-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ----------------------------------------------------------------------- VMware Security Advisory Advisory ID: VMSA-2014-0006.10 Synopsis: VMware product updates address OpenSSL security vulnerabilities Issue date: 2014-06-10 Updated on: 2014-09-09 CVE numbers: CVE-2014-0224, CVE-2014-0198, CVE-2010-5298, and CVE-2014-3470 - ----------------------------------------------------------------------- 1. Summary VMware product updates address OpenSSL security vulnerabilities. 2. Relevant Releases Big Data Extensions prior to 2.0.0 ESXi 5.5 without patch ESXi550-201406401-SG ESXi 5.1 without patch ESXi510-201406401-SG ESXi 5.0 without patch ESXi500-201407401-SG Workstation 10.x prior to 10.0.3 Workstation 9.x prior to 9.0.4 Player 6.x prior to 6.0.3 Player 5.x prior to 5.0.4 Fusion 6.x prior to 6.0.4 Fusion 5.x prior to 5.0.5 Horizon Mirage Edge Gateway prior to 4.4.3 Horizon View prior to 5.3.2 Horizon View 5.3 Feature Pack X prior to Feature Pack 3 Horizon Workspace Server 1.5.x without patch horizon-nginx-rpm- 1.5.0.0-1876270. x86_64.rpm Horizon Workspace Server 1.8.x without patch horizon-nginx-rpm- 1.8.2.1820-1876338. x86_64.rpm Horizon View Clients prior to 3.0 vCD 5.5.x prior to 5.5.1.2 vCD 5.1.x prior to 5.1.3.1 vCenter prior to 5.5u1b vCenter prior to 5.1 U2a vCenter prior to 5.0U3a vCenter Support Assistant prior to 5.5.1.1 vCloud Automation Center prior to 6.0.1.2 vCenter Configuration Manager prior to 5.7.2 vCenter Converter Standalone prior to 5.5.2 Converter Standalone prior to 5.1.1 Usage Manager prior to 3.3 vCenter Operations Manager prior to 5.8.2 vCenter Operations Manager prior to 5.7.3 vCenter Chargeback Manager 2.6 prior to 2.6.0.1 vCloud Networking and Security prior to 5.5.2.1 vCloud Networking and Security prior to 5.1.4.1 vSphere PowerCLI 5.x vCSA prior to 5.5u1b vCSA prior to 5.1u2a vCSA prior to 5.0u3a OVF Tool prior to 5.3.2 Update Manager prior to 5.5u1b ITBM Standard prior to 1.1 VDDK prior to 5.5.2 VDDK prior to 5.1.3 VDDK prior to 5.0.4 NSX for Multi-Hypervisor 4.1.x prior to 4.1.3 NSX for Multi-Hypervisor 4.0.x prior to 4.0.4 NVP 3.0.x prior to 3.2.3 NSX 6.0.x for vSphere prior to 6.0.5 vFabric Web Server 5.x Pivotal Web Server prior to 5.4.1 vCenter Site Recovery Manager prior to 5.5.1.1 vCenter Site Recovery Manager prior to 5.1.2.1 vCenter Site Recovery Manager prior to 5.0.3.2 vSphere Replication prior to 5.8 vSphere Replication prior to 5.5.1.1 vSphere SDK for Perl prior to 5.5 Update 2 3. Problem Description a. OpenSSL update for multiple products. OpenSSL libraries have been updated in multiple products to versions 0.9.8za and 1.0.1h in order to resolve multiple security issues. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2014-0224, CVE-2014-0198, CVE-2010-5298, CVE-2014-3470, CVE-2014-0221 and CVE-2014-0195 to these issues. The most important of these issues is CVE-2014-0224. CVE-2014-0198, CVE-2010-5298 and CVE-2014-3470 are considered to be of moderate severity. Exploitation is highly unlikely or is mitigated due to the application configuration. CVE-2014-0221 and CVE-2014-0195, which are listed in the OpenSSL Security Advisory (see Reference section below), do not affect any VMware products. CVE-2014-0224 may lead to a Man-in-the-Middle attack if a server is running a vulnerable version of OpenSSL 1.0.1 and clients are running a vulnerable version of OpenSSL 0.9.8 or 1.0.1. Updating the server will mitigate this issue for both the server and all affected clients. CVE-2014-0224 may affect products differently depending on whether the product is acting as a client or a server and of which version of OpenSSL the product is using. For readability the affected products have been split into 3 tables below, based on the different client-server configurations and deployment scenarios. MITIGATIONS Clients that communicate with a patched or non-vulnerable server are not vulnerable to CVE-2014-0224. Applying these patches to affected servers will mitigate the affected clients (See Table 1 below). Clients that communicate over untrusted networks such as public Wi-Fi and communicate to a server running a vulnerable version of OpenSSL 1.0.1. can be mitigated by using a secure network such as VPN (see Table 2 below). Clients and servers that are deployed on an isolated network are less exposed to CVE-2014-0224 (see Table 3 below). The affected products are typically deployed to communicate over the management network. RECOMMENDATIONS VMware recommends customers evaluate and deploy patches for affected Servers in Table 1 below as these patches become available. Patching these servers will remove the ability to exploit the vulnerability described in CVE-2014-0224 on both clients and servers. VMware recommends customers consider applying patches to products listed in Table 2 & 3 as required. Column 4 of the following tables lists the action required to remediate the vulnerability in each release, if a solution is available. Table 1 ======= Affected servers running a vulnerable version of OpenSSL 1.0.1. VMware Product Running Replace with/ Product Version on Apply Patch ============== ======= ======= ============= ESXi 5.5 ESXi ESXi550- 201406401-SG Big Data Extensions 1.1 2.0.0 vCenter Chargeback Manager 2.6 2.6.0.1 Horizon Workspace Server 1.5.x horizon-nginx- rpm-1.5.0.0- 1876270. x86_64.rpm Horizon Workspace Server 1.8.x horizon-nginx- rpm-1.8.2.1820- 1876338. x86_64.rpm Horizon Mirage Edge Gateway 4.4.x 4.4.3 Horizon View 5.x 5.3.2 Horizon View Feature Pack 5.x 5.3 FP3 NSX for Multi-Hypervisor 4.1.2 4.1.3 NSX for Multi-Hypervisor 4.0.3 4.0.4 NSX for vSphere 6.0.4 6.0.5 NVP 3.2.2 3.2.3 vCloud Networking and Security 5.5.2 5.5.2.1 vCloud Networking and Security 5.1.4 5.1.4.1 Pivotal Web Server 5.4 5.4.1 vFabric Web Server 5.x Pivotal Web Server 5.4.1 Table 2 ======== Affected clients running a vulnerable version of OpenSSL 0.9.8 or 1.0.1 and communicating over an untrusted network. VMware Product Running Replace with/ Product Version on Apply Patch ============== ======= ======= ============= vCSA 5.5 5.5u1b vCSA 5.1 5.1u2a vCSA 5.0 5.0u3a ESXi 5.1 ESXi ESXi510- 201406401-SG ESXi 5.0 ESXi ESXi500- 201407401-SG Workstation 10.x any 10.0.3 Workstation 9.x any 9.0.4 Fusion 6.x OSX 6.0.4 Fusion 5.x OSX 5.0.5 Player 6.x any 6.0.3 Player 5.x any 5.0.4 vCenter Chargeback Manager 2.5.x 2.6.0.1 Horizon Workspace Client 1.x OSX 1.8.2 Horizon Workspace Client 1.x Windows 1.8.2 Horizon View Client 2.x Android 3.0 Horizon View Client 2.x iOS 3.0 Horizon View Client 2.x OSX 3.0 Horizon View Client 2.x Windows 3.0 Horizon View Client 2.x WinStore 3.0 OVF Tool 3.5.1 3.5.2 OVF Tool 3.0.1 3.5.2 vCenter Operations Manager 5.8.x 5.8.2 vCenter Operations Manager 5.7.x 5.7.3 vCenter Support Assistant 5.5.1 5.5.1.1 vCD 5.5.1.x 5.5.1.2 vCD 5.1.x 5.1.3.1 vCenter Site Recovery Manager 5.5.x 5.5.1.1 vCenter Site Recovery Manager 5.1.x 5.1.2.1 vCenter Site Recovery Manager 5.0.3.x 5.0.3.2 vSphere Client 5.5 Windows 5.5u1b vSphere Client 5.1 Windows 5.1u2a vSphere Client 5.0 Windows 5.0u3a Table 3 ======= The following table lists all affected clients running a vulnerable version of OpenSSL 0.9.8 or 1.0.1 and communicating over a trusted or isolated network. VMware Product Running Replace with/ Product Version on Apply Patch ============== ======= ======= ============= vCenter Server 5.5 any 5.5u1b vCenter Server 5.1 any 5.1u2a vCenter Server 5.0 any 5.0u3a Update Manager 5.5 Windows 5.5u1b vCenter Configuration Manager (VCM) 5.6 5.7.2 ITBM Standard 1.0.1 1.1 ITBM Standard 1.0 1.1 Studio 2.6.0.0 patch pending Usage Meter 3.3 3.3.1 vCenter Converter Standalone 5.5 5.5.2 vCenter Converter Standalone 5.1 5.1.1 vCloud Automation Center 6.0.x 6.0.1.2 VIX API 1.12 patch pending vMA (Management Assistant) 5.5.01 patch pending vSphere PowerCLI 5.x See VMware KB 2082132 vSphere Data Protection 5.5.6 patch pending vSphere Data Protection 5.1.11 patch pending vSphere Replication 5.5.1 5.5.1.1 vSphere Replication 5.6 5.8 vSphere SDK for Perl 5.5 5.5 Update 2 VDDK 5.5.x 5.5.2 VDDK 5.1.x 5.1.3 VDDK 5.0.x 5.0.4 4. Solution Big Data Extensions 2.0.0 ---------------------------- Downloads and Documentation: https://www.vmware.com/go/download-bde ESXi 5.5, 5.1 and 5.0 ---------------------------- Download: https://www.vmware.com/patchmgr/findPatch.portal Horizon Mirage Edge Gateway 4.4.3 --------------------------------- Downloads and Documentation: https://www.vmware.com/go/download-horizon-mirage vCD 5.5.1.2 ---------------------------- Downloads and Documentation: https://www.vmware.com/go/download/vcloud-director vCenter Server 5.5u1b, 5.1u2a, 5.0u3a ------------------------------------ Downloads and Documentation: https://www.vmware.com/go/download-vsphere vCSA 5.5u1b, 5.1u2a and 5.0u3a ---------------------------- Downloads and Documentation: https://www.vmware.com/go/download-vsphere Update Manager 5.5u1b ---------------------------- Downloads and Documentation: https://www.vmware.com/go/download-vsphere VDDK 5.x ---------------------------- Downloads and Documentation: https://www.vmware.com/support/developer/vddk vCenter Configuration Manager (VCM) 5 ---------------------------- Downloads and Documentation: https://www.vmware.com/go/download_vcm vCenter Operations Manager 5.8 and 5.7.3 ---------------------------- Downloads and Documentation: https://www.vmware.com/go/download-vsphere-ops-mgr OVF Tool 3.5.2 -------------- Download: https://www.vmware.com/support/developer/ovf/ vCenter Converter Standalone 5.5.2 ----------------------------------- Downloads and Documentation: https://www.vmware.com/go/download-converter Horizon View 5 ---------------------------- Downloads and Documentation: https://www.vmware.com/go/downloadview Horizon View 5.3 Feature Pack 3 ----------------------------------- Downloads and Documentation: https://www.vmware.com/go/downloadview Horizon Workspace Server 1.5 and 1.8.x ---------------------------- Release Notes and download: http://kb.vmware.com/kb/2082181 Workstation ---------------------- https://www.vmware.com/go/downloadworkstation Fusion ------------------ https://www.vmware.com/go/downloadfusion VMware Player ------------------ https://www.vmware.com/go/downloadplayer vCenter Server 5.1 Update 2a ---------------------------------------------------- Download link: https://my.vmware.com/web/vmware/info/slug/datacenter_cloud_infrastructure/ vmware_vsphere/5_1 vCenter Server 5.0 Update 3a ---------------------------------------------------- Download link: https://my.vmware.com/web/vmware/info/slug/datacenter_cloud_infrastructure/ vmware_vsphere/5_0 vCloud Networking and Security 5.5.2.1 ------------------------------------ Download https://my.vmware.com/web/vmware/details?downloadGroup=VCNS552_GA&productId =353&rPId=5255 vCloud Networking and Security 5.1.4.1 ------------------------------------ Download: https://my.vmware.com/web/vmware/details?downloadGroup=VCNS514_GA&productId =285&rPId=5131 NSX for Multi-Hypervisor, NSX for vSphere and NVP ------------------------------------------------- Remediation Instructions and Download, available under support: http://www.vmware.com/products/nsx vCD 5.5.1.2 and vCD 5.1.3.1 --------------------------- Download link: https://www.vmware.com/go/download-vcd-ns VMware vCenter Chargeback Manager --------------------------------- Download link: https://www.vmware.com/go/download-chargeback Converter Standalone 5.1.1 --------------------------- Download link: https://www.vmware.com/go/download-converter Usage Manager 3.3 ----------------- Downloads and Documentation: https://communities.vmware.com/community/vmtn/vcd/vcloud_usage_meter vCenter Support Assistant -------------------------- Downloads: https://www.vmware.com/go/download-vsphere Pivotal Web Server 5.4.1 ------------------------ https://my.vmware.com/web/vmware/details?downloadGroup=VF_530_PVTL_WSVR_541 &productId=335&rPId=6214 vCloud Automation Center -------------------------- Downloads: https://www.vmware.com/go/download-vcac vCenter Site Recovery Manager 5.5.1.1 ------------------------------------- Remediation Instructions and Download: http://kb.vmware.com/kb/2081861 vCenter Site Recovery Manager 5.1.2.1 ------------------------------------- Remediation Instructions and Download: http://kb.vmware.com/kb/2081860 vCenter Site Recovery Manager 5.0.3.2 ------------------------------------- Remediation Instructions and Download: http://kb.vmware.com/kb/2081859 vSphere Replication 5.8 ----------------------- Download: https://my.vmware.com/web/vmware/details?downloadGroup=SDKPERL552&productId =353 vSphere Replication 5.5.1.1 --------------------------- Remediation Instructions and Download: http://kb.vmware.com/kb/2082666 ITBM Standard 1.1 ----------------- Download: https://my.vmware.com/web/vmware/details?downloadGroup=ITBM-STD-110&product Id=384&rPId=6384 Release Notes: https://www.vmware.com/support/itbms/doc/itbm-standard-edition-11-release-n otes.html vSphere SDK for Perl 5.5 Update 2 ---------------------------------- Download: https://my.vmware.com/web/vmware/details?downloadGroup=VR580&productId=451& rPId=6436 Release Notes: https://www.vmware.com/support/vsphere-replication/doc/vsphere-replication- 58-release-notes.html 5. References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0198 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-5298 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3470 https://www.openssl.org/news/secadv_20140605.txt http://www.gopivotal.com/security/cve-2014-0224 VMware Knowledge Base Article 2082132 http://kb.vmware.com/kb/2082132 - ----------------------------------------------------------------------- 6. Change Log 2014-06-10 VMSA-2014-0006 Initial security advisory in conjunction with the release of ESXi 5.5 updates on 2014-06-10 2014-06-12 VMSA-2014-0006.1 Updated security advisory in conjunction with the release of Big Data Extensions 2.0.0, Horizon Mirage Edge Gateway 4.4.3, vCD 5.5.1.2, vCenter Server 5.5u1b, vCSA 5.5u1b, and Update Manager 5.5u1b on 2014-06-12 2014-06-17 VMSA-2014-0006.2 Updated security advisory in conjunction with the release of ESXi 5.1 updates, VDDK 5.5.2, 5.1.3, and 5.0.4 on 2014-06-17 2014-06-24 VMSA-2014-0006.3 Updated security advisory in conjunction with the release of Horizon View 5.3.2, Horizon View 5.3 Feature Pack 3, vCenter Configuration Manager 5.7.2, vCenter Converter Standalone 5.5.2, vCenter Operations Manager 5.8.2, OVF Tool 5.3.2 on 2014-06-24 2014-07-01 VMSA-2014-0006.4 Updated security advisory in conjunction with the release of ESX 5.0 patches, Workstation 10.0.3, Player 6.0.3, Fusion 6.0.4, Horizon Workspace Server 1.5.x and 1.8.x updates, vCD 5.1.3.1, vCenter Server 5.1 update 2a and 5.0 update 3a, vCSA 5.1 update 2a and 5.0 update 3a, Converter Standalone 5.1.1, vCenter Chargeback Manager 2.6.0.1, vCloud Networking and Security 5.5.2.1 and 5.1.4.1, NSX for Multi-Hypervisor 4.1.3, NSX for Multi-Hypervisor 4.0.4, NVP 3.2.3 and NSX 6.0.5 for vSphere on 2014-07-01 2014-07-03 VMSA-2014-0006.5 Updated security advisory in conjunction with the release of Workstation 9.0.4, Player 5.0.4, Fusion 5.0.5, vCenter Support Assistant 5.5.1.1, on 2014-07-03 2014-07-08 VMSA-2014-0006.6 Updated security advisory in conjunction with the release of vSphere PowerCLI 5.x on 2014-07-04 and Pivotal Web Server 5.4.1 on 2014-07-08 2014-07-10 VMSA-2014-0006.7 Updated security advisory in conjunction with the release of vCloud Automation Center 6.0.1.2 and vCenter Operations Manager 5.7.3 on 2014-07-10 2014-07-18 VMSA-2014-0006.8 Updated security advisory in conjunction with the release of patches for vCenter Site Recovery Manager 5.5.1.1 and vSphere Replication 5.5.1.1 on 2014-07-17 2014-07-22 VMSA-2014-0006.9 Updated security advisory in conjunction with the release of patches for vCenter Site Recovery Manager 5.1.2.1 and 5.0.3.2 on 2014-07-22 2014-09-09 VMSA-2014-0006.10 Updated security advisory in conjunction with the release of patches for ITBM Standard 1.1, vSphere Replication 5.8 and vSphere SDK for Perl 5.5 Update 2 on 2014-09-09. vFabric Application Director has been removed from the table above since it is not affected by this issue. - ----------------------------------------------------------------------- 7. Contact E-mail list for product security notifications and announcements: http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce This Security Advisory is posted to the following lists: security-announce at lists.vmware.com bugtraq at securityfocus.com fulldisclosure at seclists.org E-mail: security at vmware.com PGP key at: http://kb.vmware.com/kb/1055 VMware Security Advisories http://www.vmware.com/security/advisories VMware Security Response Policy https://www.vmware.com/support/policies/security_response.html VMware Lifecycle Support Phases https://www.vmware.com/support/policies/lifecycle.html Twitter https://twitter.com/VMwareSRC Copyright 2014 VMware Inc. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: Encryption Desktop 10.3.0 (Build 8741) Charset: utf-8 wj8DBQFUD16eDEcm8Vbi9kMRAgBdAJsG4mzXIKqUyD2j5rTkDDQvG9giYwCfTmv4 S8n3FBEzi2wj9s5V00WS7/4= =2ZcF -----END PGP SIGNATURE-----
Category Archives: VMWare
VMWare
UPDATED: VMSA-2014-0006.10 – VMware product updates address OpenSSL security vulnerabilities
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ----------------------------------------------------------------------- VMware Security Advisory Advisory ID: VMSA-2014-0006.10 Synopsis: VMware product updates address OpenSSL security vulnerabilities Issue date: 2014-06-10 Updated on: 2014-09-09 CVE numbers: CVE-2014-0224, CVE-2014-0198, CVE-2010-5298, and CVE-2014-3470 - ----------------------------------------------------------------------- 1. Summary VMware product updates address OpenSSL security vulnerabilities. 2. Relevant Releases Big Data Extensions prior to 2.0.0 ESXi 5.5 without patch ESXi550-201406401-SG ESXi 5.1 without patch ESXi510-201406401-SG ESXi 5.0 without patch ESXi500-201407401-SG Workstation 10.x prior to 10.0.3 Workstation 9.x prior to 9.0.4 Player 6.x prior to 6.0.3 Player 5.x prior to 5.0.4 Fusion 6.x prior to 6.0.4 Fusion 5.x prior to 5.0.5 Horizon Mirage Edge Gateway prior to 4.4.3 Horizon View prior to 5.3.2 Horizon View 5.3 Feature Pack X prior to Feature Pack 3 Horizon Workspace Server 1.5.x without patch horizon-nginx-rpm- 1.5.0.0-1876270. x86_64.rpm Horizon Workspace Server 1.8.x without patch horizon-nginx-rpm- 1.8.2.1820-1876338. x86_64.rpm Horizon View Clients prior to 3.0 vCD 5.5.x prior to 5.5.1.2 vCD 5.1.x prior to 5.1.3.1 vCenter prior to 5.5u1b vCenter prior to 5.1 U2a vCenter prior to 5.0U3a vCenter Support Assistant prior to 5.5.1.1 vCloud Automation Center prior to 6.0.1.2 vCenter Configuration Manager prior to 5.7.2 vCenter Converter Standalone prior to 5.5.2 Converter Standalone prior to 5.1.1 Usage Manager prior to 3.3 vCenter Operations Manager prior to 5.8.2 vCenter Operations Manager prior to 5.7.3 vCenter Chargeback Manager 2.6 prior to 2.6.0.1 vCloud Networking and Security prior to 5.5.2.1 vCloud Networking and Security prior to 5.1.4.1 vSphere PowerCLI 5.x vCSA prior to 5.5u1b vCSA prior to 5.1u2a vCSA prior to 5.0u3a OVF Tool prior to 5.3.2 Update Manager prior to 5.5u1b ITBM Standard prior to 1.1 VDDK prior to 5.5.2 VDDK prior to 5.1.3 VDDK prior to 5.0.4 NSX for Multi-Hypervisor 4.1.x prior to 4.1.3 NSX for Multi-Hypervisor 4.0.x prior to 4.0.4 NVP 3.0.x prior to 3.2.3 NSX 6.0.x for vSphere prior to 6.0.5 vFabric Web Server 5.x Pivotal Web Server prior to 5.4.1 vCenter Site Recovery Manager prior to 5.5.1.1 vCenter Site Recovery Manager prior to 5.1.2.1 vCenter Site Recovery Manager prior to 5.0.3.2 vSphere Replication prior to 5.8 vSphere Replication prior to 5.5.1.1 vSphere SDK for Perl prior to 5.5 Update 2 3. Problem Description a. OpenSSL update for multiple products. OpenSSL libraries have been updated in multiple products to versions 0.9.8za and 1.0.1h in order to resolve multiple security issues. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2014-0224, CVE-2014-0198, CVE-2010-5298, CVE-2014-3470, CVE-2014-0221 and CVE-2014-0195 to these issues. The most important of these issues is CVE-2014-0224. CVE-2014-0198, CVE-2010-5298 and CVE-2014-3470 are considered to be of moderate severity. Exploitation is highly unlikely or is mitigated due to the application configuration. CVE-2014-0221 and CVE-2014-0195, which are listed in the OpenSSL Security Advisory (see Reference section below), do not affect any VMware products. CVE-2014-0224 may lead to a Man-in-the-Middle attack if a server is running a vulnerable version of OpenSSL 1.0.1 and clients are running a vulnerable version of OpenSSL 0.9.8 or 1.0.1. Updating the server will mitigate this issue for both the server and all affected clients. CVE-2014-0224 may affect products differently depending on whether the product is acting as a client or a server and of which version of OpenSSL the product is using. For readability the affected products have been split into 3 tables below, based on the different client-server configurations and deployment scenarios. MITIGATIONS Clients that communicate with a patched or non-vulnerable server are not vulnerable to CVE-2014-0224. Applying these patches to affected servers will mitigate the affected clients (See Table 1 below). Clients that communicate over untrusted networks such as public Wi-Fi and communicate to a server running a vulnerable version of OpenSSL 1.0.1. can be mitigated by using a secure network such as VPN (see Table 2 below). Clients and servers that are deployed on an isolated network are less exposed to CVE-2014-0224 (see Table 3 below). The affected products are typically deployed to communicate over the management network. RECOMMENDATIONS VMware recommends customers evaluate and deploy patches for affected Servers in Table 1 below as these patches become available. Patching these servers will remove the ability to exploit the vulnerability described in CVE-2014-0224 on both clients and servers. VMware recommends customers consider applying patches to products listed in Table 2 & 3 as required. Column 4 of the following tables lists the action required to remediate the vulnerability in each release, if a solution is available. Table 1 ======= Affected servers running a vulnerable version of OpenSSL 1.0.1. VMware Product Running Replace with/ Product Version on Apply Patch ============== ======= ======= ============= ESXi 5.5 ESXi ESXi550- 201406401-SG Big Data Extensions 1.1 2.0.0 vCenter Chargeback Manager 2.6 2.6.0.1 Horizon Workspace Server 1.5.x horizon-nginx- rpm-1.5.0.0- 1876270. x86_64.rpm Horizon Workspace Server 1.8.x horizon-nginx- rpm-1.8.2.1820- 1876338. x86_64.rpm Horizon Mirage Edge Gateway 4.4.x 4.4.3 Horizon View 5.x 5.3.2 Horizon View Feature Pack 5.x 5.3 FP3 NSX for Multi-Hypervisor 4.1.2 4.1.3 NSX for Multi-Hypervisor 4.0.3 4.0.4 NSX for vSphere 6.0.4 6.0.5 NVP 3.2.2 3.2.3 vCloud Networking and Security 5.5.2 5.5.2.1 vCloud Networking and Security 5.1.4 5.1.4.1 Pivotal Web Server 5.4 5.4.1 vFabric Web Server 5.x Pivotal Web Server 5.4.1 Table 2 ======== Affected clients running a vulnerable version of