 Update 2 on 2014-09-09. vFabric
   Application Director has been removed from the table above since
   it is not affected by this issue.

- -----------------------------------------------------------------------


7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

    security-announce at lists.vmware.com
    bugtraq at securityfocus.com
    fulldisclosure at seclists.org

   E-mail: security at vmware.com
   PGP key at: http://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html

   Twitter
   https://twitter.com/VMwareSRC

   Copyright 2014 VMware Inc.  All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.3.0 (Build 8741)
Charset: utf-8

wj8DBQFUD16eDEcm8Vbi9kMRAgBdAJsG4mzXIKqUyD2j5rTkDDQvG9giYwCfTmv4
S8n3FBEzi2wj9s5V00WS7/4=
=2ZcF
-----END PGP SIGNATURE-----

UPDATED: VMSA-2014-0007.2 – VMware product updates address security vulnerabilities in Apache Struts library

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID: VMSA-2014-0007.2
Synopsis:    VMware product updates address security vulnerabilities in 
             Apache Struts library 
Issue date:  2014-06-24
Updated on:  2014-09-09
CVE number:  CVE-2014-0050, CVE-2014-0094, CVE-2014-0112
- ------------------------------------------------------------------------

1. Summary

    VMware product updates address security vulnerabilities in Apache 
    Struts library

2. Relevant releases

    VMware vCenter Operations Management Suite prior to 5.8.2
    VMware vCenter Operations Management Suite prior to 5.7.3

    VMware vCenter Orchestrator prior to 5.5.2

3. Problem Description

   a. The Apache Struts library is updated to version 2.3.16.2 to 
      address multiple security issues.

      The Common Vulnerabilities and Exposures project (cve.mitre.org)
      has assigned the names CVE-2014-0050, CVE-2014-0094, and
      CVE-2014-0112 to these issues. 

      CVE-2014-0112 may lead to remote code execution. This issue was 
      found to be only partially addressed in CVE-2014-0094.

      CVE-2014-0050 may lead to a denial of service condition.

      vCenter Operations Management Suite (vCOps) is affected by both 
      CVE-2014-0112 and CVE-2014-0050. Exploitation of CVE-2014-0112
      may lead to remote code execution without authentication. 

      vCenter Orchestrator (vCO) is affected by CVE-2014-0050 and not 
      by CVE-2014-0112.

      Workaround

      A workaround for CVE-2014-0112 is documented in VMware Knowledge Base
      article 2081470.


      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is 
      available.

      VMware      Product   RunningReplace with/
      Product     Version   on      Apply Patch
      ==========  =======   ========================
      vCOPS      5.8.x    any vCOPS 5.8.2
      vCOPS       5.7.x     any      vCOPS 5.7.3

      vCO         5.5       any      vCO 5.5.2
      vCO         5.1       any      patch pending
      vCO         4.2       any      patch pending

4. Solution

   Please review the patch/release notes for your product and version 
   and verify the checksum of your downloaded file. 

   vCenter Operations Management Suite 5.8.2 and 5.7.3
   ---------------------------------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/download-vcops

   vCenter Orchestrator 5.5.2
   --------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/download-vsphere

5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0050
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0094
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0112

   http://kb.vmware.com/kb/2081470

- ------------------------------------------------------------------------

6. Change log

   2014-06-24 VMSA-2014-0007
   Initial security advisory in conjunction with the release of vCenter
   Operations Management Suite 5.8.2 on 2014-06-24.

   2014-07-11 VMSA-2014-0007.1
   Updated security advisory in conjunction with the release of vCenter
   Operations Management Suite 5.7.3 on 2014-07-10.

   2014-09-09 VMSA-2014-0007.2
   Updated security advisory in conjunction with the release of vCenter
   Orchestrator 5.5.2 on 2014-09-09.

- ------------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

    security-announce at lists.vmware.com
    bugtraq at securityfocus.com
    fulldisclosure at seclists.org

   E-mail: security at vmware.com
   PGP key at: http://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html
 
   Twitter
   https://twitter.com/VMwareSRC

   Copyright 2014 VMware Inc.  All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.3.0 (Build 8741)
Charset: utf-8

wj8DBQFUD2OBDEcm8Vbi9kMRAvS6AKDqvOoAKkUoghqYONuEBm98u8/ZoACg1/s3
Sxk/o2UW00LIgdOXpUKB9D4=
=nRjh
-----END PGP SIGNATURE-----

UPDATED: VMSA-2014-0007.2 – VMware product updates address security vulnerabilities in Apache Struts library

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID: VMSA-2014-0007.2
Synopsis:    VMware product updates address security vulnerabilities in 
             Apache Struts library 
Issue date:  2014-06-24
Updated on:  2014-09-09
CVE number:  CVE-2014-0050, CVE-2014-0094, CVE-2014-0112
- ------------------------------------------------------------------------

1. Summary

    VMware product updates address security vulnerabilities in Apache 
    Struts library

2. Relevant releases

    VMware vCenter Operations Management Suite prior to 5.8.2
    VMware vCenter Operations Management Suite prior to 5.7.3

    VMware vCenter Orchestrator prior to 5.5.2

3. Problem Description

   a. The Apache Struts library is updated to version 2.3.16.2 to 
      address multiple security issues.

      The Common Vulnerabilities and Exposures project (cve.mitre.org)
      has assigned the names CVE-2014-0050, CVE-2014-0094, and
      CVE-2014-0112 to these issues. 

      CVE-2014-0112 may lead to remote code execution. This issue was 
      found to be only partially addressed in CVE-2014-0094.

      CVE-2014-0050 may lead to a denial of service condition.

      vCenter Operations Management Suite (vCOps) is affected by both 
      CVE-2014-0112 and CVE-2014-0050. Exploitation of CVE-2014-0112
      may lead to remote code execution without authentication. 

      vCenter Orchestrator (vCO) is affected by CVE-2014-0050 and not 
      by CVE-2014-0112.

      Workaround

      A workaround for CVE-2014-0112 is documented in VMware Knowledge Base
      article 2081470.


      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is 
      available.

      VMware      Product   RunningReplace with/
      Product     Version   on      Apply Patch
      ==========  =======   ========================
      vCOPS      5.8.x    any vCOPS 5.8.2
      vCOPS       5.7.x     any      vCOPS 5.7.3

      vCO         5.5       any      vCO 5.5.2
      vCO         5.1       any      patch pending
      vCO         4.2       any      patch pending

4. Solution

   Please review the patch/release notes for your product and version 
   and verify the checksum of your downloaded file. 

   vCenter Operations Management Suite 5.8.2 and 5.7.3
   ---------------------------------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/download-vcops

   vCenter Orchestrator 5.5.2
   --------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/download-vsphere

5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0050
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0094
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0112

   http://kb.vmware.com/kb/2081470

- ------------------------------------------------------------------------

6. Change log

   2014-06-24 VMSA-2014-0007
   Initial security advisory in conjunction with the release of vCenter
   Operations Management Suite 5.8.2 on 2014-06-24.

   2014-07-11 VMSA-2014-0007.1
   Updated security advisory in conjunction with the release of vCenter
   Operations Management Suite 5.7.3 on 2014-07-10.

   2014-09-09 VMSA-2014-0007.2
   Updated security advisory in conjunction with the release of vCenter
   Orchestrator 5.5.2 on 2014-09-09.

