UPDATE : VMSA-2015-0003.2 – VMware product updates address critical information disclosure issue in JRE.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID: VMSA-2015-0003.2
Synopsis:    VMware product updates address critical information 
             disclosure issue in JRE.
Issue date:  2015-04-02
Updated on:  2015-04-13
CVE number:  CVE-2014-6593, for other CVEs see JRE reference 

- ------------------------------------------------------------------------

1. Summary

   VMware product updates address critical information disclosure 
   issue in JRE.
 
2. Relevant Releases

   Horizon View 6.x or 5.x
   Horizon Workspace Portal Server 2.1 or 2.0
   Horizon DaaS Platform 6.1.4 or 5.4.5
   vRealize Operations Manager 6.0
   vCenter Operations Manager 5.8.x or 5.7.x
   vRealize Application Services 6.2 or 6.1
   vCloud Application Director 6.0
   vRealize Automation 6.2 or 6.1
   vCloud Automation Center 6.0.1
   vSphere Replication prior to 5.8.0.2 or 5.6.0.3
   vRealize Automation 6.2.x or 6.1.x
   vRealize Code Stream 1.1 or 1.0
   vRealize Hyperic 5.8.x, 5.7.x or 5.0.x
   vSphere AppHA Prior to 1.1.x
   vCenter Chargeback Manager 2.7 or 2.6
   vRealize Business Adv/Ent 8.1 or 8.0
   vRealize Business Standard prior to 1.1.x or 1.0.x
   NSX for Multi-Hypervisor  prior to 4.2.4  
   vCloud Director prior to 5.5.3
   vCloud Director Service Providers prior to 5.6.4.1
   vRealize Configuration Manager 5.7.x or 5.6.x
   vRealize Infrastructure 5.8 or 5.7
   vRealize Log Insight 2.5, 2.0, 1.5 or 1.0

3. Problem Description 

   a. Oracle JRE Update

      Oracle JRE is updated in VMware products to address a 
      critical security issue that existed in earlier releases of
      Oracle JRE. 

      VMware products running JRE 1.7 Update 75 or newer and 
      JRE 1.6 Update 91 or newer are not vulnerable to CVE-2014-6593,
      as documented in the Oracle Java SE Critical Patch Update 
      Advisory of January 2015. 

      This advisory also includes the other security issues that 
      are addressed  in JRE 1.7 Update 75 and JRE 1.6 Update 91. The 
      References section provides a link to the JRE advisory.


      The Common Vulnerabilities and Exposures project (cve.mitre.org)
      has assigned the identifier CVE-2014-6593 to this issue.  This 
      issue is also known as "SKIP" or "SKIP-TLS". 

      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is 
      available.

      VMware                         Product    Running   Replace with/
      Product                        Version    on        Apply Patch**
      =============                  =======    =======   =================
      Horizon View                   6.x        any       6.1
      Horizon View                   5.x        any       5.3.4
      Horizon Workspace Portal       2.1 ,2.0   any       2.1.1
      Server 

      Horizon DaaS Platform          6.1        any       6.1.4
      Horizon DaaS Platform          6.0        any       patch pending
      Horizon DaaS Platform          5.4        any       5.4.5

      vCloud Networking and Security 5.5        any       patch pending*
      vCloud Connector               2.7        any       patch pending*
      vCloud Usage Meter             3.3        any       patch pending* 

      vCenter Site Recovery Manager  5.5.x      any       patch pending***
      vCenter Site Recovery Manager  5.1.x      any       patch pending***
      vCenter Site Recovery Manager  5.0.x      any       patch pending***

      vCenter Server                 6.0        any       patch pending
      vCenter Server                 5.5        any       patch pending
      vCenter Server                 5.1        any       patch pending
      vCenter Server                 5.0        any       patch pending

      vRealize Operations Manager    6.0        any       KB2112028
      vCenter Operations Manager     5.8.x      any       KB2111172
      vCenter Operations Manager     5.7.x      any       KB2111172

      vCenter Support Assistant      5.5.1.x    any       patch pending
   
      vRealize Application Services  6.2        any       KB2111981
      vRealize Application Services  6.1        any       KB2111981
      vCloud Application Director    6.0        any       KB2111981
      vCloud Application Director    5.2        any       KB2111981

      vRealize Automation            6.2        any       KB2111658
      vRealize Automation            6.1        any       KB2111658
      vCloud Automation Center       6.0.1      any       KB2111658
      vRealize Code Stream           1.1        any       KB2111658
      vRealize Code Stream           1.0        any       KB2111658

      vPostgres                      9.3.x      any       patch pending
      vPostgres                      9.2.x      any       patch pending
      vPostgres                      9.1.x      any       patch pending