OpenSSL 0.9.8 or 1.0.1 and communicating over an untrusted network. VMware Product Running Replace with/ Product Version on Apply Patch ============== ======= ======= ============= vCSA 5.5 5.5u1b vCSA 5.1 5.1u2a vCSA 5.0 5.0u3a ESXi 5.1 ESXi ESXi510- 201406401-SG ESXi 5.0 ESXi ESXi500- 201407401-SG Workstation 10.x any 10.0.3 Workstation 9.x any 9.0.4 Fusion 6.x OSX 6.0.4 Fusion 5.x OSX 5.0.5 Player 6.x any 6.0.3 Player 5.x any 5.0.4 vCenter Chargeback Manager 2.5.x 2.6.0.1 Horizon Workspace Client 1.x OSX 1.8.2 Horizon Workspace Client 1.x Windows 1.8.2 Horizon View Client 2.x Android 3.0 Horizon View Client 2.x iOS 3.0 Horizon View Client 2.x OSX 3.0 Horizon View Client 2.x Windows 3.0 Horizon View Client 2.x WinStore 3.0 OVF Tool 3.5.1 3.5.2 OVF Tool 3.0.1 3.5.2 vCenter Operations Manager 5.8.x 5.8.2 vCenter Operations Manager 5.7.x 5.7.3 vCenter Support Assistant 5.5.1 5.5.1.1 vCD 5.5.1.x 5.5.1.2 vCD 5.1.x 5.1.3.1 vCenter Site Recovery Manager 5.5.x 5.5.1.1 vCenter Site Recovery Manager 5.1.x 5.1.2.1 vCenter Site Recovery Manager 5.0.3.x 5.0.3.2 vSphere Client 5.5 Windows 5.5u1b vSphere Client 5.1 Windows 5.1u2a vSphere Client 5.0 Windows 5.0u3a Table 3 ======= The following table lists all affected clients running a vulnerable version of OpenSSL 0.9.8 or 1.0.1 and communicating over a trusted or isolated network. VMware Product Running Replace with/ Product Version on Apply Patch ============== ======= ======= ============= vCenter Server 5.5 any 5.5u1b vCenter Server 5.1 any 5.1u2a vCenter Server 5.0 any 5.0u3a Update Manager 5.5 Windows 5.5u1b vCenter Configuration Manager (VCM) 5.6 5.7.2 ITBM Standard 1.0.1 1.1 ITBM Standard 1.0 1.1 Studio 2.6.0.0 patch pending Usage Meter 3.3 3.3.1 vCenter Converter Standalone 5.5 5.5.2 vCenter Converter Standalone 5.1 5.1.1 vCloud Automation Center 6.0.x 6.0.1.2 VIX API 1.12 patch pending vMA (Management Assistant) 5.5.01 patch pending vSphere PowerCLI 5.x See VMware KB 2082132 vSphere Data Protection 5.5.6 patch pending vSphere Data Protection 5.1.11 patch pending vSphere Replication 5.5.1 5.5.1.1 vSphere Replication 5.6 5.8 vSphere SDK for Perl 5.5 5.5 Update 2 VDDK 5.5.x 5.5.2 VDDK 5.1.x 5.1.3 VDDK 5.0.x 5.0.4 4. Solution Big Data Extensions 2.0.0 ---------------------------- Downloads and Documentation: https://www.vmware.com/go/download-bde ESXi 5.5, 5.1 and 5.0 ---------------------------- Download: https://www.vmware.com/patchmgr/findPatch.portal Horizon Mirage Edge Gateway 4.4.3 --------------------------------- Downloads and Documentation: https://www.vmware.com/go/download-horizon-mirage vCD 5.5.1.2 ---------------------------- Downloads and Documentation: https://www.vmware.com/go/download/vcloud-director vCenter Server 5.5u1b, 5.1u2a, 5.0u3a ------------------------------------ Downloads and Documentation: https://www.vmware.com/go/download-vsphere vCSA 5.5u1b, 5.1u2a and 5.0u3a ---------------------------- Downloads and Documentation: https://www.vmware.com/go/download-vsphere Update Manager 5.5u1b ---------------------------- Downloads and Documentation: https://www.vmware.com/go/download-vsphere VDDK 5.x ---------------------------- Downloads and Documentation: https://www.vmware.com/support/developer/vddk vCenter Configuration Manager (VCM) 5 ---------------------------- Downloads and Documentation: https://www.vmware.com/go/download_vcm vCenter Operations Manager 5.8 and 5.7.3 ---------------------------- Downloads and Documentation: https://www.vmware.com/go/download-vsphere-ops-mgr OVF Tool 3.5.2 -------------- Download: https://www.vmware.com/support/developer/ovf/ vCenter Converter Standalone 5.5.2 ----------------------------------- Downloads and Documentation: https://www.vmware.com/go/download-converter Horizon View 5 ---------------------------- Downloads and Documentation: https://www.vmware.com/go/downloadview Horizon View 5.3 Feature Pack 3 ----------------------------------- Downloads and Documentation: https://www.vmware.com/go/downloadview Horizon Workspace Server 1.5 and 1.8.x ---------------------------- Release Notes and download: http://kb.vmware.com/kb/2082181 Workstation ---------------------- https://www.vmware.com/go/downloadworkstation Fusion ------------------ https://www.vmware.com/go/downloadfusion VMware Player ------------------ https://www.vmware.com/go/downloadplayer vCenter Server 5.1 Update 2a ---------------------------------------------------- Download link: https://my.vmware.com/web/vmware/info/slug/datacenter_cloud_infrastructure/ vmware_vsphere/5_1 vCenter Server 5.0 Update 3a ---------------------------------------------------- Download link: https://my.vmware.com/web/vmware/info/slug/datacenter_cloud_infrastructure/ vmware_vsphere/5_0 vCloud Networking and Security 5.5.2.1 ------------------------------------ Download https://my.vmware.com/web/vmware/details?downloadGroup=VCNS552_GA&productId =353&rPId=5255 vCloud Networking and Security 5.1.4.1 ------------------------------------ Download: https://my.vmware.com/web/vmware/details?downloadGroup=VCNS514_GA&productId =285&rPId=5131 NSX for Multi-Hypervisor, NSX for vSphere and NVP ------------------------------------------------- Remediation Instructions and Download, available under support: http://www.vmware.com/products/nsx vCD 5.5.1.2 and vCD 5.1.3.1 --------------------------- Download link: https://www.vmware.com/go/download-vcd-ns VMware vCenter Chargeback Manager --------------------------------- Download link: https://www.vmware.com/go/download-chargeback Converter Standalone 5.1.1 --------------------------- Download link: https://www.vmware.com/go/download-converter Usage Manager 3.3 ----------------- Downloads and Documentation: https://communities.vmware.com/community/vmtn/vcd/vcloud_usage_meter vCenter Support Assistant -------------------------- Downloads: https://www.vmware.com/go/download-vsphere Pivotal Web Server 5.4.1 ------------------------ https://my.vmware.com/web/vmware/details?downloadGroup=VF_530_PVTL_WSVR_541 &productId=335&rPId=6214 vCloud Automation Center -------------------------- Downloads: https://www.vmware.com/go/download-vcac vCenter Site Recovery Manager 5.5.1.1 ------------------------------------- Remediation Instructions and Download: http://kb.vmware.com/kb/2081861 vCenter Site Recovery Manager 5.1.2.1 ------------------------------------- Remediation Instructions and Download: http://kb.vmware.com/kb/2081860 vCenter Site Recovery Manager 5.0.3.2 ------------------------------------- Remediation Instructions and Download: http://kb.vmware.com/kb/2081859 vSphere Replication 5.8 ----------------------- Download: https://my.vmware.com/web/vmware/details?downloadGroup=SDKPERL552&productId =353 vSphere Replication 5.5.1.1 --------------------------- Remediation Instructions and Download: http://kb.vmware.com/kb/2082666 ITBM Standard 1.1 ----------------- Download: https://my.vmware.com/web/vmware/details?downloadGroup=ITBM-STD-110&product Id=384&rPId=6384 Release Notes: https://www.vmware.com/support/itbms/doc/itbm-standard-edition-11-release-n otes.html vSphere SDK for Perl 5.5 Update 2 ---------------------------------- Download: https://my.vmware.com/web/vmware/details?downloadGroup=VR580&productId=451& rPId=6436 Release Notes: https://www.vmware.com/support/vsphere-replication/doc/vsphere-replication- 58-release-notes.html 5. References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0198 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-5298 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3470 https://www.openssl.org/news/secadv_20140605.txt http://www.gopivotal.com/security/cve-2014-0224 VMware Knowledge Base Article 2082132 http://kb.vmware.com/kb/2082132 - ----------------------------------------------------------------------- 6. Change Log 2014-06-10 VMSA-2014-0006 Initial security advisory in conjunction with the release of ESXi 5.5 updates on 2014-06-10 2014-06-12 VMSA-2014-0006.1 Updated security advisory in conjunction with the release of Big Data Extensions 2.0.0, Horizon Mirage Edge Gateway 4.4.3, vCD 5.5.1.2, vCenter Server 5.5u1b, vCSA 5.5u1b, and Update Manager 5.5u1b on 2014-06-12 2014-06-17 VMSA-2014-0006.2 Updated security advisory in conjunction with the release of ESXi 5.1 updates, VDDK 5.5.2, 5.1.3, and 5.0.4 on 2014-06-17 2014-06-24 VMSA-2014-0006.3 Updated security advisory in conjunction with the release of Horizon View 5.3.2, Horizon View 5.3 Feature Pack 3, vCenter Configuration Manager 5.7.2, vCenter Converter Standalone 5.5.2, vCenter Operations Manager 5.8.2, OVF Tool 5.3.2 on 2014-06-24 2014-07-01 VMSA-2014-0006.4 Updated security advisory in conjunction with the release of ESX 5.0 patches, Workstation 10.0.3, Player 6.0.3, Fusion 6.0.4, Horizon Workspace Server 1.5.x and 1.8.x updates, vCD 5.1.3.1, vCenter Server 5.1 update 2a and 5.0 update 3a, vCSA 5.1 update 2a and 5.0 update 3a, Converter Standalone 5.1.1, vCenter Chargeback Manager 2.6.0.1, vCloud Networking and Security 5.5.2.1 and 5.1.4.1, NSX for Multi-Hypervisor 4.1.3, NSX for Multi-Hypervisor 4.0.4, NVP 3.2.3 and NSX 6.0.5 for vSphere on 2014-07-01 2014-07-03 VMSA-2014-0006.5 Updated security advisory in conjunction with the release of Workstation 9.0.4, Player 5.0.4, Fusion 5.0.5, vCenter Support Assistant 5.5.1.1, on 2014-07-03 2014-07-08 VMSA-2014-0006.6 Updated security advisory in conjunction with the release of vSphere PowerCLI 5.x on 2014-07-04 and Pivotal Web Server 5.4.1 on 2014-07-08 2014-07-10 VMSA-2014-0006.7 Updated security advisory in conjunction with the release of vCloud Automation Center 6.0.1.2 and vCenter Operations Manager 5.7.3 on 2014-07-10 2014-07-18 VMSA-2014-0006.8 Updated security advisory in conjunction with the release of patches for vCenter Site Recovery Manager 5.5.1.1 and vSphere Replication 5.5.1.1 on 2014-07-17 2014-07-22 VMSA-2014-0006.9 Updated security advisory in conjunction with the release of patches for vCenter Site Recovery Manager 5.1.2.1 and 5.0.3.2 on 2014-07-22 2014-09-09 VMSA-2014-0006.10 Updated security advisory in conjunction with the release of patches for ITBM Standard 1.1, vSphere Replication 5.8 and vSphere SDK for Perl 5.5 Update 2 on 2014-09-09. vFabric Application Director has been removed from the table above since it is not affected by this issue. - ----------------------------------------------------------------------- 7. Contact E-mail list for product security notifications and announcements: http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce This Security Advisory is posted to the following lists: security-announce at lists.vmware.com bugtraq at securityfocus.com fulldisclosure at seclists.org E-mail: security at vmware.com PGP key at: http://kb.vmware.com/kb/1055 VMware Security Advisories http://www.vmware.com/security/advisories VMware Security Response Policy https://www.vmware.com/support/policies/security_response.html VMware Lifecycle Support Phases https://www.vmware.com/support/policies/lifecycle.html Twitter https://twitter.com/VMwareSRC Copyright 2014 VMware Inc. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: Encryption Desktop 10.3.0 (Build 8741) Charset: utf-8 wj8DBQFUD16eDEcm8Vbi9kMRAgBdAJsG4mzXIKqUyD2j5rTkDDQvG9giYwCfTmv4 S8n3FBEzi2wj9s5V00WS7/4= =2ZcF -----END PGP SIGNATURE-----
UPDATED: VMSA-2014-0007.2 – VMware product updates address security vulnerabilities in Apache Struts library