- ------------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

    security-announce at lists.vmware.com
    bugtraq at securityfocus.com
    fulldisclosure at seclists.org

   E-mail: security at vmware.com
   PGP key at: http://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html
 
   Twitter
   https://twitter.com/VMwareSRC

   Copyright 2014 VMware Inc.  All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.3.0 (Build 8741)
Charset: utf-8

wj8DBQFUD2OBDEcm8Vbi9kMRAvS6AKDqvOoAKkUoghqYONuEBm98u8/ZoACg1/s3
Sxk/o2UW00LIgdOXpUKB9D4=
=nRjh
-----END PGP SIGNATURE-----

NEW VMSA-2014-0008 VMware vSphere product updates to third party libraries

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID: VMSA-2014-0008
Synopsis:    VMware vSphere product updates to third party libraries
Issue date:  2014-09-09
Updated on:  2014-09-09 (Initial Advisory)
CVE numbers:  --- Struts ---
             CVE-2014-0114
             --- tc-server ---
              CVE-2013-4590, CVE-2013-4322, and CVE-2014-0050
             --- glibc ---
             CVE-2013-0242 and CVE-2013-1914
             --- JRE ---
             See references
- ------------------------------------------------------------------------

1. Summary

    VMware has updated vSphere third party libraries

2. Relevant releases

 
    VMware vCenter Server 5.5 prior to Update 2

    VMware vCenter Update Manager 5.5 prior to Update 2

    VMware ESXi 5.5 without patch ESXi550-201409101-SG


3. Problem Description

   a. vCenter Server Apache Struts Update

      The Apache Struts library is updated to address a security issue.  

      This issue may lead to remote code execution after authentication.

      The Common Vulnerabilities and Exposures project (cve.mitre.org)
      has assigned the identifier CVE-2014-0114 to this issue.


      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is 
      available.

      VMware         ProductRunningReplace with/
      Product        Versionon      Apply Patch
      =============  ===============================
      vCenter Server 5.5       any         5.5 Update 2
      vCenter Server 5.1       any         Patch Pending
      vCenter Server 5.0       any         Patch Pending

   b. vCenter Server tc-server 2.9.5 / Apache Tomcat 7.0.52 updates

      tc-server has been updated to version 2.9.5 to address multiple 
      security issues. This version of tc-server includes Apache Tomcat 
      7.0.52.

      The Common Vulnerabilities and Exposures project (cve.mitre.org)
      has assigned the identifiers CVE-2013-4590, CVE-2013-4322, and 
      CVE-2014-0050 to these issues. 

      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is 
      available.

      VMware                 ProductRunning    Replace with/
      Product                Versionon     Apply Patch
      =============          ==============    =================
      vCenter Server         5.5     any        5.5 Update 2
      vCenter Server         5.1     any        Patch Pending
      vCenter Server         5.0     any        Patch Pending
 
   c. Update to ESXi glibc package

      glibc is updated to address multiple security issues.

      The Common Vulnerabilities and Exposures project (cve.mitre.org)
      has assigned the identifiers CVE-2013-0242 and CVE-2013-1914 to 
      these issues. 

      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is 
      available.

      VMware         ProductRunning  Replace with/
      Product        Versionon   Apply Patch
      =============  ==============  =================
      ESXi           5.5       any      ESXi550-201409101-SG
      ESXi           5.1       any      Patch Pending
      ESXi           5.0       any      Patch Pending

d. vCenter and Update Manager, Oracle JRE 1.7 Update 55

      Oracle has documented the CVE identifiers that are addressed in 
      JRE 1.7.0 update 55 in the Oracle Java SE Critical Patch Update 
      Advisory of April 2014. The References section provides a link to
      this advisory.

      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is 
      available.

      VMware                 ProductRunning  Replace with/
      Product                Versionon       Apply Patch
      =============          ==============  =================
      vCenter Server         5.5     any      5.5 Update 2
      vCenter Server         5.1     any      not applicable *
      vCenter Server         5.0     any      not applicable *
      vCenter Update Manager 5.5     any      5.5 Update 2
      vCenter Update Manager 5.1     any      not applicable *
      vCenter Update Manager 5.0     any      not applicable *
 
      * this product uses the Oracle JRE 1.6.0 family *

4. Solution

   Please review the patch/release notes for your product and version 
   and verify the checksum of your downloaded file. 

 
   vCenter Server and Update Manager 5.5u2
   ---------------------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/download-vsphere

   ESXi 5.5
   --------
   Download:
   https://www.vmware.com/patchmgr/findPatch.portal
   
5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0114
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4590
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4322
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0050
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0242
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1914

   JRE
   ---
   Oracle Java SE Critical Patch Update Advisory of April 2014
  
http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html


- ------------------------------------------------------------------------

6. Change log

   2014-09-09 VMSA-2014-0008
   Initial security advisory in conjunction with the release of vSphere
   5.5 Update 2 on 2014-09-09.

- ------------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

    security-announce at lists.vmware.com
    bugtraq at securityfocus.com
    fulldisclosure at seclists.org

   E-mail: security at vmware.com
   PGP key at: http://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html
 
   Twitter
   https://twitter.com/VMwareSRC

   Copyright 2014 VMware Inc.  All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.3.0 (Build 8741)
Charset: utf-8

wj8DBQFUD2LADEcm8Vbi9kMRAp0lAKCCB15Aa21ThBMqWRJTeYEweSVrdQCaAsNC
he8AihUDo3UB9amCBiImxq0=
=W0+t
-----END PGP SIGNATURE-----

NEW VMSA-2014-0008 VMware vSphere product updates to third party libraries

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID: VMSA-2014-0008
Synopsis:    VMware vSphere product updates to third party libraries
Issue date:  2014-09-09
Updated on:  2014-09-09 (Initial Advisory)
CVE numbers:  --- Struts ---
             CVE-2014-0114
             --- tc-server ---
              CVE-2013-4590, CVE-2013-4322, and CVE-2014-0050
             --- glibc ---
             CVE-2013-0242 and CVE-2013-1914
             --- JRE ---
             See references
- ------------------------------------------------------------------------

1. Summary

    VMware has updated vSphere third party libraries

2. Relevant releases

 
    VMware vCenter Server 5.5 prior to Update 2

    VMware vCenter Update Manager 5.5 prior to Update 2

    VMware ESXi 5.5 without patch ESXi550-201409101-SG


3. Problem Description

   a. vCenter Server Apache Struts Update

      The Apache Struts library is updated to address a security issue.  

      This issue may lead to remote code execution after authentication.

      The Common Vulnerabilities and Exposures project (cve.mitre.org)
      has assigned the identifier CVE-2014-0114 to this issue.


      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is 
      available.

      VMware         ProductRunningReplace with/
      Product        Versionon      Apply Patch
      =============  ===============================
      vCenter Server 5.5       any         5.5 Update 2
      vCenter Server 5.1       any         Patch Pending
      vCenter Server 5.0       any         Patch Pending

   b. vCenter Server tc-server 2.9.5 / Apache Tomcat 7.0.52 updates

      tc-server has been updated to version 2.9.5 to address multiple 
      security issues. This version of tc-server includes Apache Tomcat 
      7.0.52.

      The Common Vulnerabilities and Exposures project (cve.mitre.org)
      has assigned the identifiers CVE-2013-4590, CVE-2013-4322, and 
      CVE-2014-0050 to these issues. 

      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is 
      available.

      VMware                 ProductRunning    Replace with/
      Product                Versionon     Apply Patch
      =============          ==============    =================
      vCenter Server         5.5     any        5.5 Update 2
      vCenter Server         5.1     any        Patch Pending
      vCenter Server         5.0     any        Patch Pending
 
   c. Update to ESXi glibc package

      glibc is updated to address multiple security issues.

      The Common Vulnerabilities and Exposures project (cve.mitre.org)
      has assigned the identifiers CVE-2013-0242 and CVE-2013-1914 to 
      these issues. 

      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is 
      available.

      VMware         ProductRunning  Replace with/
      Product        Versionon   Apply Patch
      =============  ==============  =================
      ESXi           5.5       any      ESXi550-201409101-SG
      ESXi           5.1       any      Patch Pending
      ESXi           5.0       any      Patch Pending

d. vCenter and Update Manager, Oracle JRE 1.7 Update 55

      Oracle has documented the CVE identifiers that are addressed in 
      JRE 1.7.0 update 55 in the Oracle Java SE Critical Patch Update 
      Advisory of April 2014. The References section provides a link to
      this advisory.

      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is 
      available.

