NEW VMSA-2016-0009 VMware vCenter Server updates address an important reflective cross-site scripting issue

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -----------------------------------------------------------------------
VMware Security Advisory

Advisory ID: VMSA-2016-0009
Synopsis:    VMware vCenter Server updates address an important
             reflective cross-site scripting issue
Issue date:  2016-06-14
Updated on:  2016-06-14 (Initial Advisory)
CVE number:  CVE-2015-6931
- ------------------------------------------------------------------------

1. Summary

   VMware vCenter Server updates address an important reflective
   cross-site scripting issue.

2. Relevant Releases

   vCenter Server 5.5 prior to 5.5 update 2d
   vCenter Server 5.1 prior to 5.1 update 3d
   vCenter Server 5.0 prior to 5.0 update 3g


3. Problem Description

   a. Important vCenter Server reflected cross-site scripting issue

   The vSphere Web Client contains a reflected cross-site scripting
   vulnerability due to a lack of input sanitization. An attacker can
   exploit this issue by tricking a victim into clicking a malicious
   link.

   VMware would like to thank Matt Schmidt for reporting this issue to
   us.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the identifier CVE-2015-6931 to this issue.

   Column 4 of the following table lists the action required to
   remediate the vulnerability in each release, if a solution is
   available.

   VMware             Product    Running   Replace with/
   Product            Version    on        Apply Patch
   ==============     =======    =======   =============
   vCenter Server     6.0        Any       not affected
   vCenter Server     5.5        Any       5.5 U2d *
   vCenter Server     5.1        Any       5.1 U3d *
   vCenter Server     5.0        Any       5.0 U3g *

   * The client side component of the vSphere Web Client does not need
     to be updated to remediate CVE-2015-6931. Updating the vCenter
     Server is sufficient to remediate this issue.


4. Solution

   Please review the patch/release notes for your product and
   version and verify the checksum of your downloaded file.

   vCenter Server
   --------------
   Downloads and Documentation:
   https://www.vmware.com/go/download-vsphere


5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6931

- ------------------------------------------------------------------------

6. Change log

   2016-06-14 VMSA-2016-0009
   Initial security advisory in conjunction with the release of VMware
   vCenter Server 5.0 U3g on 2016-06-14.

- ------------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

   security-announce at lists.vmware.com
   bugtraq at securityfocus.com
   fulldisclosure at seclists.org

   E-mail: security at vmware.com
   PGP key at: https://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   Consolidated list of VMware Security Advisories
   http://kb.vmware.com/kb/2078735

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html

   Twitter
   https://twitter.com/VMwareSRC

   Copyright 2016 VMware Inc.  All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8

wj8DBQFXYODdDEcm8Vbi9kMRAhi/AJ45s8NycL/AbvIawr+DK0QhGq19QwCeIJha
/NW3n6JSlZk+zaj6w33ZLyI=
=CSDo
-----END PGP SIGNATURE-----

Leave a Reply