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------------ VMware Security Advisory Advisory ID: VMSA-2014-0007.2 Synopsis: VMware product updates address security vulnerabilities in Apache Struts library Issue date: 2014-06-24 Updated on: 2014-09-09 CVE number: CVE-2014-0050, CVE-2014-0094, CVE-2014-0112 - ------------------------------------------------------------------------ 1. Summary VMware product updates address security vulnerabilities in Apache Struts library 2. Relevant releases VMware vCenter Operations Management Suite prior to 5.8.2 VMware vCenter Operations Management Suite prior to 5.7.3 VMware vCenter Orchestrator prior to 5.5.2 3. Problem Description a. The Apache Struts library is updated to version 2.3.16.2 to address multiple security issues. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2014-0050, CVE-2014-0094, and CVE-2014-0112 to these issues. CVE-2014-0112 may lead to remote code execution. This issue was found to be only partially addressed in CVE-2014-0094. CVE-2014-0050 may lead to a denial of service condition. vCenter Operations Management Suite (vCOps) is affected by both CVE-2014-0112 and CVE-2014-0050. Exploitation of CVE-2014-0112 may lead to remote code execution without authentication. vCenter Orchestrator (vCO) is affected by CVE-2014-0050 and not by CVE-2014-0112. Workaround A workaround for CVE-2014-0112 is documented in VMware Knowledge Base article 2081470. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product RunningReplace with/ Product Version on Apply Patch ========== ======= ======================== vCOPS 5.8.x any vCOPS 5.8.2 vCOPS 5.7.x any vCOPS 5.7.3 vCO 5.5 any vCO 5.5.2 vCO 5.1 any patch pending vCO 4.2 any patch pending 4. Solution Please review the patch/release notes for your product and version and verify the checksum of your downloaded file. vCenter Operations Management Suite 5.8.2 and 5.7.3 --------------------------------------------------- Downloads and Documentation: https://www.vmware.com/go/download-vcops vCenter Orchestrator 5.5.2 -------------------------- Downloads and Documentation: https://www.vmware.com/go/download-vsphere 5. References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0050 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0094 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0112 http://kb.vmware.com/kb/2081470 - ------------------------------------------------------------------------ 6. Change log 2014-06-24 VMSA-2014-0007 Initial security advisory in conjunction with the release of vCenter Operations Management Suite 5.8.2 on 2014-06-24. 2014-07-11 VMSA-2014-0007.1 Updated security advisory in conjunction with the release of vCenter Operations Management Suite 5.7.3 on 2014-07-10. 2014-09-09 VMSA-2014-0007.2 Updated security advisory in conjunction with the release of vCenter Orchestrator 5.5.2 on 2014-09-09. - ------------------------------------------------------------------------ 7. Contact E-mail list for product security notifications and announcements: http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce This Security Advisory is posted to the following lists: security-announce at lists.vmware.com bugtraq at securityfocus.com fulldisclosure at seclists.org E-mail: security at vmware.com PGP key at: http://kb.vmware.com/kb/1055 VMware Security Advisories http://www.vmware.com/security/advisories VMware Security Response Policy https://www.vmware.com/support/policies/security_response.html VMware Lifecycle Support Phases https://www.vmware.com/support/policies/lifecycle.html Twitter https://twitter.com/VMwareSRC Copyright 2014 VMware Inc. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: Encryption Desktop 10.3.0 (Build 8741) Charset: utf-8 wj8DBQFUD2OBDEcm8Vbi9kMRAvS6AKDqvOoAKkUoghqYONuEBm98u8/ZoACg1/s3 Sxk/o2UW00LIgdOXpUKB9D4= =nRjh -----END PGP SIGNATURE-----
UPDATED: VMSA-2014-0007.2 – VMware product updates address security vulnerabilities in Apache Struts library
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------------ VMware Security Advisory Advisory ID: VMSA-2014-0007.2 Synopsis: VMware product updates address security vulnerabilities in Apache Struts library Issue date: 2014-06-24 Updated on: 2014-09-09 CVE number: CVE-2014-0050, CVE-2014-0094, CVE-2014-0112 - ------------------------------------------------------------------------ 1. Summary VMware product updates address security vulnerabilities in Apache Struts library 2. Relevant releases VMware vCenter Operations Management Suite prior to 5.8.2 VMware vCenter Operations Management Suite prior to 5.7.3 VMware vCenter Orchestrator prior to 5.5.2 3. Problem Description a. The Apache Struts library is updated to version 2.3.16.2 to address multiple security issues. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2014-0050, CVE-2014-0094, and CVE-2014-0112 to these issues. CVE-2014-0112 may lead to remote code execution. This issue was found to be only partially addressed in CVE-2014-0094. CVE-2014-0050 may lead to a denial of service condition. vCenter Operations Management Suite (vCOps) is affected by both CVE-2014-0112 and CVE-2014-0050. Exploitation of CVE-2014-0112 may lead to remote code execution without authentication. vCenter Orchestrator (vCO) is affected by CVE-2014-0050 and not by CVE-2014-0112. Workaround A workaround for CVE-2014-0112 is documented in VMware Knowledge Base article 2081470. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product RunningReplace with/ Product Version on Apply Patch ========== ======= ======================== vCOPS 5.8.x any vCOPS 5.8.2 vCOPS 5.7.x any vCOPS 5.7.3 vCO 5.5 any vCO 5.5.2 vCO 5.1 any patch pending vCO 4.2 any patch pending 4. Solution Please review the patch/release notes for your product and version and verify the checksum of your downloaded file. vCenter Operations Management Suite 5.8.2 and 5.7.3 --------------------------------------------------- Downloads and Documentation: https://www.vmware.com/go/download-vcops vCenter Orchestrator 5.5.2 -------------------------- Downloads and Documentation: https://www.vmware.com/go/download-vsphere 5. References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0050 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0094 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0112 http://kb.vmware.com/kb/2081470 - ------------------------------------------------------------------------ 6. Change log 2014-06-24 VMSA-2014-0007 Initial security advisory in conjunction with the release of vCenter Operations Management Suite 5.8.2 on 2014-06-24. 2014-07-11 VMSA-2014-0007.1 Updated security advisory in conjunction with the release of vCenter Operations Management Suite 5.7.3 on 2014-07-10. 2014-09-09 VMSA-2014-0007.2 Updated security advisory in conjunction with the release of vCenter Orchestrator 5.5.2 on 2014-09-09. - ------------------------------------------------------------------------ 7. Contact E-mail list for product security notifications and announcements: http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce This Security Advisory is posted to the following lists: security-announce at lists.vmware.com bugtraq at securityfocus.com fulldisclosure at seclists.org E-mail: security at vmware.com PGP key at: http://kb.vmware.com/kb/1055 VMware Security Advisories http://www.vmware.com/security/advisories VMware Security Response Policy https://www.vmware.com/support/policies/security_response.html VMware Lifecycle Support Phases https://www.vmware.com/support/policies/lifecycle.html Twitter https://twitter.com/VMwareSRC Copyright 2014 VMware Inc. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: Encryption Desktop 10.3.0 (Build 8741) Charset: utf-8 wj8DBQFUD2OBDEcm8Vbi9kMRAvS6AKDqvOoAKkUoghqYONuEBm98u8/ZoACg1/s3 Sxk/o2UW00LIgdOXpUKB9D4= =nRjh -----END PGP SIGNATURE-----
NEW VMSA-2014-0008 VMware vSphere product updates to third party libraries
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------------ VMware Security Advisory Advisory ID: VMSA-2014-0008 Synopsis: VMware vSphere product updates to third party libraries Issue date: 2014-09-09 Updated on: 2014-09-09 (Initial Advisory) CVE numbers: --- Struts --- CVE-2014-0114 --- tc-server --- CVE-2013-4590, CVE-2013-4322, and CVE-2014-0050 --- glibc --- CVE-2013-0242 and CVE-2013-1914 --- JRE --- See references - ------------------------------------------------------------------------ 1. Summary VMware has updated vSphere third party libraries 2. Relevant releases VMware vCenter Server 5.5 prior to Update 2 VMware vCenter Update Manager 5.5 prior to Update 2 VMware ESXi 5.5 without patch ESXi550-201409101-SG 3. Problem Description a. vCenter Server Apache Struts Update The Apache Struts library is updated to address a security issue. This issue may lead to remote code execution after authentication. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2014-0114 to this issue. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware ProductRunningReplace with/ Product Versionon Apply Patch ============= =============================== vCenter Server 5.5 any 5.5 Update 2 vCenter Server 5.1 any Patch Pending vCenter Server 5.0 any Patch Pending b. vCenter Server tc-server 2.9.5 / Apache Tomcat 7.0.52 updates tc-server has been updated to version 2.9.5 to address multiple security issues. This version of tc-server includes Apache Tomcat 7.0.52. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifiers CVE-2013-4590, CVE-2013-4322, and CVE-2014-0050 to these issues. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware ProductRunning Replace with/ Product Versionon Apply Patch ============= ============== ================= vCenter Server 5.5 any 5.5 Update 2 vCenter Server 5.1 any Patch Pending vCenter Server 5.0 any Patch Pending c. Update to ESXi glibc package glibc is updated to address multiple security issues. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifiers CVE-2013-0242 and CVE-2013-1914 to these issues. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware ProductRunning Replace with/ Product Versionon Apply Patch ============= ============== ================= ESXi 5.5 any ESXi550-201409101-SG ESXi 5.1 any Patch Pending ESXi 5.0 any Patch Pending d. vCenter and Update Manager, Oracle JRE 1.7 Update 55 Oracle has documented the CVE identifiers that are addressed in JRE 1.7.0 update 55 in the Oracle Java SE Critical Patch Update Advisory of April 2014. The References section provides a link to this advisory. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware ProductRunning Replace with/ Product Versionon Apply Patch ============= ============== ================= vCenter Server 5.5 any 5.5 Update 2 vCenter Server 5.1 any not applicable * vCenter Server 5.0 any not applicable * vCenter Update Manager 5.5 any 5.5 Update 2 vCenter Update Manager 5.1 any not applicable * vCenter Update Manager 5.0 any not applicable * * this product uses the Oracle JRE 1.6.0 family * 4. Solution Please review the patch/release notes for your product and version and verify the checksum of your downloaded file. vCenter Server and Update Manager 5.5u2 --------------------------------------- Downloads and Documentation: https://www.vmware.com/go/download-vsphere ESXi 5.5 -------- Download: https://www.vmware.com/patchmgr/findPatch.portal 5. References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0114 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4590 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4322 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0050 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0242 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1914 JRE --- Oracle Java SE Critical Patch Update Advisory of April 2014 http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html - ------------------------------------------------------------------------ 6. Change log 2014-09-09 VMSA-2014-0008 Initial security advisory in conjunction with the release of vSphere 5.5 Update 2 on 2014-09-09. - ------------------------------------------------------------------------ 7. Contact E-mail list for product security notifications and announcements: http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce This Security Advisory is posted to the following lists: security-announce at lists.vmware.com bugtraq at securityfocus.com fulldisclosure at seclists.org E-mail: security at vmware.com PGP key at: http://kb.vmware.com/kb/1055 VMware Security Advisories http://www.vmware.com/security/advisories VMware Security Response Policy https://www.vmware.com/support/policies/security_response.html VMware Lifecycle Support Phases https://www.vmware.com/support/policies/lifecycle.html Twitter https://twitter.com/VMwareSRC Copyright 2014 VMware Inc. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: Encryption Desktop 10.3.0 (Build 8741) Charset: utf-8 wj8DBQFUD2LADEcm8Vbi9kMRAp0lAKCCB15Aa21ThBMqWRJTeYEweSVrdQCaAsNC he8AihUDo3UB9amCBiImxq0= =W0+t -----END PGP SIGNATURE-----