      VMware                 ProductRunning  Replace with/
      Product                Versionon       Apply Patch
      =============          ==============  =================
      vCenter Server         5.5     any      5.5 Update 2
      vCenter Server         5.1     any      not applicable *
      vCenter Server         5.0     any      not applicable *
      vCenter Update Manager 5.5     any      5.5 Update 2
      vCenter Update Manager 5.1     any      not applicable *
      vCenter Update Manager 5.0     any      not applicable *
 
      * this product uses the Oracle JRE 1.6.0 family *

4. Solution

   Please review the patch/release notes for your product and version 
   and verify the checksum of your downloaded file. 

 
   vCenter Server and Update Manager 5.5u2
   ---------------------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/download-vsphere

   ESXi 5.5
   --------
   Download:
   https://www.vmware.com/patchmgr/findPatch.portal
   
5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0114
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4590
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4322
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0050
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0242
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1914

   JRE
   ---
   Oracle Java SE Critical Patch Update Advisory of April 2014
  
http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html


- ------------------------------------------------------------------------

6. Change log

   2014-09-09 VMSA-2014-0008
   Initial security advisory in conjunction with the release of vSphere
   5.5 Update 2 on 2014-09-09.

- ------------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

    security-announce at lists.vmware.com
    bugtraq at securityfocus.com
    fulldisclosure at seclists.org

   E-mail: security at vmware.com
   PGP key at: http://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html
 
   Twitter
   https://twitter.com/VMwareSRC

   Copyright 2014 VMware Inc.  All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.3.0 (Build 8741)
Charset: utf-8

wj8DBQFUD2LADEcm8Vbi9kMRAp0lAKCCB15Aa21ThBMqWRJTeYEweSVrdQCaAsNC
he8AihUDo3UB9amCBiImxq0=
=W0+t
-----END PGP SIGNATURE-----

UPDATED : VMSA-2014-0006.9 VMware product updates address OpenSSL security vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -----------------------------------------------------------------------
VMware Security Advisory

Advisory ID: VMSA-2014-0006.9
Synopsis:    VMware product updates address OpenSSL 
             security vulnerabilities
Issue date:  2014-06-10
Updated on:  2014-07-22
CVE numbers: CVE-2014-0224, CVE-2014-0198, CVE-2010-5298, and 
             CVE-2014-3470
- -----------------------------------------------------------------------

1. Summary

   VMware product updates address OpenSSL security vulnerabilities.

2. Relevant Releases

   Big Data Extensions prior to 2.0.0

   ESXi 5.5 without patch ESXi550-201406401-SG
   ESXi 5.1 without patch ESXi510-201406401-SG
   ESXi 5.0 without patch ESXi500-201407401-SG

   Workstation 10.x prior to 10.0.3 
   Workstation 9.x prior to 9.0.4 

   Player 6.x prior to 6.0.3
   Player 5.x prior to 5.0.4

   Fusion 6.x prior to 6.0.4
   Fusion 5.x prior to 5.0.5

   Horizon Mirage Edge Gateway prior to 4.4.3

   Horizon View prior to 5.3.2
   Horizon View 5.3 Feature Pack X prior to Feature Pack 3

   Horizon Workspace Server 1.5.x without patch horizon-nginx-rpm-
                                                1.5.0.0-1876270.
                                                x86_64.rpm

   Horizon Workspace Server 1.8.x without patch horizon-nginx-rpm-
                                                1.8.2.1820-1876338.
                                                x86_64.rpm

   Horizon View Clients prior to 3.0
      
   vCD 5.5.x prior to 5.5.1.2
   vCD 5.1.x prior to 5.1.3.1

   vCenter prior to 5.5u1b
   vCenter prior to 5.1 U2a
   vCenter prior to 5.0U3a

   vCenter Support Assistant prior to 5.5.1.1

   vCloud Automation Center prior to 6.0.1.2 

   vCenter Configuration Manager prior to 5.7.2

   vCenter Converter Standalone prior to 5.5.2
   Converter Standalone prior to 5.1.1

   vCenter Operations Manager prior to 5.8.2
   vCenter Operations Manager prior to 5.7.3 

   vCenter Chargeback Manager 2.6 prior to 2.6.0.1

   vCloud Networking and Security prior to 5.5.2.1
   vCloud Networking and Security prior to 5.1.4.1

   vSphere PowerCLI 5.x

   vCSA prior to 5.5u1b
   vCSA prior to 5.1u2a
   vCSA prior to 5.0u3a

   OVF Tool prior to 5.3.2

   Update Manager prior to 5.5u1b

   VDDK prior to 5.5.2
   VDDK prior to 5.1.3
   VDDK prior to 5.0.4

   NSX for Multi-Hypervisor 4.1.x prior to 4.1.3
   NSX for Multi-Hypervisor 4.0.x prior to 4.0.4
   NVP 3.0.x prior to 3.2.3
   NSX 6.0.x for vSphere prior to 6.0.5

   vFabric Web Server 5.x        
   Pivotal Web Server prior to 5.4.1 
 
   vCenter Site Recovery Manager prior to 5.5.1.1
   vCenter Site Recovery Manager  prior to 5.1.2.1
   vCenter Site Recovery Manager  prior to 5.0.3.2

   vSphere Replication prior to 5.5.1.1

3. Problem Description

   a. OpenSSL update for multiple products.

      OpenSSL libraries have been updated in multiple products to
      versions 0.9.8za and 1.0.1h in order to resolve multiple security
      issues.
 
      The Common Vulnerabilities and Exposures project (cve.mitre.org)
      has assigned the names CVE-2014-0224, CVE-2014-0198,
      CVE-2010-5298, CVE-2014-3470, CVE-2014-0221 and CVE-2014-0195 to
      these issues. The most important of these issues is
      CVE-2014-0224.

      CVE-2014-0198, CVE-2010-5298 and CVE-2014-3470 are considered to
      be of moderate severity. Exploitation is highly unlikely or is
      mitigated due to the application configuration.

      CVE-2014-0221 and CVE-2014-0195, which are listed in the OpenSSL 
      Security Advisory (see Reference section below), do not affect
      any VMware products.     

      CVE-2014-0224 may lead to a Man-in-the-Middle attack if a server
      is running a vulnerable version of OpenSSL 1.0.1 and clients are
      running a vulnerable version of OpenSSL 0.9.8 or 1.0.1. Updating
      the server will mitigate this issue for both the server and all
      affected clients.

      CVE-2014-0224 may affect products differently depending on
      whether the product is acting as a client or a server and of
      which version of OpenSSL the product is using. For readability
      the affected products have been split into 3 tables below, 
      based on the different client-server configurations and
      deployment scenarios.

      MITIGATIONS

      Clients that communicate with a patched or non-vulnerable server
      are not vulnerable to CVE-2014-0224. Applying these patches to 
      affected servers will mitigate the affected clients (See Table 1
      below).

      Clients that communicate over untrusted networks such as public
      Wi-Fi and communicate to a server running a vulnerable version of 
      OpenSSL 1.0.1. can be mitigated by using a secure network such as 
      VPN (see Table 2 below).
      
      Clients and servers that are deployed on an isolated network are
      less exposed to CVE-2014-0224 (see Table 3 below). The affected
      products are typically deployed to communicate over the
      management network. 

      RECOMMENDATIONS

      VMware recommends customers evaluate and deploy patches for
      affected Servers in Table 1 below as these patches become
      available. Patching these servers will remove the ability to
      exploit the vulnerability described in CVE-2014-0224 on both
      clients and servers. 

      VMware recommends customers consider 
      applying patches to products listed in Table 2 & 3 as required.

      Column 4 of the following tables lists the action required to
      remediate the vulnerability in each release, if a solution is
      available.

      Table 1
      =======
      Affected servers running a vulnerable version of OpenSSL 1.0.1. 