      vSphere Replication            5.8.1      any       patch pending
      vSphere Replication            5.8.0      any       5.8.0.2
      vSphere Replication            5.6.0      any       5.6.0.3
      vSphere Replication            5.1        any       patch pending

      vSphere Storage Appliance      5.x        any       patch pending*
 
      vRealize Hyperic               5.8        any       KB2111337
      vRealize Hyperic               5.7        any       KB2111337
      vRealize Hyperic               5.0        any       KB2111337

      vSphere AppHA                  1.1        any       KB2111336
      vSphere Big Data Extensions    2.1        any       patch pending*
      vSphere Big Data Extensions    2.0        any       patch pending*

      vSphere Data Protection        6.0        any       patch pending*
      vSphere Data Protection        5.8        any       patch pending*
      vSphere Data Protection        5.5        any       patch pending*
      vSphere Data Protection        5.1        any       patch pending*

      vCenter Chargeback Manager     2.7        any       KB2112011*
      vCenter Chargeback Manager     2.6        any       KB2113178*

      vRealize Business Adv/Ent      8.1        any       KB2112258*
      vRealize Business Adv/Ent      8.0        any       KB2112258*

      vRealize Business Standard     6.0        any       KB2111802
      vRealize Business Standard     1.1        any       KB2111802
      vRealize Business Standard     1.0        any       KB2111802

      NSX for vSphere                6.1        any       patch pending*
      NSX for Multi-Hypervisor       4.2        any       4.2.4*
      vCloud Director                5.5.x      any       5.5.3*
      
      vCloud Director For            5.6.4      any       5.6.4.1*
      Service Providers   

      vCenter Application Discovery  7.0        any       patch pending*
      Manager

      vRealize Configuration Manager 5.7.x      any       KB2111670
      vRealize Configuration Manager 5.6        any       KB2111670

      vRealize Infrastructure        5.8        any       5.8.4
      Navigator  

      vRealize Infrastructure        5.7        any       KB2111334*
      Navigator              

      vRealize Orchestrator          6.0        any       patch pending*
      vRealize Orchestrator          5.2        any       patch pending*
      vRealize Orchestrator          5.1        any       patch pending*

      vShield                        5.5        any       patch pending*

      vRealize Log Insight           2.5        any       KB2113235*
      vRealize Log Insight           2.0        any       KB2113235*
      vRealize Log Insight           1.5        any       KB2113235*
      vRealize Log Insight           1.0        any       KB2113235*

      vSphere Management Assistant   5.x        any       patch pending 

      vSphere Update Manager         6.0        any       patch pending*
      vSphere Update Manager         5.5        any       patch pending*
      vSphere Update Manager         5.1        any       patch pending*
      vSphere Update Manager         5.0        any       patch pending*

      *   The severity of critical is lowered to important for this product
          as is not considered Internet facing

      **  Knowledge Base (KB) articles provides details of the patches and
          how to install them. 
 
      *** vCenter Site Recovery Manager 5.0, 5.1, and 5.5 itself do not 
          include JRE but they include the vSphere Replication appliance 
          which has JRE. vCenter Site Recovery 5.8 and 6.0 do not include 
          JRE nor the vSphere Replication appliance.
 
4. Solution

   Please review the patch/release notes for your product and
   version and verify the checksum of your downloaded file. 
   Horizon View 6.1, 5.3.4:
   ========================
   Downloads: 
  
https://my.vmware.com/web/vmware/details?downloadGroup=VIEW-610-GA&productI
d=492
  
https://my.vmware.com/web/vmware/details?downloadGroup=VIEW-534-PREMIER&pro
ductId=396

   VMware Workspace Portal 2.1.1
   =============================
   Download:
  
https://my.vmware.com/web/vmware/details?downloadGroup=HZNWS211&productId=5
01&rPId=7586
   Documentation:
  
https://www.vmware.com/support/horizon_workspace/doc/wp_release_notes_211.h
tml

   Horizon DaaS Platform 6.1.4
   ===========================
   Download:
https://my.vmware.com/web/vmware/details?downloadGroup=HORIZON-DAAS-610-BIN
&productId=405&rPId=6527

   Horizon DaaS Platform 5.4.5
   ===========================
   Download:
https://my.vmware.com/web/vmware/details?downloadGroup=HORIZON-DAAS-ONPREM-
540&productId=398&rPId=5214

   vRealize Operations Manager 6.0.1
   =================================
   Downloads and Documentation: http://kb.vmware.com/kb/2112028

   vRealize Application Services 6.2, 6.1
   ======================================
   Downloads and Documentation: http://kb.vmware.com/kb/2111981

   vCloud Application Director 6.0
   ======================================
   Downloads and Documentation: http://kb.vmware.com/kb/2111981

   vCloud Director for Service Providers 5.6.4.1
   =============================================
   Downloads and Documentation:
https://www.vmware.com/support/pubs/vcd_sp_pubs.html

   vCenter Operations Manager 6.0, 5.8.5, 5.7.4
   =======================================
   Downloads and Documentation: http://kb.vmware.com/kb/2111172

   vCloud Automation Center 6.0.1.2
   ================================
   Downloads and Documentation: http://kb.vmware.com/kb/2111685

   vSphere Replication 5.8.0.2, 5.6.0.3
   ====================================
   Downloads:
   https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5802   
   https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5603
   