NEW VMSA-2014-0008 VMware vSphere product updates to third party libraries
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------------ VMware Security Advisory Advisory ID: VMSA-2014-0008 Synopsis: VMware vSphere product updates to third party libraries Issue date: 2014-09-09 Updated on: 2014-09-09 (Initial Advisory) CVE numbers: --- Struts --- CVE-2014-0114 --- tc-server --- CVE-2013-4590, CVE-2013-4322, and CVE-2014-0050 --- glibc --- CVE-2013-0242 and CVE-2013-1914 --- JRE --- See references - ------------------------------------------------------------------------ 1. Summary VMware has updated vSphere third party libraries 2. Relevant releases VMware vCenter Server 5.5 prior to Update 2 VMware vCenter Update Manager 5.5 prior to Update 2 VMware ESXi 5.5 without patch ESXi550-201409101-SG 3. Problem Description a. vCenter Server Apache Struts Update The Apache Struts library is updated to address a security issue. This issue may lead to remote code execution after authentication. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2014-0114 to this issue. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware ProductRunningReplace with/ Product Versionon Apply Patch ============= =============================== vCenter Server 5.5 any 5.5 Update 2 vCenter Server 5.1 any Patch Pending vCenter Server 5.0 any Patch Pending b. vCenter Server tc-server 2.9.5 / Apache Tomcat 7.0.52 updates tc-server has been updated to version 2.9.5 to address multiple security issues. This version of tc-server includes Apache Tomcat 7.0.52. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifiers CVE-2013-4590, CVE-2013-4322, and CVE-2014-0050 to these issues. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware ProductRunning Replace with/ Product Versionon Apply Patch ============= ============== ================= vCenter Server 5.5 any 5.5 Update 2 vCenter Server 5.1 any Patch Pending vCenter Server 5.0 any Patch Pending c. Update to ESXi glibc package glibc is updated to address multiple security issues. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifiers CVE-2013-0242 and CVE-2013-1914 to these issues. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware ProductRunning Replace with/ Product Versionon Apply Patch ============= ============== ================= ESXi 5.5 any ESXi550-201409101-SG ESXi 5.1 any Patch Pending ESXi 5.0 any Patch Pending d. vCenter and Update Manager, Oracle JRE 1.7 Update 55 Oracle has documented the CVE identifiers that are addressed in JRE 1.7.0 update 55 in the Oracle Java SE Critical Patch Update Advisory of April 2014. The References section provides a link to this advisory. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware ProductRunning Replace with/ Product Versionon Apply Patch ============= ============== ================= vCenter Server 5.5 any 5.5 Update 2 vCenter Server 5.1 any not applicable * vCenter Server 5.0 any not applicable * vCenter Update Manager 5.5 any 5.5 Update 2 vCenter Update Manager 5.1 any not applicable * vCenter Update Manager 5.0 any not applicable * * this product uses the Oracle JRE 1.6.0 family * 4. Solution Please review the patch/release notes for your product and version and verify the checksum of your downloaded file. vCenter Server and Update Manager 5.5u2 --------------------------------------- Downloads and Documentation: https://www.vmware.com/go/download-vsphere ESXi 5.5 -------- Download: https://www.vmware.com/patchmgr/findPatch.portal 5. References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0114 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4590 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4322 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0050 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0242 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1914 JRE --- Oracle Java SE Critical Patch Update Advisory of April 2014 http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html - ------------------------------------------------------------------------ 6. Change log 2014-09-09 VMSA-2014-0008 Initial security advisory in conjunction with the release of vSphere 5.5 Update 2 on 2014-09-09. - ------------------------------------------------------------------------ 7. Contact E-mail list for product security notifications and announcements: http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce This Security Advisory is posted to the following lists: security-announce at lists.vmware.com bugtraq at securityfocus.com fulldisclosure at seclists.org E-mail: security at vmware.com PGP key at: http://kb.vmware.com/kb/1055 VMware Security Advisories http://www.vmware.com/security/advisories VMware Security Response Policy https://www.vmware.com/support/policies/security_response.html VMware Lifecycle Support Phases https://www.vmware.com/support/policies/lifecycle.html Twitter https://twitter.com/VMwareSRC Copyright 2014 VMware Inc. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: Encryption Desktop 10.3.0 (Build 8741) Charset: utf-8 wj8DBQFUD2LADEcm8Vbi9kMRAp0lAKCCB15Aa21ThBMqWRJTeYEweSVrdQCaAsNC he8AihUDo3UB9amCBiImxq0= =W0+t -----END PGP SIGNATURE-----
UPDATED : VMSA-2014-0006.9 VMware product updates address OpenSSL security vulnerabilities
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ----------------------------------------------------------------------- VMware Security Advisory Advisory ID: VMSA-2014-0006.9 Synopsis: VMware product updates address OpenSSL security vulnerabilities Issue date: 2014-06-10 Updated on: 2014-07-22 CVE numbers: CVE-2014-0224, CVE-2014-0198, CVE-2010-5298, and CVE-2014-3470 - ----------------------------------------------------------------------- 1. Summary VMware product updates address OpenSSL security vulnerabilities. 2. Relevant Releases Big Data Extensions prior to 2.0.0 ESXi 5.5 without patch ESXi550-201406401-SG ESXi 5.1 without patch ESXi510-201406401-SG ESXi 5.0 without patch ESXi500-201407401-SG Workstation 10.x prior to 10.0.3 Workstation 9.x prior to 9.0.4 Player 6.x prior to 6.0.3 Player 5.x prior to 5.0.4 Fusion 6.x prior to 6.0.4 Fusion 5.x prior to 5.0.5 Horizon Mirage Edge Gateway prior to 4.4.3 Horizon View prior to 5.3.2 Horizon View 5.3 Feature Pack X prior to Feature Pack 3 Horizon Workspace Server 1.5.x without patch horizon-nginx-rpm- 1.5.0.0-1876270. x86_64.rpm Horizon Workspace Server 1.8.x without patch horizon-nginx-rpm- 1.8.2.1820-1876338. x86_64.rpm Horizon View Clients prior to 3.0 vCD 5.5.x prior to 5.5.1.2 vCD 5.1.x prior to 5.1.3.1 vCenter prior to 5.5u1b vCenter prior to 5.1 U2a vCenter prior to 5.0U3a vCenter Support Assistant prior to 5.5.1.1 vCloud Automation Center prior to 6.0.1.2 vCenter Configuration Manager prior to 5.7.2 vCenter Converter Standalone prior to 5.5.2 Converter Standalone prior to 5.1.1 vCenter Operations Manager prior to 5.8.2 vCenter Operations Manager prior to 5.7.3 vCenter Chargeback Manager 2.6 prior to 2.6.0.1 vCloud Networking and Security prior to 5.5.2.1 vCloud Networking and Security prior to 5.1.4.1 vSphere PowerCLI 5.x vCSA prior to 5.5u1b vCSA prior to 5.1u2a vCSA prior to 5.0u3a OVF Tool prior to 5.3.2 Update Manager prior to 5.5u1b VDDK prior to 5.5.2 VDDK prior to 5.1.3 VDDK prior to 5.0.4 NSX for Multi-Hypervisor 4.1.x prior to 4.1.3 NSX for Multi-Hypervisor 4.0.x prior to 4.0.4 NVP 3.0.x prior to 3.2.3 NSX 6.0.x for vSphere prior to 6.0.5 vFabric Web Server 5.x Pivotal Web Server prior to 5.4.1 vCenter Site Recovery Manager prior to 5.5.1.1 vCenter Site Recovery Manager prior to 5.1.2.1 vCenter Site Recovery Manager prior to 5.0.3.2 vSphere Replication prior to 5.5.1.1 3. Problem Description a. OpenSSL update for multiple products. OpenSSL libraries have been updated in multiple products to versions 0.9.8za and 1.0.1h in order to resolve multiple security issues. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2014-0224, CVE-2014-0198, CVE-2010-5298, CVE-2014-3470, CVE-2014-0221 and CVE-2014-0195 to these issues. The most important of these issues is CVE-2014-0224. CVE-2014-0198, CVE-2010-5298 and CVE-2014-3470 are considered to be of moderate severity. Exploitation is highly unlikely or is mitigated due to the application configuration. CVE-2014-0221 and CVE-2014-0195, which are listed in the OpenSSL Security Advisory (see Reference section below), do not affect any VMware products. CVE-2014-0224 may lead to a Man-in-the-Middle attack if a server is running a vulnerable version of OpenSSL 1.0.1 and clients are running a vulnerable version of OpenSSL 0.9.8 or 1.0.1. Updating the server will mitigate this issue for both the server and all affected clients. CVE-2014-0224 may affect products differently depending on whether the product is acting as a client or a server and of which version of OpenSSL the product is using. For readability the affected products have been split into 3 tables below, based on the different client-server configurations and deployment scenarios. MITIGATIONS Clients that communicate with a patched or non-vulnerable server are not vulnerable to CVE-2014-0224. Applying these patches to affected servers will mitigate the affected clients (See Table 1 below). Clients that communicate over untrusted networks such as public Wi-Fi and communicate to a server running a vulnerable version of OpenSSL 1.0.1. can be mitigated by using a secure network such as VPN (see Table 2 below). Clients and servers that are deployed on an isolated network are less exposed to CVE-2014-0224 (see Table 3 below). The affected products are typically deployed to communicate over the management network. RECOMMENDATIONS VMware recommends customers evaluate and deploy patches for affected Servers in Table 1 below as these patches become available. Patching these servers will remove the ability to exploit the vulnerability described in CVE-2014-0224 on both clients and servers. VMware recommends customers consider applying patches to products listed in Table 2 & 3 as required. Column 4 of the following tables lists the action required to remediate the vulnerability in each release, if a solution is available. Table 1 ======= Affected servers running a vulnerable version of OpenSSL 1.0.1. VMware Product Running Replace with/ Product Version on Apply Patch ============== ======= ======= ============= ESXi 5.5 ESXi ESXi550- 201406401-SG Big Data Extensions 1.1 2.0.0 vCenter Chargeback Manager 2.6 2.6.0.1 