      VMware                          Product  Running  Replace with/
      Product                         Version  on       Apply Patch 
      ==============                  =======  =======  =============
      ESXi                            5.5      ESXi     ESXi550-
                                                        201406401-SG 

      Big Data Extensions             1.1               2.0.0 

      vCenter Chargeback Manager      2.6               2.6.0.1

      Horizon Workspace Server        1.5.x             horizon-nginx-
                                                        rpm-1.5.0.0-
                                                        1876270.
                                                        x86_64.rpm
      Horizon Workspace Server        1.8.x             horizon-nginx-
                                                        rpm-1.8.2.1820-
                                                        1876338.
                                                        x86_64.rpm 

      Horizon Mirage Edge Gateway     4.4.x             4.4.3 

      Horizon View                    5.x               5.3.2 

      Horizon View Feature Pack       5.x               5.3 FP3 

      NSX for Multi-Hypervisor        4.1.2             4.1.3 
      NSX for Multi-Hypervisor        4.0.3             4.0.4 
      NSX for vSphere                 6.0.4             6.0.5
      NVP                             3.2.2             3.2.3 
      
      vCloud Networking and Security  5.5.2             5.5.2.1 
      vCloud Networking and Security  5.1.4             5.1.4.1 

      Pivotal Web Server              5.4               5.4.1
      vFabric Web Server              5.x               Pivotal Web 
                                                        Server 5.4.1 

      Table 2
      ========
      Affected clients running a vulnerable version of OpenSSL 0.9.8 
      or 1.0.1 and communicating over an untrusted network. 

      VMware                          Product  Running  Replace with/
      Product                         Version  on       Apply Patch 
      ==============                  =======  =======  =============
      vCSA                            5.5               5.5u1b
      vCSA                            5.1               5.1u2a 
      vCSA                            5.0               5.0u3a

      ESXi                            5.1      ESXi     ESXi510-
                                                        201406401-SG
      ESXi                            5.0      ESXi     ESXi500-
                                                        201407401-SG

      Workstation                     10.x     any      10.0.3 
      Workstation                     9.x      any      9.0.4 
      Fusion                          6.x      OSX      6.0.4
      Fusion                          5.x      OSX      5.0.5 
      Player                          6.x      any      6.0.3 
      Player                          5.x      any      5.0.4

      vCenter Chargeback Manager      2.5.x             2.6.0.1 

      Horizon Workspace Client        1.x      OSX      1.8.2
      Horizon Workspace Client        1.x      Windows  1.8.2 

      Horizon View Client             2.x      Android  3.0
      Horizon View Client             2.x      iOS      3.0
      Horizon View Client             2.x      OSX      3.0
      Horizon View Client             2.x      Windows  3.0
      Horizon View Client             2.x      WinStore 3.0

      OVF Tool                        3.5.1             3.5.2 
      OVF Tool                        3.0.1             3.5.2 

      vCenter Operations Manager      5.8.x             5.8.2
      vCenter Operations Manager      5.7.x             5.7.3

      vCenter Support Assistant       5.5.1             5.5.1.1 
          
      vCD                             5.5.1.x           5.5.1.2
      vCD                             5.1.x             5.1.3.1 

      vCenter Site Recovery Manager   5.5.x             5.5.1.1  
      vCenter Site Recovery Manager   5.1.x             5.1.2.1
      vCenter Site Recovery Manager   5.0.3.x           5.0.3.2

      vSphere Client                  5.5       Windows 5.5u1b
      vSphere Client                  5.1       Windows 5.1u2a
      vSphere Client                  5.0       Windows 5.0u3a

      Table 3
      =======
      The following table lists all affected clients running a
      vulnerable version of OpenSSL 0.9.8 or 1.0.1 and communicating 
      over a trusted or isolated network.

      VMware                          Product  Running  Replace with/
      Product                         Version  on       Apply Patch 
      ==============                  =======  =======  =============
      vCenter Server                  5.5      any      5.5u1b
      vCenter Server                  5.1      any      5.1u2a
      vCenter Server                  5.0      any      5.0u3a

      Update Manager                  5.5      Windows  5.5u1b

      vCenter Configuration
      Manager (VCM)                   5.6               5.7.2

 
      ITBM Standard                   1.0.1             patch pending 
      ITBM Standard                   1.0               patch pending 

      Studio                          2.6.0.0           patch pending 
    
      Usage Meter                     3.3               patch pending 
     
      vCenter Converter Standalone    5.5               5.5.2
      vCenter Converter Standalone    5.1               5.1.1 
  
      vCloud Application Director     6.0.x             patch pending 
      vFabric Application Director    5.2.0             patch pending 
      vFabric Application Director    5.0.0             patch pending 

      vCloud Automation Center        6.0.x             6.0.1.2

      VIX API                         1.12              patch pending 
      
      vMA (Management Assistant)      5.1.0.1           patch pending     
  
      vSphere PowerCLI                5.x               See VMware 
                                                        KB 2082132 
     
      vSphere Data Protection         5.5.6             patch pending
      vSphere Data Protection         5.1.11            patch pending

      vSphere Replication             5.5.1             5.5.1.1 
      vSphere Replication             5.6               patch pending
 
      vSphere SDK for Perl            5.5               patch pending
 
      VDDK                            5.5.x             5.5.2
      VDDK                            5.1.x             5.1.3
      VDDK                            5.0.x             5.0.4 

   4. Solution

   Big Data Extensions 2.0.0
   ----------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/download-bde

   ESXi 5.5, 5.1 and 5.0
   ----------------------------
   Download:
   https://www.vmware.com/patchmgr/findPatch.portal

   Horizon Mirage Edge Gateway 4.4.3
   ---------------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/download-horizon-mirage

   vCD 5.5.1.2
   ----------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/download/vcloud-director

   vCenter Server 5.5u1b, 5.1u2a, 5.0u3a
   ------------------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/download-vsphere

   vCSA 5.5u1b, 5.1u2a and 5.0u3a
   ----------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/download-vsphere

   Update Manager 5.5u1b
   ----------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/download-vsphere

   VDDK 5.x
   ----------------------------
   Downloads and Documentation:
   https://www.vmware.com/support/developer/vddk

   vCenter Configuration Manager (VCM) 5
   ----------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/download_vcm

   vCenter Operations Manager 5.8 and 5.7.3
   ----------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/download-vsphere-ops-mgr

   OVF Tool 3.5.2 
   --------------
   Download: 
   https://www.vmware.com/support/developer/ovf/

   vCenter Converter Standalone 5.5.2
   -----------------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/download-converter

   Horizon View 5
   ----------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/downloadview

   Horizon View 5.3 Feature Pack 3
   -----------------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/downloadview

   Horizon Workspace Server 1.5 and 1.8.x
   ----------------------------
   Release Notes and download: 
   http://kb.vmware.com/kb/2082181

   Workstation
   ---------------------- 
   https://www.vmware.com/go/downloadworkstation

   Fusion 
   ------------------ 
   https://www.vmware.com/go/downloadfusion

   VMware Player  
   ------------------ 
   https://www.vmware.com/go/downloadplayer 

   vCenter Server 5.1 Update 2a 
   ---------------------------------------------------- 
   Download link: 
  
https://my.vmware.com/web/vmware/info/slug/datacenter_cloud_infrastructure/
vmware_vsphere/5_1 

   vCenter Server 5.0 Update 3a 
   ---------------------------------------------------- 
   Download link: 
  
https://my.vmware.com/web/vmware/info/slug/datacenter_cloud_infrastructure/
vmware_vsphere/5_0 

   vCloud Networking and Security 5.5.2.1
   ------------------------------------
   Download
  
https://my.vmware.com/web/vmware/details?downloadGroup=VCNS552_GA&productId
=353&rPId=5255

   vCloud Networking and Security 5.1.4.1
   ------------------------------------
   Download:
  
https://my.vmware.com/web/vmware/details?downloadGroup=VCNS514_GA&productId
=285&rPId=5131

   NSX for Multi-Hypervisor, NSX for vSphere and NVP
   -------------------------------------------------
   Remediation Instructions and Download, available under support:
   http://www.vmware.com/products/nsx

   vCD 5.5.1.2 and vCD 5.1.3.1
   ---------------------------
   Download link: 
   https://www.vmware.com/go/download-vcd-ns

