UPDATED VMSA-2015-0009.3 VMware product updates address a critical deserialization vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID: VMSA-2015-0009.3
Synopsis:    VMware product updates address a critical deserialization
             vulnerability
Issue date:  2015-12-18
Updated on:  2016-06-14
CVE number:  CVE-2015-6934

- ------------------------------------------------------------------------

1. Summary

   VMware product updates address a critical deserialization
   vulnerability

2. Relevant Releases

   vRealize Orchestrator 6.x
   vCenter Orchestrator 5.x
   vRealize Operations 6.x
   vRealize Infrastructure Navigator 5.8.x

3. Problem Description

   a. Deserialization vulnerability

   A deserialization vulnerability involving Apache Commons-collections
   and a specially constructed chain of classes exists. Successful
   exploitation could result in remote code execution, with the
   permissions of the application using the Commons-collections library.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the identifier CVE-2015-6934 to this issue.
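   The advisory describes the defect only in outline: an application that
   deserializes untrusted bytes with plain ObjectInputStream will instantiate
   whatever classes the stream names, and the Commons-collections gadget chain
   turns that into code execution. The following Java example is added here as
   an illustration of the mitigation pattern and is not VMware's code nor part
   of any product patch; the class names SafeDeserialization,
   SafeObjectInputStream and the ALLOWED set are hypothetical. It places the
   trusting reader beside a hardened one whose resolveClass() refuses any class
   descriptor not on an explicit allowlist, so a gadget class is never loaded.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Set;

/**
 * Added example (hypothetical names, not code from the advisory or from VMware).
 * Gadget chains only work if the reader instantiates arbitrary classes found in
 * the stream; an allowlist in resolveClass() stops the chain before any gadget
 * class is loaded.
 */
public class SafeDeserialization {

    /** Classes this reader may instantiate (a constructed, application-specific set). */
    private static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
            "java.util.ArrayList"
            // java.lang.String needs no entry: strings are written as TC_STRING,
            // so resolveClass() is never consulted for them.
    ));

    /** ObjectInputStream that refuses any class descriptor not on the allowlist. */
    static final class SafeObjectInputStream extends ObjectInputStream {
        SafeObjectInputStream(InputStream in) throws IOException {
            super(in);
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (!ALLOWED.contains(name)) {
                // Rejecting here means the named class is never loaded or constructed.
                throw new InvalidClassException(name, "class not on deserialization allowlist");
            }
            return super.resolveClass(desc);
        }
    }

    /** Vulnerable pattern: trusts every class descriptor in untrusted bytes. */
    static Object readUnsafe(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    /** Hardened pattern: same call, but class resolution is allowlisted. */
    static Object readSafe(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new SafeObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    /** Helper to produce constructed sample streams for the demonstration. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed input 1: an allowed type round-trips through both readers.
        byte[] allowed = serialize(new ArrayList<>(Arrays.asList("a", "b")));
        System.out.println("unsafe reader: " + readUnsafe(allowed));
        System.out.println("safe reader:   " + readSafe(allowed));

        // Constructed input 2: a type outside the allowlist. The unsafe reader
        // accepts it, just as it would accept a gadget chain; the safe reader
        // rejects it before instantiating anything.
        byte[] notAllowed = serialize(new HashMap<>(Collections.singletonMap("k", "v")));
        System.out.println("unsafe reader: " + readUnsafe(notAllowed));
        try {
            readSafe(notAllowed);
        } catch (InvalidClassException e) {
            System.out.println("safe reader rejected: " + e.getMessage());
        }
    }
}
```

   The same effect is available without subclassing on Java 9 and later, and
   on the 8u121 and later updates, through java.io.ObjectInputFilter or the
   jdk.serialFilter system property; either way, the allowlist is what denies
   the gadget chain its first class load, and the check must sit in every code
   path that reads serialized input.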

   Column 4 of the following table lists the action required to
   remediate the vulnerability in each release, if a solution is
   available.

   VMware                       Product   Running   Replace with/
   Product                      Version   on        Apply Patch
   =====================        =======   =======   =================
   vRealize Orchestrator        7.0       Any       Not Affected
   vRealize Orchestrator        6.x       Any       See KB2141244
   vCenter Orchestrator         5.x       Any       See KB2141244

   vRealize Operations          6.x       Windows   6.2 *
   vRealize Operations          6.x       Linux     Not Affected
   vCenter Operations           5.x       Any       Not Affected

   vCenter Application          7.x       Any       No patch planned *
   Discovery Manager (vADM)

   vRealize Infrastructure      5.8.x     Linux     5.8.5
   Navigator

   * Exploitation of the issue on vRealize Operations and vCenter
     Application Discovery Manager is limited to local privilege
     escalation.

4. Solution

   Please review the patch/release notes for your product and
   version and verify the checksum of your downloaded file.

   vRealize Orchestrator 6.x and
   vCenter Orchestrator 5.x
   Downloads and Documentation:
   http://kb.vmware.com/kb/2141244

   vRealize Operations 6.x
   Release Notes
   http://pubs.vmware.com/Release_Notes/en/vrops/62/vrops-62-release-notes.html

   vRealize Infrastructure Navigator 5.8.5
   Release Notes
   http://pubs.vmware.com/Release_Notes/en/vin/585/releasenotes-vin585.html


5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6934

- ------------------------------------------------------------------------

6. Change log

   2015-12-18 VMSA-2015-0009
   Initial security advisory in conjunction with the release of vRealize
   Orchestrator 6.x and vCenter Orchestrator 5.x patches on 2015-12-18.

   2016-01-29 VMSA-2015-0009.1
   Updated security advisory in conjunction with the release of vRealize
   Operations 6.2 on 2016-01-28. Added a note below the table in
   section 3.a that exploitation of this issue in vCenter Application
   Discovery Manager is limited to local privilege escalation.

   2016-03-15 VMSA-2015-0009.2
   Updated security advisory to reflect the release of vRealize
   Infrastructure Navigator 5.8.5, which addresses CVE-2015-6934.

   2016-06-14 VMSA-2015-0009.3
   Updated security advisory to reflect that vCenter Operations 5.x is 
   not affected (earlier versions of this advisory said “Patch
   Pending”). Added that no patch is planned for vCenter Application
   Discovery Manager.

- ------------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

    security-announce at lists.vmware.com
    bugtraq at securityfocus.com
    fulldisclosure at seclists.org

   E-mail: security at vmware.com
   PGP key at: http://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   Consolidated list of VMware Security Advisories
   http://kb.vmware.com/kb/2078735

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html

   Twitter
   https://twitter.com/VMwareSRC

   Copyright 2015 VMware Inc.  All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8

wj8DBQFXYOHhDEcm8Vbi9kMRAiL6AJ954G5q+cy2y3J6+tfv5DW+fwJ71QCfTXuy
3mud0ovsyCQIhMCfTOjs0Jg=
=r5lg
-----END PGP SIGNATURE-----