Horizon Workspace Server 1.5.x horizon-nginx- rpm-1.5.0.0- 1876270. x86_64.rpm Horizon Workspace Server 1.8.x horizon-nginx- rpm-1.8.2.1820- 1876338. x86_64.rpm Horizon Mirage Edge Gateway 4.4.x 4.4.3 Horizon View 5.x 5.3.2 Horizon View Feature Pack 5.x 5.3 FP3 NSX for Multi-Hypervisor 4.1.2 4.1.3 NSX for Multi-Hypervisor 4.0.3 4.0.4 NSX for vSphere 6.0.4 6.0.5 NVP 3.2.2 3.2.3 vCloud Networking and Security 5.5.2 5.5.2.1 vCloud Networking and Security 5.1.4 5.1.4.1 Pivotal Web Server 5.4 5.4.1 vFabric Web Server 5.x Pivotal Web Server 5.4.1 Table 2 ======== Affected clients running a vulnerable version of OpenSSL 0.9.8 or 1.0.1 and communicating over an untrusted network. VMware Product Running Replace with/ Product Version on Apply Patch ============== ======= ======= ============= vCSA 5.5 5.5u1b vCSA 5.1 5.1u2a vCSA 5.0 5.0u3a ESXi 5.1 ESXi ESXi510- 201406401-SG ESXi 5.0 ESXi ESXi500- 201407401-SG Workstation 10.x any 10.0.3 Workstation 9.x any 9.0.4 Fusion 6.x OSX 6.0.4 Fusion 5.x OSX 5.0.5 Player 6.x any 6.0.3 Player 5.x any 5.0.4 vCenter Chargeback Manager 2.5.x 2.6.0.1 Horizon Workspace Client 1.x OSX 1.8.2 Horizon Workspace Client 1.x Windows 1.8.2 Horizon View Client 2.x Android 3.0 Horizon View Client 2.x iOS 3.0 Horizon View Client 2.x OSX 3.0 Horizon View Client 2.x Windows 3.0 Horizon View Client 2.x WinStore 3.0 OVF Tool 3.5.1 3.5.2 OVF Tool 3.0.1 3.5.2 vCenter Operations Manager 5.8.x 5.8.2 vCenter Operations Manager 5.7.x 5.7.3 vCenter Support Assistant 5.5.1 5.5.1.1 vCD 5.5.1.x 5.5.1.2 vCD 5.1.x 5.1.3.1 vCenter Site Recovery Manager 5.5.x 5.5.1.1 vCenter Site Recovery Manager 5.1.x 5.1.2.1 vCenter Site Recovery Manager 5.0.3.x 5.0.3.2 vSphere Client 5.5 Windows 5.5u1b vSphere Client 5.1 Windows 5.1u2a vSphere Client 5.0 Windows 5.0u3a Table 3 ======= The following table lists all affected clients running a vulnerable version of OpenSSL 0.9.8 or 1.0.1 and communicating over a trusted or isolated network. VMware Product Running Replace with/ Product Version on Apply Patch ============== ======= ======= ============= vCenter Server 5.5 any 5.5u1b vCenter Server 5.1 any 5.1u2a vCenter Server 5.0 any 5.0u3a Update Manager 5.5 Windows 5.5u1b vCenter Configuration Manager (VCM) 5.6 5.7.2 ITBM Standard 1.0.1 patch pending ITBM Standard 1.0 patch pending Studio 2.6.0.0 patch pending Usage Meter 3.3 patch pending vCenter Converter Standalone 5.5 5.5.2 vCenter Converter Standalone 5.1 5.1.1 vCloud Application Director 6.0.x patch pending vFabric Application Director 5.2.0 patch pending vFabric Application Director 5.0.0 patch pending vCloud Automation Center 6.0.x 6.0.1.2 VIX API 1.12 patch pending vMA (Management Assistant) 5.1.0.1 patch pending vSphere PowerCLI 5.x See VMware KB 2082132 vSphere Data Protection 5.5.6 patch pending vSphere Data Protection 5.1.11 patch pending vSphere Replication 5.5.1 5.5.1.1 vSphere Replication 5.6 patch pending vSphere SDK for Perl 5.5 patch pending VDDK 5.5.x 5.5.2 VDDK 5.1.x 5.1.3 VDDK 5.0.x 5.0.4 4. Solution Big Data Extensions 2.0.0 ---------------------------- Downloads and Documentation: https://www.vmware.com/go/download-bde ESXi 5.5, 5.1 and 5.0 ---------------------------- Download: https://www.vmware.com/patchmgr/findPatch.portal Horizon Mirage Edge Gateway 4.4.3 --------------------------------- Downloads and Documentation: https://www.vmware.com/go/download-horizon-mirage vCD 5.5.1.2 ---------------------------- Downloads and Documentation: https://www.vmware.com/go/download/vcloud-director vCenter Server 5.5u1b, 5.1u2a, 5.0u3a ------------------------------------ Downloads and Documentation: https://www.vmware.com/go/download-vsphere vCSA 5.5u1b, 5.1u2a and 5.0u3a ---------------------------- Downloads and Documentation: https://www.vmware.com/go/download-vsphere Update Manager 5.5u1b ---------------------------- Downloads and Documentation: https://www.vmware.com/go/download-vsphere VDDK 5.x ---------------------------- Downloads and Documentation: https://www.vmware.com/support/developer/vddk vCenter Configuration Manager (VCM) 5 ---------------------------- Downloads and Documentation: https://www.vmware.com/go/download_vcm vCenter Operations Manager 5.8 and 5.7.3 ---------------------------- Downloads and Documentation: https://www.vmware.com/go/download-vsphere-ops-mgr OVF Tool 3.5.2 -------------- Download: https://www.vmware.com/support/developer/ovf/ vCenter Converter Standalone 5.5.2 ----------------------------------- Downloads and Documentation: https://www.vmware.com/go/download-converter Horizon View 5 ---------------------------- Downloads and Documentation: https://www.vmware.com/go/downloadview Horizon View 5.3 Feature Pack 3 ----------------------------------- Downloads and Documentation: https://www.vmware.com/go/downloadview Horizon Workspace Server 1.5 and 1.8.x ---------------------------- Release Notes and download: http://kb.vmware.com/kb/2082181 Workstation ---------------------- https://www.vmware.com/go/downloadworkstation Fusion ------------------ https://www.vmware.com/go/downloadfusion VMware Player ------------------ https://www.vmware.com/go/downloadplayer vCenter Server 5.1 Update 2a ---------------------------------------------------- Download link: https://my.vmware.com/web/vmware/info/slug/datacenter_cloud_infrastructure/ vmware_vsphere/5_1 vCenter Server 5.0 Update 3a ---------------------------------------------------- Download link: https://my.vmware.com/web/vmware/info/slug/datacenter_cloud_infrastructure/ vmware_vsphere/5_0 vCloud Networking and Security 5.5.2.1 ------------------------------------ Download https://my.vmware.com/web/vmware/details?downloadGroup=VCNS552_GA&productId =353&rPId=5255 vCloud Networking and Security 5.1.4.1 ------------------------------------ Download: https://my.vmware.com/web/vmware/details?downloadGroup=VCNS514_GA&productId =285&rPId=5131 NSX for Multi-Hypervisor, NSX for vSphere and NVP ------------------------------------------------- Remediation Instructions and Download, available under support: http://www.vmware.com/products/nsx vCD 5.5.1.2 and vCD 5.1.3.1 --------------------------- Download link: https://www.vmware.com/go/download-vcd-ns VMware vCenter Chargeback Manager --------------------------------- Download link: https://www.vmware.com/go/download-chargeback Converter Standalone 5.1.1 --------------------------- Download link: https://www.vmware.com/go/download-converter vCenter Support Assistant -------------------------- Downloads: https://www.vmware.com/go/download-vsphere Pivotal Web Server 5.4.1 ------------------------ https://my.vmware.com/web/vmware/details?downloadGroup=VF_530_PVTL_WSVR_541 &productId=335&rPId=6214 vCloud Automation Center -------------------------- Downloads: https://www.vmware.com/go/download-vcac vCenter Site Recovery Manager 5.5.1.1 ------------------------------------- Remediation Instructions and Download: http://kb.vmware.com/kb/2081861 vCenter Site Recovery Manager 5.1.2.1 ------------------------------------- Remediation Instructions and Download: http://kb.vmware.com/kb/2081860 vCenter Site Recovery Manager 5.0.3.2 ------------------------------------- Remediation Instructions and Download: http://kb.vmware.com/kb/2081859 vSphere Replication 5.5.1.1 --------------------------- Remediation Instructions and Download: http://kb.vmware.com/kb/2082666 5. References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0198 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-5298 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3470 https://www.openssl.org/news/secadv_20140605.txt http://www.gopivotal.com/security/cve-2014-0224 VMware Knowledge Base Article 2082132 http://kb.vmware.com/kb/2082132 - ----------------------------------------------------------------------- 6. Change Log 2014-06-10 VMSA-2014-0006 Initial security advisory in conjunction with the release of ESXi 5.5 updates on 2014-06-10 2014-06-12 VMSA-2014-0006.1 Updated security advisory in conjunction with the release of Big Data Extensions 2.0.0, Horizon Mirage Edge Gateway 4.4.3, vCD 5.5.1.2, vCenter Server 5.5u1b, vCSA 5.5u1b, and Update Manager 5.5u1b on 2014-06-12 2014-06-17 VMSA-2014-0006.2 Updated security advisory in conjunction with the release of ESXi 5.1 updates, VDDK 5.5.2, 5.1.3, and 5.0.4 on 2014-06-17 2014-06-24 VMSA-2014-0006.3 Updated security advisory in conjunction with the release of Horizon View 5.3.2, Horizon View 5.3 Feature Pack 3, vCenter Configuration Manager 5.7.2, vCenter Converter Standalone 5.5.2, vCenter Operations Manager 5.8.2, OVF Tool 5.3.2 on 2014-06-24 2014-07-01 VMSA-2014-0006.4 Updated security advisory in conjunction with the release of ESX 5.0 patches, Workstation 10.0.3, Player 6.0.3, Fusion 6.0.4, Horizon Workspace Server 1.5.x and 1.8.x updates, vCD 5.1.3.1, vCenter Server 5.1 update 2a and 5.0 update 3a, vCSA 5.1 update 2a and 5.0 update 3a, Converter Standalone 5.1.1, vCenter Chargeback Manager 2.6.0.1, vCloud Networking and Security 5.5.2.1 and 5.1.4.1, NSX for Multi-Hypervisor 4.1.3, NSX for Multi-Hypervisor 4.0.4, NVP 3.2.3 and NSX 6.0.5 for vSphere on 2014-07-01 2014-07-03 VMSA-2014-0006.5 Updated security advisory in conjunction with the release of Workstation 9.0.4, Player 5.0.4, Fusion 5.0.5, vCenter Support Assistant 5.5.1.1, on 2014-07-03 2014-07-08 VMSA-2014-0006.6 Updated security advisory in conjunction with the release of vSphere PowerCLI 5.x on 2014-07-04 and Pivotal Web Server 5.4.1 on 2014-07-08 2014-07-10 VMSA-2014-0006.7 Updated security advisory in conjunction with the release of vCloud Automation Center 6.0.1.2 and vCenter Operations Manager 5.7.3 on 2014-07-10 2014-07-18 VMSA-2014-0006.8 Updated security advisory in conjunction with the release of patches for vCenter Site Recovery Manager 5.5.1.1 and vSphere Replication 5.5.1.1 on 2014-07-17 2014-07-22 VMSA-2014-0006.8 Updated security advisory in conjunction with the release of patches for vCenter Site Recovery Manager 5.1.2.1 and 5.0.3.2 on 2014-07-22 - ----------------------------------------------------------------------- 7. Contact E-mail list for product security notifications and announcements: http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce This Security Advisory is posted to the following lists: security-announce at lists.vmware.com bugtraq at securityfocus.com fulldisclosure at seclists.org E-mail: security at vmware.com PGP key at: http://kb.vmware.com/kb/1055 VMware Security Advisories http://www.vmware.com/security/advisories VMware Security Response Policy https://www.vmware.com/support/policies/security_response.html VMware Lifecycle Support Phases https://www.vmware.com/support/policies/lifecycle.html Twitter https://twitter.com/VMwareSRC Copyright 2014 VMware Inc. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: Encryption Desktop 10.3.0 (Build 8741) Charset: utf-8 wj8DBQFTzpZcDEcm8Vbi9kMRAga+AKCzEY/Ut+tN3qGTilKf5KslUPO6aQCfXuRp /7HxhovpiO8xURBCf/uu8EI= =YjIJ -----END PGP SIGNATURE-----
UPDATED : VMSA-2014-0006.9 VMware product updates address OpenSSL security vulnerabilities