   VMware vCenter Chargeback Manager 
   ---------------------------------
   Download link: 
   https://www.vmware.com/go/download-chargeback

   Converter Standalone 5.1.1
   ---------------------------
   Download link: 
   https://www.vmware.com/go/download-converter

   vCenter Support Assistant
   --------------------------
   Downloads:
   https://www.vmware.com/go/download-vsphere

   Pivotal Web Server 5.4.1
   ------------------------
  
https://my.vmware.com/web/vmware/details?downloadGroup=VF_530_PVTL_WSVR_541
&productId=335&rPId=6214

   vCloud Automation Center
   --------------------------
   Downloads:
   https://www.vmware.com/go/download-vcac

   vCenter Site Recovery Manager 5.5.1.1 
   -------------------------------------
   Remediation Instructions and Download:
   http://kb.vmware.com/kb/2081861

   vCenter Site Recovery Manager 5.1.2.1 
   -------------------------------------
   Remediation Instructions and Download:
   http://kb.vmware.com/kb/2081860

   vCenter Site Recovery Manager 5.0.3.2 
   -------------------------------------
   Remediation Instructions and Download:
   http://kb.vmware.com/kb/2081859

   vSphere Replication 5.5.1.1
   ---------------------------
   Remediation Instructions and Download:
   http://kb.vmware.com/kb/2082666

5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0198
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-5298
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3470
   
   https://www.openssl.org/news/secadv_20140605.txt
   http://www.gopivotal.com/security/cve-2014-0224

   VMware Knowledge Base Article 2082132
   http://kb.vmware.com/kb/2082132

- -----------------------------------------------------------------------

6. Change Log

   2014-06-10 VMSA-2014-0006
   Initial security advisory in conjunction with the release of
   ESXi 5.5 updates on 2014-06-10

   2014-06-12 VMSA-2014-0006.1
   Updated security advisory in conjunction with the release of
   Big Data Extensions 2.0.0, Horizon Mirage Edge Gateway 4.4.3, 
   vCD 5.5.1.2, vCenter Server 5.5u1b, vCSA 5.5u1b, and Update
   Manager 5.5u1b on 2014-06-12

   2014-06-17 VMSA-2014-0006.2
   Updated security advisory in conjunction with the release of
   ESXi 5.1 updates, VDDK 5.5.2, 5.1.3, and 5.0.4 on 2014-06-17

   2014-06-24 VMSA-2014-0006.3
   Updated security advisory in conjunction with the release of
   Horizon View 5.3.2, Horizon View 5.3 Feature Pack 3, 
   vCenter Configuration Manager 5.7.2, vCenter 
   Converter Standalone 5.5.2, vCenter Operations 
   Manager 5.8.2, OVF Tool 5.3.2 on 2014-06-24

   2014-07-01 VMSA-2014-0006.4
   Updated security advisory in conjunction with the release of
   ESX 5.0 patches, Workstation 10.0.3, Player 6.0.3, Fusion 6.0.4,
   Horizon Workspace Server 1.5.x and 1.8.x updates, vCD 
   5.1.3.1, vCenter Server 5.1 update 2a and 5.0 update 3a, 
   vCSA 5.1 update 2a and 5.0 update 3a, Converter Standalone 5.1.1,
   vCenter Chargeback Manager 2.6.0.1, 
   vCloud Networking and Security 5.5.2.1 and 5.1.4.1, 
   NSX for Multi-Hypervisor 4.1.3, 
   NSX for Multi-Hypervisor 4.0.4, NVP 3.2.3 and
   NSX 6.0.5 for vSphere on 2014-07-01

   2014-07-03 VMSA-2014-0006.5
   Updated security advisory in conjunction with the release of
   Workstation 9.0.4, Player 5.0.4, Fusion 5.0.5, vCenter Support 
   Assistant 5.5.1.1, on 2014-07-03

   2014-07-08 VMSA-2014-0006.6
   Updated security advisory in conjunction with the release of 
   vSphere PowerCLI 5.x on 2014-07-04 and Pivotal Web Server 5.4.1 
   on 2014-07-08

   2014-07-10 VMSA-2014-0006.7
   Updated security advisory in conjunction with the release of 
   vCloud Automation Center 6.0.1.2 and vCenter Operations Manager
   5.7.3 on 2014-07-10

   2014-07-18 VMSA-2014-0006.8
   Updated security advisory in conjunction with the release of 
   patches for vCenter Site Recovery Manager 5.5.1.1 and 
   vSphere Replication 5.5.1.1 on 2014-07-17


   2014-07-22 VMSA-2014-0006.8
   Updated security advisory in conjunction with the release of 
   patches for vCenter Site Recovery Manager 5.1.2.1 and 5.0.3.2 
   on 2014-07-22
- -----------------------------------------------------------------------
 
7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

    security-announce at lists.vmware.com
    bugtraq at securityfocus.com
    fulldisclosure at seclists.org

   E-mail: security at vmware.com
   PGP key at: http://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html
 
   Twitter
   https://twitter.com/VMwareSRC

   Copyright 2014 VMware Inc.  All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.3.0 (Build 8741)
Charset: utf-8

wj8DBQFTzpZcDEcm8Vbi9kMRAga+AKCzEY/Ut+tN3qGTilKf5KslUPO6aQCfXuRp
/7HxhovpiO8xURBCf/uu8EI=
=YjIJ
-----END PGP SIGNATURE-----

UPDATED : VMSA-2014-0006.9 VMware product updates address OpenSSL security vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -----------------------------------------------------------------------
VMware Security Advisory

Advisory ID: VMSA-2014-0006.9
Synopsis:    VMware product updates address OpenSSL 
             security vulnerabilities
Issue date:  2014-06-10
Updated on:  2014-07-22
CVE numbers: CVE-2014-0224, CVE-2014-0198, CVE-2010-5298, and 
             CVE-2014-3470
- -----------------------------------------------------------------------

1. Summary

   VMware product updates address OpenSSL security vulnerabilities.

2. Relevant Releases

   Big Data Extensions prior to 2.0.0

   ESXi 5.5 without patch ESXi550-201406401-SG
   ESXi 5.1 without patch ESXi510-201406401-SG
   ESXi 5.0 without patch ESXi500-201407401-SG

   Workstation 10.x prior to 10.0.3 
   Workstation 9.x prior to 9.0.4 

   Player 6.x prior to 6.0.3
   Player 5.x prior to 5.0.4

   Fusion 6.x prior to 6.0.4
   Fusion 5.x prior to 5.0.5

   Horizon Mirage Edge Gateway prior to 4.4.3

   Horizon View prior to 5.3.2
   Horizon View 5.3 Feature Pack X prior to Feature Pack 3

   Horizon Workspace Server 1.5.x without patch horizon-nginx-rpm-
                                                1.5.0.0-1876270.
                                                x86_64.rpm

   Horizon Workspace Server 1.8.x without patch horizon-nginx-rpm-
                                                1.8.2.1820-1876338.
                                                x86_64.rpm

   Horizon View Clients prior to 3.0
      
   vCD 5.5.x prior to 5.5.1.2
   vCD 5.1.x prior to 5.1.3.1

   vCenter prior to 5.5u1b
   vCenter prior to 5.1 U2a
   vCenter prior to 5.0U3a

   vCenter Support Assistant prior to 5.5.1.1

   vCloud Automation Center prior to 6.0.1.2 

   vCenter Configuration Manager prior to 5.7.2

   vCenter Converter Standalone prior to 5.5.2
   Converter Standalone prior to 5.1.1

   vCenter Operations Manager prior to 5.8.2
   vCenter Operations Manager prior to 5.7.3 

   vCenter Chargeback Manager 2.6 prior to 2.6.0.1

   vCloud Networking and Security prior to 5.5.2.1
   vCloud Networking and Security prior to 5.1.4.1

   vSphere PowerCLI 5.x

   vCSA prior to 5.5u1b
   vCSA prior to 5.1u2a
   vCSA prior to 5.0u3a

   OVF Tool prior to 5.3.2

   Update Manager prior to 5.5u1b

   VDDK prior to 5.5.2
   VDDK prior to 5.1.3
   VDDK prior to 5.0.4

   NSX for Multi-Hypervisor 4.1.x prior to 4.1.3
   NSX for Multi-Hypervisor 4.0.x prior to 4.0.4
   NVP 3.0.x prior to 3.2.3
   NSX 6.0.x for vSphere prior to 6.0.5

   vFabric Web Server 5.x        
   Pivotal Web Server prior to 5.4.1 
 
   vCenter Site Recovery Manager prior to 5.5.1.1
   vCenter Site Recovery Manager  prior to 5.1.2.1
   vCenter Site Recovery Manager  prior to 5.0.3.2

   vSphere Replication prior to 5.5.1.1

3. Problem Description

   a. OpenSSL update for multiple products.