   Documentation: 
   http://kb.vmware.com/kb/2112025
   http://kb.vmware.com/kb/2112022 

   vRealize Automation 6.2.1, 6.1.1
   ================================
   Downloads and Documentation: http://kb.vmware.com/kb/2111658

   vRealize Code Stream 1.1, 1.0
   =============================
   Downloads and Documentation: http://kb.vmware.com/kb/2111685

   vRealize Hyperic 5.8.4, 5.7.2, 5.0.3
   ====================================
   Downloads and Documentation: http://kb.vmware.com/kb/KB2111337

   vSphere AppHA 1.1.1
   ===================
   Downloads and Documentation: http://kb.vmware.com/kb/2111336

   vCenter Chargeback Manager 2.7
   ====================================
   Downloads and Documentation: http://kb.vmware.com/kb/2112011

   vCenter Chargeback Manager 2.6
   ====================================
   Downloads and Documentation: http://kb.vmware.com/kb/2113178

   vRealize Business Adv/Ent 8.1, 8.0
   ====================================
   Downloads and Documentation: http://kb.vmware.com/kb/2112258

   vRealize Business Standard 6.0, 1.1 , 1.0
   =======================================
   Downloads and Documentation: http://kb.vmware.com/kb/2111802

   vRealize Configuration Manager 5.7.3
   ===================================
   Downloads and Documentation: http://kb.vmware.com/kb/2111670

   vRealize Infrastructure Navigator 5.8.4
   =======================================
   Download:
  
https://my.vmware.com/web/vmware/details?downloadGroup=VIN_584&productId=47
6
 
   vRealize Infrastructure Navigator 5.7
   =====================================
   Downloads and Documentation: http://kb.vmware.com/kb/2111334

5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6593

   JRE 
   Oracle Java SE Critical Patch Update Advisory of January 2015
 
  
http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html

- ------------------------------------------------------------------------

6. Change log

   2015-04-02 VMSA-2015-0003
   Initial security advisory in conjunction with the release of VMware
   Horizon View 6.1, 5.3.4; vCenter Operations Manager 5.8.5;
   vCenter Operations Manager 5.7.4; vCloud Automation Center
   6.0.1.2; vSphere Replication 5.8.0.2, 5.6.0.3; vRealize 
   Automation 6.2.1, 6.1.1; vRealize Code Stream 1.1, 1.0;
   vRealize Hyperic 5.8.4, 5.7.2, 5.0.3; vSphere AppHA 1.1.1;
   vRealize Business Standard 1.1.1, 1.0.1; vRealize Configuration 
   Manager prior to 5.7.3; vRealize Infrastructure 5.7, 5.8.4 Patches 
   released on 2015-04-02.

   2015-04-09 VMSA-2015-0003.1
   Updated Security advisory in conjunction with the release of VMware
   Horizon DaaS Platform 6.1.4, 5.4.5; vRealize Operations Manager 6.0; 
   vRealize Application Services 6.2; vRealize Application Services 6.1;
   vCloud Application Director 6.0; vCenter Chargeback Manager 2.7, 2.6;
   vCloud Director For Service Providers 5.6.4.1;
   vRealize Log Insight 2.5, 2.0, 1.5, 1.0 Patches 
   released on 2015-04-09.

   2015-04-13 VMSA-2015-0003.2
   Updated Security advisory in conjunction with the release of
   vRealize Business Adv/Ent 8.1, 8.0 Patches released 
   on 2015-04-13.
- ------------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

    security-announce at lists.vmware.com
    bugtraq at securityfocus.com
    fulldisclosure at seclists.org

   E-mail: security at vmware.com
   PGP key at: http://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   Consolidated list of VMware Security Advisories
   http://kb.vmware.com/kb/2078735

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html
 
   Twitter
   https://twitter.com/VMwareSRC

   Copyright 2015 VMware Inc.  All rights reserved.


-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.3.0 (Build 8741)
Charset: utf-8

wj8DBQFVLBMgDEcm8Vbi9kMRAvaaAKDrax6e77WldoyNU0b+OEym+b1tfgCfamxh
gjaTHulE0WVOGNNLpjHZ4jk=
=L8TV
-----END PGP SIGNATURE-----

Leave a Reply