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ----------------------------------------------------------------------- VMware Security Advisory Advisory ID: VMSA-2014-0006.9 Synopsis: VMware product updates address OpenSSL security vulnerabilities Issue date: 2014-06-10 Updated on: 2014-07-22 CVE numbers: CVE-2014-0224, CVE-2014-0198, CVE-2010-5298, and CVE-2014-3470 - ----------------------------------------------------------------------- 1. Summary VMware product updates address OpenSSL security vulnerabilities. 2. Relevant Releases Big Data Extensions prior to 2.0.0 ESXi 5.5 without patch ESXi550-201406401-SG ESXi 5.1 without patch ESXi510-201406401-SG ESXi 5.0 without patch ESXi500-201407401-SG Workstation 10.x prior to 10.0.3 Workstation 9.x prior to 9.0.4 Player 6.x prior to 6.0.3 Player 5.x prior to 5.0.4 Fusion 6.x prior to 6.0.4 Fusion 5.x prior to 5.0.5 Horizon Mirage Edge Gateway prior to 4.4.3 Horizon View prior to 5.3.2 Horizon View 5.3 Feature Pack X prior to Feature Pack 3 Horizon Workspace Server 1.5.x without patch horizon-nginx-rpm- 1.5.0.0-1876270. x86_64.rpm Horizon Workspace Server 1.8.x without patch horizon-nginx-rpm- 1.8.2.1820-1876338. x86_64.rpm Horizon View Clients prior to 3.0 vCD 5.5.x prior to 5.5.1.2 vCD 5.1.x prior to 5.1.3.1 vCenter prior to 5.5u1b vCenter prior to 5.1 U2a vCenter prior to 5.0U3a vCenter Support Assistant prior to 5.5.1.1 vCloud Automation Center prior to 6.0.1.2 vCenter Configuration Manager prior to 5.7.2 vCenter Converter Standalone prior to 5.5.2 Converter Standalone prior to 5.1.1 vCenter Operations Manager prior to 5.8.2 vCenter Operations Manager prior to 5.7.3 vCenter Chargeback Manager 2.6 prior to 2.6.0.1 vCloud Networking and Security prior to 5.5.2.1 vCloud Networking and Security prior to 5.1.4.1 vSphere PowerCLI 5.x vCSA prior to 5.5u1b vCSA prior to 5.1u2a vCSA prior to 5.0u3a OVF Tool prior to 5.3.2 Update Manager prior to 5.5u1b VDDK prior to 5.5.2 VDDK prior to 5.1.3 VDDK prior to 5.0.4 NSX for Multi-Hypervisor 4.1.x prior to 4.1.3 NSX for Multi-Hypervisor 4.0.x prior to 4.0.4 NVP 3.0.x prior to 3.2.3 NSX 6.0.x for vSphere prior to 6.0.5 vFabric Web Server 5.x Pivotal Web Server prior to 5.4.1 vCenter Site Recovery Manager prior to 5.5.1.1 vCenter Site Recovery Manager prior to 5.1.2.1 vCenter Site Recovery Manager prior to 5.0.3.2 vSphere Replication prior to 5.5.1.1 3. Problem Description a. OpenSSL update for multiple products. OpenSSL libraries have been updated in multiple products to versions 0.9.8za and 1.0.1h in order to resolve multiple security issues. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2014-0224, CVE-2014-0198, CVE-2010-5298, CVE-2014-3470, CVE-2014-0221 and CVE-2014-0195 to these issues. The most important of these issues is CVE-2014-0224. CVE-2014-0198, CVE-2010-5298 and CVE-2014-3470 are considered to be of moderate severity. Exploitation is highly unlikely or is mitigated due to the application configuration. CVE-2014-0221 and CVE-2014-0195, which are listed in the OpenSSL Security Advisory (see Reference section below), do not affect any VMware products. CVE-2014-0224 may lead to a Man-in-the-Middle attack if a server is running a vulnerable version of OpenSSL 1.0.1 and clients are running a vulnerable version of OpenSSL 0.9.8 or 1.0.1. Updating the server will mitigate this issue for both the server and all affected clients. CVE-2014-0224 may affect products differently depending on whether the product is acting as a client or a server and of which version of OpenSSL the product is using. For readability the affected products have been split into 3 tables below, based on the different client-server configurations and deployment scenarios. MITIGATIONS Clients that communicate with a patched or non-vulnerable server are not vulnerable to CVE-2014-0224. Applying these patches to affected servers will mitigate the affected clients (See Table 1 below). Clients that communicate over untrusted networks such as public Wi-Fi and communicate to a server running a vulnerable version of OpenSSL 1.0.1. can be mitigated by using a secure network such as VPN (see Table 2 below). Clients and servers that are deployed on an isolated network are less exposed to CVE-2014-0224 (see Table 3 below). The affected products are typically deployed to communicate over the management network. RECOMMENDATIONS VMware recommends customers evaluate and deploy patches for affected Servers in Table 1 below as these patches become available. Patching these servers will remove the ability to exploit the vulnerability described in CVE-2014-0224 on both clients and servers. VMware recommends customers consider applying patches to products listed in Table 2 & 3 as required. Column 4 of the following tables lists the action required to remediate the vulnerability in each release, if a solution is available. Table 1 ======= Affected servers running a vulnerable version of OpenSSL 1.0.1. VMware Product Running Replace with/ Product Version on Apply Patch ============== ======= ======= ============= ESXi 5.5 ESXi ESXi550- 201406401-SG Big Data Extensions 1.1 2.0.0 vCenter Chargeback Manager 2.6 2.6.0.1 Horizon Workspace Server 1.5.x horizon-nginx- rpm-1.5.0.0- 1876270. x86_64.rpm Horizon Workspace Server 1.8.x horizon-nginx- rpm-1.8.2.1820- 1876338. x86_64.rpm Horizon Mirage Edge Gateway 4.4.x 4.4.3 Horizon View 5.x 5.3.2 Horizon View Feature Pack 5.x 5.3 FP3 NSX for Multi-Hypervisor 4.1.2 4.1.3 NSX for Multi-Hypervisor 4.0.3 4.0.4 NSX for vSphere 6.0.4 6.0.5 NVP 3.2.2 3.2.3 vCloud Networking and Security 5.5.2 5.5.2.1 vCloud Networking and Security 5.1.4 5.1.4.1 Pivotal Web Server 5.4 5.4.1 vFabric Web Server 5.x Pivotal Web Server 5.4.1 Table 2 ======== Affected clients running a vulnerable version of OpenSSL 0.9.8 or 1.0.1 and communicating over an untrusted network. VMware Product Running Replace with/ Product Version on Apply Patch ============== ======= ======= ============= vCSA 5.5 5.5u1b vCSA 5.1 5.1u2a vCSA 5.0 5.0u3a ESXi 5.1 ESXi ESXi510- 201406401-SG ESXi 5.0 ESXi ESXi500- 201407401-SG Workstation 10.x any 10.0.3 Workstation 9.x any 9.0.4 Fusion 6.x OSX 6.0.4 Fusion 5.x OSX 5.0.5 Player 6.x any 6.0.3 Player 5.x any 5.0.4 vCenter Chargeback Manager 2.5.x 2.6.0.1 Horizon Workspace Client 1.x OSX 1.8.2 Horizon Workspace Client 1.x Windows 1.8.2 Horizon View Client 2.x Android 3.0 Horizon View Client 2.x iOS 3.0 Horizon View Client 2.x OSX 3.0 Horizon View Client 2.x Windows 3.0 Horizon View Client 2.x WinStore 3.0 OVF Tool 3.5.1 3.5.2 OVF Tool 3.0.1 3.5.2 vCenter Operations Manager 5.8.x 5.8.2 vCenter Operations Manager 5.7.x 5.7.3 vCenter Support Assistant 5.5.1 5.5.1.1 vCD 5.5.1.x 5.5.1.2 vCD 5.1.x 5.1.3.1 vCenter Site Recovery Manager 5.5.x 5.5.1.1 vCenter Site Recovery Manager 5.1.x 5.1.2.1 vCenter Site Recovery Manager 5.0.3.x 5.0.3.2 vSphere Client 5.5 Windows 5.5u1b vSphere Client 5.1 Windows 5.1u2a vSphere Client 5.0 Windows 5.0u3a Table 3 ======= The following table lists all affected clients running a vulnerable version of OpenSSL 0.9.8 or 1.0.1 and communicating over a trusted or isolated network. VMware Product Running Replace with/ Product Version on Apply Patch ============== ======= ======= ============= vCenter Server 5.5 any 5.5u1b vCenter Server 5.1 any 5.1u2a vCenter Server 5.0 any 5.0u3a Update Manager 5.5 Windows 5.5u1b vCenter Configuration Manager (VCM) 5.6 5.7.2 ITBM Standard 1.0.1 patch pending ITBM Standard 1.0 patch pending Studio 2.6.0.0 patch pending Usage Meter 3.3 patch pending vCenter Converter Standalone 5.5 5.5.2 vCenter Converter Standalone 5.1 5.1.1 vCloud Application Director 6.0.x patch pending vFabric Application Director 5.2.0 patch pending vFabric Application Director 5.0.0 patch pending vCloud Automation Center 6.0.x 6.0.1.2 VIX API 1.12 patch pending vMA (Management Assistant) 5.1.0.1 patch pending vSphere PowerCLI 5.x See VMware KB 2082132 vSphere Data Protection 5.5.6 patch pending vSphere Data Protection 5.1.11 patch pending vSphere Replication 5.5.1 5.5.1.1 vSphere Replication 5.6 patch pending vSphere SDK for Perl 5.5 patch pending VDDK 5.5.x 5.5.2 VDDK 5.1.x 5.1.3 VDDK 5.0.x 5.0.4 4. Solution Big Data Extensions 2.0.0 ---------------------------- Downloads and Documentation: https://www.vmware.com/go/download-bde ESXi 5.5, 5.1 and 5.0 ---------------------------- Download: https://www.vmware.com/patchmgr/findPatch.portal Horizon Mirage Edge Gateway 4.4.3 --------------------------------- Downloads and Documentation: https://www.vmware.com/go/download-horizon-mirage vCD 5.5.1.2 ---------------------------- Downloads and Documentation: https://www.vmware.com/go/download/vcloud-director vCenter Server 5.5u1b, 5.1u2a, 5.0u3a ------------------------------------ Downloads and Documentation: https://www.vmware.com/go/download-vsphere vCSA 5.5u1b, 5.1u2a and 5.0u3a ---------------------------- Downloads and Documentation: https://www.vmware.com/go/download-vsphere Update Manager 5.5u1b ---------------------------- Downloads and Documentation: https://www.vmware.com/go/download-vsphere VDDK 5.x ---------------------------- Downloads and Documentation: https://www.vmware.com/support/developer/vddk vCenter Configuration Manager (VCM) 5 ---------------------------- Downloads and Documentation: https://www.vmware.com/go/download_vcm vCenter Operations Manager 5.8 and 5.7.3 ---------------------------- Downloads and Documentation: https://www.vmware.com/go/download-vsphere-ops-mgr OVF Tool 3.5.2 -------------- Download: https://www.vmware.com/support/developer/ovf/ vCenter Converter Standalone 5.5.2 ----------------------------------- Downloads and Documentation: https://www.vmware.com/go/download-converter Horizon View 5 ---------------------------- Downloads and Documentation: https://www.vmware.com/go/downloadview Horizon View 5.3 Feature Pack 3 ----------------------------------- Downloads and Documentation: https://www.vmware.com/go/downloadview Horizon Workspace Server 1.5 and 1.8.x ---------------------------- Release Notes and download: http://kb.vmware.com/kb/2082181 Workstation ---------------------- https://www.vmware.com/go/downloadworkstation Fusion ------------------ https://www.vmware.com/go/downloadfusion VMware Player ------------------ https://www.vmware.com/go/downloadplayer vCenter Server 5.1 Update 2a ---------------------------------------------------- Download link: https://my.vmware.com/web/vmware/info/slug/datacenter_cloud_infrastructure/ vmware_vsphere/5_1 vCenter Server 5.0 Update 3a ---------------------------------------------------- Download link: https://my.vmware.com/web/vmware/info/slug/datacenter_cloud_infrastructure/ vmware_vsphere/5_0 vCloud Networking and Security 5.5.2.1 ------------------------------------ Download https://my.vmware.com/web/vmware/details?downloadGroup=VCNS552_GA&productId =353&rPId=5255 vCloud Networking and Security 5.1.4.1 ------------------------------------ Download: https://my.vmware.com/web/vmware/details?downloadGroup=VCNS514_GA&productId =285&rPId=5131 NSX for Multi-Hypervisor, NSX for vSphere and NVP ------------------------------------------------- Remediation Instructions and Download, available under support: http://www.vmware.com/products/nsx vCD 5.5.1.2 and vCD 5.1.3.1 --------------------------- Download link: https://www.vmware.com/go/download-vcd-ns VMware vCenter Chargeback Manager --------------------------------- Download link: https://www.vmware.com/go/download-chargeback Converter Standalone 5.1.1 --------------------------- Download link: https://www.vmware.com/go/download-converter vCenter Support Assistant -------------------------- Downloads: https://www.vmware.com/go/download-vsphere Pivotal Web Server 5.4.1 ------------------------ https://my.vmware.com/web/vmware/details?downloadGroup=VF_530_PVTL_WSVR_541 &productId=335&rPId=6214 vCloud Automation Center -------------------------- Downloads: https://www.vmware.com/go/download-vcac vCenter Site Recovery Manager 5.5.1.1 ------------------------------------- Remediation Instructions and Download: http://kb.vmware.com/kb/2081861 vCenter Site Recovery Manager 5.1.2.1 ------------------------------------- Remediation Instructions and Download: http://kb.vmware.com/kb/2081860 vCenter Site Recovery Manager 5.0.3.2 ------------------------------------- Remediation Instructions and Download: http://kb.vmware.com/kb/2081859 vSphere Replication 5.5.1.1 --------------------------- Remediation Instructions and Download: http://kb.vmware.com/kb/2082666 5. References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0198 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-5298 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3470 https://www.openssl.org/news/secadv_20140605.txt http://www.gopivotal.com/security/cve-2014-0224 VMware Knowledge Base Article 2082132 http://kb.vmware.com/kb/2082132 - ----------------------------------------------------------------------- 6. Change Log 2014-06-10 VMSA-2014-0006 Initial security advisory in conjunction with the release of ESXi 5.5 updates on 2014-06-10 2014-06-12 VMSA-2014-0006.1 Updated security advisory in conjunction with the release of Big Data Extensions 2.0.0, Horizon Mirage Edge Gateway 4.4.3, vCD 5.5.1.2, vCenter Server 5.5u1b, vCSA 5.5u1b, and Update Manager 5.5u1b on 2014-06-12 2014-06-17 VMSA-2014-0006.2 Updated security advisory in conjunction with the release of ESXi 5.1 updates, VDDK 5.5.2, 5.1.3, and 5.0.4 on 2014-06-17 2014-06-24 VMSA-2014-0006.3 Updated security advisory in conjunction with the release of Horizon View 5.3.2, Horizon View 5.3 Feature Pack 3, vCenter Configuration Manager 5.7.2, vCenter Converter Standalone 5.5.2, vCenter Operations Manager 5.8.2, OVF Tool 5.3.2 on 2014-06-24 2014-07-01 VMSA-2014-0006.4 Updated security advisory in conjunction with the release of ESX 5.0 patches, Workstation 10.0.3, Player 6.0.3, Fusion 6.0.4, Horizon Workspace Server 1.5.x and 1.8.x updates, vCD 5.1.3.1, vCenter Server 5.1 update 2a and 5.0 update 3a, vCSA 5.1 update 2a and 5.0 update 3a, Converter Standalone 5.1.1, vCenter Chargeback Manager 2.6.0.1, vCloud Networking and Security 5.5.2.1 and 5.1.4.1, NSX for Multi-Hypervisor 4.1.3, NSX for Multi-Hypervisor 4.0.4, NVP 3.2.3 and NSX 6.0.5 for vSphere on 2014-07-01 2014-07-03 VMSA-2014-0006.5 Updated security advisory in conjunction with the release of Workstation 9.0.4, Player 5.0.4, Fusion 5.0.5, vCenter Support Assistant 5.5.1.1, on 2014-07-03 2014-07-08 VMSA-2014-0006.6 Updated security advisory in conjunction with the release of vSphere PowerCLI 5.x on 2014-07-04 and Pivotal Web Server 5.4.1 on 2014-07-08 2014-07-10 VMSA-2014-0006.7 Updated security advisory in conjunction with the release of vCloud Automation Center 6.0.1.2 and vCenter Operations Manager 5.7.3 on 2014-07-10 2014-07-18 VMSA-2014-0006.8 Updated security advisory in conjunction with the release of patches for vCenter Site Recovery Manager 5.5.1.1 and vSphere Replication 5.5.1.1 on 2014-07-17 2014-07-22 VMSA-2014-0006.8 Updated security advisory in conjunction with the release of patches for vCenter Site Recovery Manager 5.1.2.1 and 5.0.3.2 on 2014-07-22 - ----------------------------------------------------------------------- 7. Contact E-mail list for product security notifications and announcements: http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce This Security Advisory is posted to the following lists: security-announce at lists.vmware.com bugtraq at securityfocus.com fulldisclosure at seclists.org E-mail: security at vmware.com PGP key at: http://kb.vmware.com/kb/1055 VMware Security Advisories http://www.vmware.com/security/advisories VMware Security Response Policy https://www.vmware.com/support/policies/security_response.html VMware Lifecycle Support Phases https://www.vmware.com/support/policies/lifecycle.html Twitter https://twitter.com/VMwareSRC Copyright 2014 VMware Inc. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: Encryption Desktop 10.3.0 (Build 8741) Charset: utf-8 wj8DBQFTzpZcDEcm8Vbi9kMRAga+AKCzEY/Ut+tN3qGTilKf5KslUPO6aQCfXuRp /7HxhovpiO8xURBCf/uu8EI= =YjIJ -----END PGP SIGNATURE-----
UPDATED VMSA-2014-0007.1 – VMware product updates address security vulnerabilities in Apache Struts library
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------------ VMware Security Advisory Advisory ID: VMSA-2014-0007.1 Synopsis: VMware product updates address security vulnerabilities in Apache Struts library Issue date: 2014-06-24 Updated on: 2014-07-11 CVE number: CVE-2014-0050, CVE-2014-0094, CVE-2014-0112 - ------------------------------------------------------------------------ 1. Summary VMware product updates address security vulnerabilities in Apache Struts library 2. Relevant releases VMware vCenter Operations Management Suite prior to 5.8.2 VMware vCenter Operations Management Suite prior to 5.7.3 3. Problem Description a. The Apache Struts library is updated to version 2.3.16.2 to address multiple security issues. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2014-0050, CVE-2014-0094, and CVE-2014-0112 to these issues. CVE-2014-0112 may lead to remote code execution. This issue was found to be only partially addressed in CVE-2014-0094. CVE-2014-0050 may lead to a denial of service condition. vCenter Operations Management Suite (vCOps) is affected by both CVE-2014-0112 and CVE-2014-0050. Exploitation of CVE-2014-0112 may lead to remote code execution without authentication. vCenter Orchestrator (vCO) is affected by CVE-2014-0050 and not by CVE-2014-0112. Workaround A workaround for CVE-2014-0112 is documented in VMware Knowledge Base article 2081470. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======= ======= ================= vCOPS 5.8.x any vCOPS 5.8.2 vCOPS 5.7.x any vCOPS 5.7.3 vCO 5.5 any patch pending vCO 5.1 any patch pending vCO 4.2 any patch pending 4. Solution Please review the patch/release notes for your product and version and verify the checksum of your downloaded file. vCenter Operations Management Suite 5.8.2 and 5.7.3 --------------------------------------------------- Downloads and Documentation: https://www.vmware.com/go/download-vcops 5. References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0050 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0094 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0112 http://kb.vmware.com/kb/2081470 - ------------------------------------------------------------------------ 6. Change log 2014-06-24 VMSA-2014-0007 Initial security advisory in conjunction with the release of vCenter Operations Management Suite 5.8.2 on 2014-06-24. 2014-07-11 VMSA-2014-0007.1 Updated security advisory in conjunction with the release of vCenter Operations Management Suite 5.7.3 on 2014-07-10. - ------------------------------------------------------------------------ 7. Contact E-mail list for product security notifications and announcements: http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce This Security Advisory is posted to the following lists: security-announce at lists.vmware.com bugtraq at securityfocus.com fulldisclosure at seclists.org E-mail: security at vmware.com PGP key at: http://kb.vmware.com/kb/1055 VMware Security Advisories http://www.vmware.com/security/advisories VMware Security Response Policy https://www.vmware.com/support/policies/security_response.html VMware Lifecycle Support Phases https://www.vmware.com/support/policies/lifecycle.html Twitter https://twitter.com/VMwareSRC Copyright 2014 VMware Inc. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: Encryption Desktop 10.3.2 (Build 15337) Charset: utf-8 wj8DBQFTwA1hDEcm8Vbi9kMRAjniAKDI6G/93Kzr9rYuXIs6EiIvoz2e6gCg44sD JkL4twZx7tZJ/vFjjkNikfs= =nQJG -----END PGP SIGNATURE----- _______________________________________________ Security-announce mailing list Security-announce-xEzmwC/hc7si8rCdYzckzA< at >public.gmane.org http://lists.vmware.com/mailman/listinfo/security-announce
UPDATED VMSA-2014-0007.1 – VMware product updates address security vulnerabilities in Apache Struts library
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------------ VMware Security Advisory Advisory ID: VMSA-2014-0007.1 Synopsis: VMware product updates address security vulnerabilities in Apache Struts library Issue date: 2014-06-24 Updated on: 2014-07-11 CVE number: CVE-2014-0050, CVE-2014-0094, CVE-2014-0112 - ------------------------------------------------------------------------ 1. Summary VMware product updates address security vulnerabilities in Apache Struts library 2. Relevant releases VMware vCenter Operations Management Suite prior to 5.8.2 VMware vCenter Operations Management Suite prior to 5.7.3 3. Problem Description a. The Apache Struts library is updated to version 2.3.16.2 to address multiple security issues. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2014-0050, CVE-2014-0094, and CVE-2014-0112 to these issues. CVE-2014-0112 may lead to remote code execution. This issue was found to be only partially addressed in CVE-2014-0094. CVE-2014-0050 may lead to a denial of service condition. vCenter Operations Management Suite (vCOps) is affected by both CVE-2014-0112 and CVE-2014-0050. Exploitation of CVE-2014-0112 may lead to remote code execution without authentication. vCenter Orchestrator (vCO) is affected by CVE-2014-0050 and not by CVE-2014-0112. Workaround A workaround for CVE-2014-0112 is documented in VMware Knowledge Base article 2081470. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======= ======= ================= vCOPS 5.8.x any vCOPS 5.8.2 vCOPS 5.7.x any vCOPS 5.7.3 vCO 5.5 any patch pending vCO 5.1 any patch pending vCO 4.2 any patch pending 4. Solution Please review the patch/release notes for your product and version and verify the checksum of your downloaded file. vCenter Operations Management Suite 5.8.2 and 5.7.3 --------------------------------------------------- Downloads and Documentation: https://www.vmware.com/go/download-vcops 5. References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0050 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0094 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0112 http://kb.vmware.com/kb/2081470 - ------------------------------------------------------------------------ 6. Change log 2014-06-24 VMSA-2014-0007 Initial security advisory in conjunction with the release of vCenter Operations Management Suite 5.8.2 on 2014-06-24. 2014-07-11 VMSA-2014-0007.1 Updated security advisory in conjunction with the release of vCenter Operations Management Suite 5.7.3 on 2014-07-10. - ------------------------------------------------------------------------ 7. Contact E-mail list for product security notifications and announcements: http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce This Security Advisory is posted to the following lists: security-announce at lists.vmware.com bugtraq at securityfocus.com fulldisclosure at seclists.org E-mail: security at vmware.com PGP key at: http://kb.vmware.com/kb/1055 VMware Security Advisories http://www.vmware.com/security/advisories VMware Security Response Policy https://www.vmware.com/support/policies/security_response.html VMware Lifecycle Support Phases https://www.vmware.com/support/policies/lifecycle.html Twitter https://twitter.com/VMwareSRC Copyright 2014 VMware Inc. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: Encryption Desktop 10.3.2 (Build 15337) Charset: utf-8 wj8DBQFTwA1hDEcm8Vbi9kMRAjniAKDI6G/93Kzr9rYuXIs6EiIvoz2e6gCg44sD JkL4twZx7tZJ/vFjjkNikfs= =nQJG -----END PGP SIGNATURE----- _______________________________________________ Security-announce mailing list Security-announce-xEzmwC/hc7si8rCdYzckzA< at >public.gmane.org http://lists.vmware.com/mailman/listinfo/security-announce