      OpenSSL libraries have been updated in multiple products to
      versions 0.9.8za and 1.0.1h in order to resolve multiple security
      issues.
 
      The Common Vulnerabilities and Exposures project (cve.mitre.org)
      has assigned the names CVE-2014-0224, CVE-2014-0198,
      CVE-2010-5298, CVE-2014-3470, CVE-2014-0221 and CVE-2014-0195 to
      these issues. The most important of these issues is
      CVE-2014-0224.

      CVE-2014-0198, CVE-2010-5298 and CVE-2014-3470 are considered to
      be of moderate severity. Exploitation is highly unlikely or is
      mitigated due to the application configuration.

      CVE-2014-0221 and CVE-2014-0195, which are listed in the OpenSSL 
      Security Advisory (see Reference section below), do not affect
      any VMware products.     

      CVE-2014-0224 may lead to a Man-in-the-Middle attack if a server
      is running a vulnerable version of OpenSSL 1.0.1 and clients are
      running a vulnerable version of OpenSSL 0.9.8 or 1.0.1. Updating
      the server will mitigate this issue for both the server and all
      affected clients.

      CVE-2014-0224 may affect products differently depending on
      whether the product is acting as a client or a server and of
      which version of OpenSSL the product is using. For readability
      the affected products have been split into 3 tables below, 
      based on the different client-server configurations and
      deployment scenarios.

      MITIGATIONS

      Clients that communicate with a patched or non-vulnerable server
      are not vulnerable to CVE-2014-0224. Applying these patches to 
      affected servers will mitigate the affected clients (See Table 1
      below).

      Clients that communicate over untrusted networks such as public
      Wi-Fi and communicate to a server running a vulnerable version of 
      OpenSSL 1.0.1. can be mitigated by using a secure network such as 
      VPN (see Table 2 below).
      
      Clients and servers that are deployed on an isolated network are
      less exposed to CVE-2014-0224 (see Table 3 below). The affected
      products are typically deployed to communicate over the
      management network. 

      RECOMMENDATIONS

      VMware recommends customers evaluate and deploy patches for
      affected Servers in Table 1 below as these patches become
      available. Patching these servers will remove the ability to
      exploit the vulnerability described in CVE-2014-0224 on both
      clients and servers. 

      VMware recommends customers consider 
      applying patches to products listed in Table 2 & 3 as required.

      Column 4 of the following tables lists the action required to
      remediate the vulnerability in each release, if a solution is
      available.

      Table 1
      =======
      Affected servers running a vulnerable version of OpenSSL 1.0.1. 

      VMware                          Product  Running  Replace with/
      Product                         Version  on       Apply Patch 
      ==============                  =======  =======  =============
      ESXi                            5.5      ESXi     ESXi550-
                                                        201406401-SG 

      Big Data Extensions             1.1               2.0.0 

      vCenter Chargeback Manager      2.6               2.6.0.1

      Horizon Workspace Server        1.5.x             horizon-nginx-
                                                        rpm-1.5.0.0-
                                                        1876270.
                                                        x86_64.rpm
      Horizon Workspace Server        1.8.x             horizon-nginx-
                                                        rpm-1.8.2.1820-
                                                        1876338.
                                                        x86_64.rpm 

      Horizon Mirage Edge Gateway     4.4.x             4.4.3 

      Horizon View                    5.x               5.3.2 

      Horizon View Feature Pack       5.x               5.3 FP3 

      NSX for Multi-Hypervisor        4.1.2             4.1.3 
      NSX for Multi-Hypervisor        4.0.3             4.0.4 
      NSX for vSphere                 6.0.4             6.0.5
      NVP                             3.2.2             3.2.3 
      
      vCloud Networking and Security  5.5.2             5.5.2.1 
      vCloud Networking and Security  5.1.4             5.1.4.1 

      Pivotal Web Server              5.4               5.4.1
      vFabric Web Server              5.x               Pivotal Web 
                                                        Server 5.4.1 

      Table 2
      ========
      Affected clients running a vulnerable version of OpenSSL 0.9.8 
      or 1.0.1 and communicating over an untrusted network. 

      VMware                          Product  Running  Replace with/
      Product                         Version  on       Apply Patch 
      ==============                  =======  =======  =============
      vCSA                            5.5               5.5u1b
      vCSA                            5.1               5.1u2a 
      vCSA                            5.0               5.0u3a

      ESXi                            5.1      ESXi     ESXi510-
                                                        201406401-SG
      ESXi                            5.0      ESXi     ESXi500-
                                                        201407401-SG

      Workstation                     10.x     any      10.0.3 
      Workstation                     9.x      any      9.0.4 
      Fusion                          6.x      OSX      6.0.4
      Fusion                          5.x      OSX      5.0.5 
      Player                          6.x      any      6.0.3 
      Player                          5.x      any      5.0.4

      vCenter Chargeback Manager      2.5.x             2.6.0.1 

      Horizon Workspace Client        1.x      OSX      1.8.2
      Horizon Workspace Client        1.x      Windows  1.8.2 

      Horizon View Client             2.x      Android  3.0
      Horizon View Client             2.x      iOS      3.0
      Horizon View Client             2.x      OSX      3.0
      Horizon View Client             2.x      Windows  3.0
      Horizon View Client             2.x      WinStore 3.0

      OVF Tool                        3.5.1             3.5.2 
      OVF Tool                        3.0.1             3.5.2 

      vCenter Operations Manager      5.8.x             5.8.2
      vCenter Operations Manager      5.7.x             5.7.3

      vCenter Support Assistant       5.5.1             5.5.1.1 
          
      vCD                             5.5.1.x           5.5.1.2
      vCD                             5.1.x             5.1.3.1 

      vCenter Site Recovery Manager   5.5.x             5.5.1.1  
      vCenter Site Recovery Manager   5.1.x             5.1.2.1
      vCenter Site Recovery Manager   5.0.3.x           5.0.3.2

      vSphere Client                  5.5       Windows 5.5u1b
      vSphere Client                  5.1       Windows 5.1u2a
      vSphere Client                  5.0       Windows 5.0u3a

      Table 3
      =======
      The following table lists all affected clients running a
      vulnerable version of OpenSSL 0.9.8 or 1.0.1 and communicating 
      over a trusted or isolated network.

      VMware                          Product  Running  Replace with/
      Product                         Version  on       Apply Patch 
      ==============                  =======  =======  =============
      vCenter Server                  5.5      any      5.5u1b
      vCenter Server                  5.1      any      5.1u2a
      vCenter Server                  5.0      any      5.0u3a

      Update Manager                  5.5      Windows  5.5u1b

      vCenter Configuration
      Manager (VCM)                   5.6               5.7.2

 
      ITBM Standard                   1.0.1             patch pending 
      ITBM Standard                   1.0               patch pending 

      Studio                          2.6.0.0           patch pending 
    
      Usage Meter                     3.3               patch pending 
     
      vCenter Converter Standalone    5.5               5.5.2
      vCenter Converter Standalone    5.1               5.1.1 
  
      vCloud Application Director     6.0.x             patch pending 
      vFabric Application Director    5.2.0             patch pending 
      vFabric Application Director    5.0.0             patch pending 

      vCloud Automation Center        6.0.x             6.0.1.2

      VIX API                         1.12              patch pending 
      
      vMA (Management Assistant)      5.1.0.1           patch pending     
  
      vSphere PowerCLI                5.x               See VMware 
                                                        KB 2082132 
     
      vSphere Data Protection         5.5.6             patch pending
      vSphere Data Protection         5.1.11            patch pending

      vSphere Replication             5.5.1             5.5.1.1 
      vSphere Replication             5.6               patch pending
 
      vSphere SDK for Perl            5.5               patch pending
 
      VDDK                            5.5.x             5.5.2
      VDDK                            5.1.x             5.1.3
      VDDK                            5.0.x             5.0.4 

   4. Solution

   Big Data Extensions 2.0.0
   ----------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/download-bde

   ESXi 5.5, 5.1 and 5.0
   ----------------------------
   Download:
   https://www.vmware.com/patchmgr/findPatch.portal

   Horizon Mirage Edge Gateway 4.4.3
   ---------------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/download-horizon-mirage

   vCD 5.5.1.2
   ----------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/download/vcloud-director

   vCenter Server 5.5u1b, 5.1u2a, 5.0u3a
   ------------------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/download-vsphere

   vCSA 5.5u1b, 5.1u2a and 5.0u3a
   ----------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/download-vsphere

   Update Manager 5.5u1b
   ----------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/download-vsphere

   VDDK 5.x
   ----------------------------
   Downloads and Documentation:
   https://www.vmware.com/support/developer/vddk

   vCenter Configuration Manager (VCM) 5
   ----------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/download_vcm

   vCenter Operations Manager 5.8 and 5.7.3
   ----------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/download-vsphere-ops-mgr

   OVF Tool 3.5.2 
   --------------
   Download: 
   https://www.vmware.com/support/developer/ovf/

   vCenter Converter Standalone 5.5.2
   -----------------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/download-converter

   Horizon View 5
   ----------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/downloadview

   Horizon View 5.3 Feature Pack 3
   -----------------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/downloadview

   Horizon Workspace Server 1.5 and 1.8.x
   ----------------------------
   Release Notes and download: 
   http://kb.vmware.com/kb/2082181

   Workstation
   ---------------------- 
   https://www.vmware.com/go/downloadworkstation

   Fusion 
   ------------------ 
   https://www.vmware.com/go/downloadfusion

   VMware Player  
   ------------------ 
   https://www.vmware.com/go/downloadplayer 

   vCenter Server 5.1 Update 2a 
   ---------------------------------------------------- 
   Download link: 
  
https://my.vmware.com/web/vmware/info/slug/datacenter_cloud_infrastructure/
vmware_vsphere/5_1 

   vCenter Server 5.0 Update 3a 
   ---------------------------------------------------- 
   Download link: 
  
https://my.vmware.com/web/vmware/info/slug/datacenter_cloud_infrastructure/
vmware_vsphere/5_0 

   vCloud Networking and Security 5.5.2.1
   ------------------------------------
   Download
  
https://my.vmware.com/web/vmware/details?downloadGroup=VCNS552_GA&productId
=353&rPId=5255

   vCloud Networking and Security 5.1.4.1
   ------------------------------------
   Download:
  
https://my.vmware.com/web/vmware/details?downloadGroup=VCNS514_GA&productId
=285&rPId=5131

   NSX for Multi-Hypervisor, NSX for vSphere and NVP
   -------------------------------------------------
   Remediation Instructions and Download, available under support:
   http://www.vmware.com/products/nsx

   vCD 5.5.1.2 and vCD 5.1.3.1
   ---------------------------
   Download link: 
   https://www.vmware.com/go/download-vcd-ns

   VMware vCenter Chargeback Manager 
   ---------------------------------
   Download link: 
   https://www.vmware.com/go/download-chargeback

   Converter Standalone 5.1.1
   ---------------------------
   Download link: 
   https://www.vmware.com/go/download-converter

   vCenter Support Assistant
   --------------------------
   Downloads:
   https://www.vmware.com/go/download-vsphere

   Pivotal Web Server 5.4.1
   ------------------------
  
https://my.vmware.com/web/vmware/details?downloadGroup=VF_530_PVTL_WSVR_541
&productId=335&rPId=6214

   vCloud Automation Center
   --------------------------
   Downloads:
   https://www.vmware.com/go/download-vcac

   vCenter Site Recovery Manager 5.5.1.1 
   -------------------------------------
   Remediation Instructions and Download:
   http://kb.vmware.com/kb/2081861

   vCenter Site Recovery Manager 5.1.2.1 
   -------------------------------------
   Remediation Instructions and Download:
   http://kb.vmware.com/kb/2081860

   vCenter Site Recovery Manager 5.0.3.2 
   -------------------------------------
   Remediation Instructions and Download:
   http://kb.vmware.com/kb/2081859

   vSphere Replication 5.5.1.1
   ---------------------------
   Remediation Instructions and Download:
   http://kb.vmware.com/kb/2082666

5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0198
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-5298
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3470
   
   https://www.openssl.org/news/secadv_20140605.txt
   http://www.gopivotal.com/security/cve-2014-0224

   VMware Knowledge Base Article 2082132
   http://kb.vmware.com/kb/2082132

- -----------------------------------------------------------------------

6. Change Log

   2014-06-10 VMSA-2014-0006
   Initial security advisory in conjunction with the release of
   ESXi 5.5 updates on 2014-06-10

   2014-06-12 VMSA-2014-0006.1
   Updated security advisory in conjunction with the release of
   Big Data Extensions 2.0.0, Horizon Mirage Edge Gateway 4.4.3, 
   vCD 5.5.1.2, vCenter Server 5.5u1b, vCSA 5.5u1b, and Update
   Manager 5.5u1b on 2014-06-12

   2014-06-17 VMSA-2014-0006.2
   Updated security advisory in conjunction with the release of
   ESXi 5.1 updates, VDDK 5.5.2, 5.1.3, and 5.0.4 on 2014-06-17

   2014-06-24 VMSA-2014-0006.3
   Updated security advisory in conjunction with the release of
   Horizon View 5.3.2, Horizon View 5.3 Feature Pack 3, 
   vCenter Configuration Manager 5.7.2, vCenter 
   Converter Standalone 5.5.2, vCenter Operations 
   Manager 5.8.2, OVF Tool 5.3.2 on 2014-06-24

   2014-07-01 VMSA-2014-0006.4
   Updated security advisory in conjunction with the release of
   ESX 5.0 patches, Workstation 10.0.3, Player 6.0.3, Fusion 6.0.4,
   Horizon Workspace Server 1.5.x and 1.8.x updates, vCD 
   5.1.3.1, vCenter Server 5.1 update 2a and 5.0 update 3a, 
   vCSA 5.1 update 2a and 5.0 update 3a, Converter Standalone 5.1.1,
   vCenter Chargeback Manager 2.6.0.1, 
   vCloud Networking and Security 5.5.2.1 and 5.1.4.1, 
   NSX for Multi-Hypervisor 4.1.3, 
   NSX for Multi-Hypervisor 4.0.4, NVP 3.2.3 and
   NSX 6.0.5 for vSphere on 2014-07-01

   2014-07-03 VMSA-2014-0006.5
   Updated security advisory in conjunction with the release of
   Workstation 9.0.4, Player 5.0.4, Fusion 5.0.5, vCenter Support 
   Assistant 5.5.1.1, on 2014-07-03

   2014-07-08 VMSA-2014-0006.6
   Updated security advisory in conjunction with the release of 
   vSphere PowerCLI 5.x on 2014-07-04 and Pivotal Web Server 5.4.1 
   on 2014-07-08

   2014-07-10 VMSA-2014-0006.7
   Updated security advisory in conjunction with the release of 
   vCloud Automation Center 6.0.1.2 and vCenter Operations Manager
   5.7.3 on 2014-07-10

   2014-07-18 VMSA-2014-0006.8
   Updated security advisory in conjunction with the release of 
   patches for vCenter Site Recovery Manager 5.5.1.1 and 
   vSphere Replication 5.5.1.1 on 2014-07-17


   2014-07-22 VMSA-2014-0006.8
   Updated security advisory in conjunction with the release of 
   patches for vCenter Site Recovery Manager 5.1.2.1 and 5.0.3.2 
   on 2014-07-22
- -----------------------------------------------------------------------
 
7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

    security-announce at lists.vmware.com
    bugtraq at securityfocus.com
    fulldisclosure at seclists.org

   E-mail: security at vmware.com
   PGP key at: http://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html
 
   Twitter
   https://twitter.com/VMwareSRC

   Copyright 2014 VMware Inc.  All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.3.0 (Build 8741)
Charset: utf-8

wj8DBQFTzpZcDEcm8Vbi9kMRAga+AKCzEY/Ut+tN3qGTilKf5KslUPO6aQCfXuRp
/7HxhovpiO8xURBCf/uu8EI=
=YjIJ
-----END PGP SIGNATURE-----

UPDATED VMSA-2014-0007.1 – VMware product updates address security vulnerabilities in Apache Struts library

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID: VMSA-2014-0007.1
Synopsis:    VMware product updates address security vulnerabilities in
             Apache Struts library
Issue date:  2014-06-24
Updated on:  2014-07-11
CVE number:  CVE-2014-0050, CVE-2014-0094, CVE-2014-0112
- ------------------------------------------------------------------------

1. Summary

    VMware product updates address security vulnerabilities in Apache
    Struts library

2. Relevant releases

    VMware vCenter Operations Management Suite prior to 5.8.2
    VMware vCenter Operations Management Suite prior to 5.7.3

3. Problem Description

   a. The Apache Struts library is updated to version 2.3.16.2 to
      address multiple security issues.

      The Common Vulnerabilities and Exposures project (cve.mitre.org)
      has assigned the names CVE-2014-0050, CVE-2014-0094, and
      CVE-2014-0112 to these issues.

      CVE-2014-0112 may lead to remote code execution. This issue was
      found to be only partially addressed in CVE-2014-0094.

      CVE-2014-0050 may lead to a denial of service condition.

      vCenter Operations Management Suite (vCOps) is affected by both
      CVE-2014-0112 and CVE-2014-0050. Exploitation of CVE-2014-0112
      may lead to remote code execution without authentication.

      vCenter Orchestrator (vCO) is affected by CVE-2014-0050 and not
      by CVE-2014-0112.

      Workaround

      A workaround for CVE-2014-0112 is documented in VMware Knowledge Base
      article 2081470.


      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is
      available.

      VMware         Product               Running               Replace with/
      Product        Version  on           Apply Patch
      =============  =======   =======             =================
      vCOPS                  5.8.x any         vCOPS 5.8.2
      vCOPS          5.7.x      any     vCOPS 5.7.3

      vCO            5.5        any     patch pending
      vCO            5.1        any     patch pending
      vCO            4.2        any     patch pending

4. Solution

   Please review the patch/release notes for your product and version
   and verify the checksum of your downloaded file.

   vCenter Operations Management Suite 5.8.2 and 5.7.3
   ---------------------------------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/download-vcops

5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0050
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0094
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0112

   http://kb.vmware.com/kb/2081470

- ------------------------------------------------------------------------

6. Change log

   2014-06-24 VMSA-2014-0007
   Initial security advisory in conjunction with the release of vCenter
   Operations Management Suite 5.8.2 on 2014-06-24.

   2014-07-11 VMSA-2014-0007.1
   Updated security advisory in conjunction with the release of vCenter
   Operations Management Suite 5.7.3 on 2014-07-10.

- ------------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

    security-announce at lists.vmware.com
    bugtraq at securityfocus.com
    fulldisclosure at seclists.org

   E-mail: security at vmware.com
   PGP key at: http://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html

   Twitter
   https://twitter.com/VMwareSRC

   Copyright 2014 VMware Inc.  All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.3.2 (Build 15337)
Charset: utf-8

wj8DBQFTwA1hDEcm8Vbi9kMRAjniAKDI6G/93Kzr9rYuXIs6EiIvoz2e6gCg44sD
JkL4twZx7tZJ/vFjjkNikfs=
=nQJG
-----END PGP SIGNATURE-----
_______________________________________________
Security-announce mailing list
Security-announce-xEzmwC/hc7si8rCdYzckzA< at >public.gmane.org
http://lists.vmware.com/mailman/listinfo/security-announce

UPDATED VMSA-2014-0007.1 – VMware product updates address security vulnerabilities in Apache Struts library

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID: VMSA-2014-0007.1
Synopsis:    VMware product updates address security vulnerabilities in
             Apache Struts library
Issue date:  2014-06-24
Updated on:  2014-07-11
CVE number:  CVE-2014-0050, CVE-2014-0094, CVE-2014-0112
- ------------------------------------------------------------------------

1. Summary

    VMware product updates address security vulnerabilities in Apache
    Struts library

2. Relevant releases

    VMware vCenter Operations Management Suite prior to 5.8.2
    VMware vCenter Operations Management Suite prior to 5.7.3

3. Problem Description

   a. The Apache Struts library is updated to version 2.3.16.2 to
      address multiple security issues.

      The Common Vulnerabilities and Exposures project (cve.mitre.org)
      has assigned the names CVE-2014-0050, CVE-2014-0094, and
      CVE-2014-0112 to these issues.

      CVE-2014-0112 may lead to remote code execution. This issue was
      found to be only partially addressed in CVE-2014-0094.

      CVE-2014-0050 may lead to a denial of service condition.

      vCenter Operations Management Suite (vCOps) is affected by both
      CVE-2014-0112 and CVE-2014-0050. Exploitation of CVE-2014-0112
      may lead to remote code execution without authentication.

      vCenter Orchestrator (vCO) is affected by CVE-2014-0050 and not
      by CVE-2014-0112.

      Workaround

      A workaround for CVE-2014-0112 is documented in VMware Knowledge Base
      article 2081470.


      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is
      available.

      VMware         Product               Running               Replace with/
      Product        Version  on           Apply Patch
      =============  =======   =======             =================
      vCOPS                  5.8.x any         vCOPS 5.8.2
      vCOPS          5.7.x      any     vCOPS 5.7.3

      vCO            5.5        any     patch pending
      vCO            5.1        any     patch pending
      vCO            4.2        any     patch pending

4. Solution

   Please review the patch/release notes for your product and version
   and verify the checksum of your downloaded file.

   vCenter Operations Management Suite 5.8.2 and 5.7.3
   ---------------------------------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/download-vcops

5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0050
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0094
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0112

   http://kb.vmware.com/kb/2081470

- ------------------------------------------------------------------------

6. Change log

   2014-06-24 VMSA-2014-0007
   Initial security advisory in conjunction with the release of vCenter
   Operations Management Suite 5.8.2 on 2014-06-24.

   2014-07-11 VMSA-2014-0007.1
   Updated security advisory in conjunction with the release of vCenter
   Operations Management Suite 5.7.3 on 2014-07-10.

- ------------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

    security-announce at lists.vmware.com
    bugtraq at securityfocus.com
    fulldisclosure at seclists.org

   E-mail: security at vmware.com
   PGP key at: http://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html

   Twitter
   https://twitter.com/VMwareSRC

   Copyright 2014 VMware Inc.  All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.3.2 (Build 15337)
Charset: utf-8

wj8DBQFTwA1hDEcm8Vbi9kMRAjniAKDI6G/93Kzr9rYuXIs6EiIvoz2e6gCg44sD
JkL4twZx7tZJ/vFjjkNikfs=
=nQJG
-----END PGP SIGNATURE-----
_______________________________________________
Security-announce mailing list
Security-announce-xEzmwC/hc7si8rCdYzckzA< at >public.gmane.org
http://lists.vmware.com/mailman/listinfo/security-announce