-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
--------------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2016-0005.1
Synopsis: VMware product updates address critical and important
security issues
Issue date: 2016-05-17
Updated on: 2016-05-24
CVE number: CVE-2016-3427, CVE-2016-2077
- ------------------------------------------------------------------------
1. Summary
VMware product updates address critical and important
security issues.
2. Relevant Releases
vCenter Server 6.0 on Windows without workaround of KB 2145343
vCenter Server 6.0 on Linux (VCSA) prior to 6.0.0b
vCenter Server 5.5 prior to 5.5 U3d (on Windows), 5.5 U3 (VCSA)
vCenter Server 5.1 prior to 5.1 U3b
vCenter Server 5.0 prior to 5.0 U3e
vCloud Director prior to 8.0.1.1
vCloud Director prior to 5.6.5.1
vCloud Director prior to 5.5.6.1
vSphere Replication prior to 6.0.0.3
vSphere Replication prior to 5.8.1.2
vSphere Replication prior to 5.6.0.6
vRealize Operations Manager 6.x (non-appliance version)
VMware Workstation prior to 11.1.3
VMware Player prior to 7.1.3
3. Problem Description
a. Critical JMX issue when deserializing authentication credentials
The RMI server of Oracle JRE JMX deserializes any class when
deserializing authentication credentials. This may allow a remote,
unauthenticated attacker to cause deserialization flaws and execute
their commands.
Workarounds CVE-2016-3427
vCenter Server
Apply the steps of VMware Knowledge Base article 2145343 to vCenter
Server 6.0 on Windows. See the table below for the specific vCenter
Server 6.0 versions on Windows this applies to.
vCloud Director
No workaround identified
vSphere Replication
No workaround identified
vRealize Operations Manager (non-appliance)
The non-appliance version of vRealize Operations Manager (vROps),
which can be installed on Windows and Linux has no default
firewall. In order to remove the remote exploitation possibility,
access to the following external ports will need to be blocked on
the system where the non-appliance version of vROps is installed:
- vROps 6.2.x: port 9004, 9005, 9006, 9007, 9008
- vROps 6.1.x: port 9004, 9005, 9007, 9008
- vROps 6.0.x: port 9004, 9005
Note: These ports are already blocked by default in the appliance
version of vROps.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the identifier CVE-2016-3427 to this issue.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
====================== ========= ======= =============
vCenter Server 6.0 Windows 6.0.0b + KB 2145343 *
vCenter Server 6.0 Linux 6.0.0b
vCenter Server 5.5 Windows (5.5 U3b + KB 2144428
**)
or 5.5 U3d
vCenter Server 5.5 Linux 5.5 U3
vCenter Server 5.1 Windows (5.1 U3b + KB 2144428
**)
or 5.1U3d
vCenter Server 5.1 Linux 5.1 U3b
vCenter Server 5.0 Windows 5.0 U3e + KB 2144428 **
vCenter Server 5.0 Linux 5.0 U3e
vCloud Director 8.0.x Linux 8.0.1.1
vCloud Director 5.6.x Linux 5.6.5.1
vCloud Director 5.5.x Linux 5.5.6.1
vSphere Replication 6.1.x Linux patch pending ***
vSphere Replication 6.0.x Linux 6.0.0.3 ***
vSphere Replication 5.8.x Linux 5.8.1.2 ***
vSphere Replication 5.6.x Linux 5.6.0.6 ***
vROps (non-appliance) 6.x All Apply workaround
vROps (appliance) 6.x Linux Not affected
* Remote and local exploitation is feasible on vCenter Server 6.0 and
6.0.0a for Windows. Remote exploitation is not feasible on vCenter
Server 6.0.0b (and above) for Windows but local exploitation is. The
local exploitation possibility can be removed by applying the steps
of KB 2145343 to vCenter Server 6.0.0b (and above) for Windows.
** See VMSA-2015-0007 for details.
vCenter Server 5.5 U3d and 5.1 U3d running on Windows addresses
CVE-2016-3427 without the need to install the additional patch
of KB 2144428 documented in VMSA-2015-0007.
*** vSphere Replication is affected if its vCloud Tunneling Agent
is running, which is not enabled by default. This agent is used
in environments that replicate data between the cloud and an
on-premise datacenter.
b. Important VMware Workstation and Player for Windows host privilege
escalation vulnerability.
VMware Workstation and Player for Windows do not properly reference
one of their executables. This may allow a local attacker on the host
to elevate their privileges.
VMware would like to thank Andrew Smith of Sword & Shield Enterprise
Security for reporting this issue to us.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the identifier CVE-2016-2077 to this issue.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
================== ======= ======= =================
VMware Workstation 12.x any not affected
VMware Workstation 11.x Windows 11.1.3
VMware Workstation 11.x Linux not affected
VMware Player 8.x any not affected
VMware Player 7.x Windows 7.1.3
VMware Player 7.x Linux not affected
4. Solution
Please review the patch/release notes for your product and
version and verify the checksum of your downloaded file.
vCenter Server
--------------
Downloads and Documentation:
https://www.vmware.com/go/download-vsphere
vCloud Director
---------------
Downloads and Documentation:
https://www.vmware.com/go/download/vcloud-director
vSphere Replication
-------------------
Downloads and Documentation:
https://my.vmware.com/web/vmware/get-download?downloadGroup=VR6003
https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5812
https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5606
https://www.vmware.com/support/pubs/vsphere-replication-pubs.html
VMware Workstation
-------------------------
Downloads and Documentation:
https://www.vmware.com/go/downloadworkstation
VMware Player
-------------
Downloads and Documentation:
https://www.vmware.com/go/downloadplayer
5. References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3427
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2077
VMware Security Advisory VMSA-2015-0007
http://www.vmware.com/security/advisories/VMSA-2015-0007.html
VMware Knowledge Base article 2145343
kb.vmware.com/kb/2145343
VMware Knowledge Base article 2144428
kb.vmware.com/kb/2144428
- ------------------------------------------------------------------------
6. Change log
2016-05-17 VMSA-2016-0005
Initial security advisory in conjunction with the release of VMware
vCloud Director 8.0.1.1, 5.6.5.1, and 5.5.6.1, and vSphere
Replication 6.0.0.3, 5.8.1.2, and 5.6.0.6 on 2016-05-17.
2016-05-24 VMSA-2016-0005.1
Updated security advisory in conjunction with the release of vSphere
5.1 U3d on 2016-05-24. vCenter Server 5.1 U3d running on
Windows addresses CVE-2016-3427 without the need to install the
additional patch.
- ------------------------------------------------------------------------
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
security-announce at lists.vmware.com
bugtraq at securityfocus.com
fulldisclosure at seclists.org
E-mail: security at vmware.com
PGP key at: https://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
Consolidated list of VMware Security Advisories
http://kb.vmware.com/kb/2078735
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
Twitter
https://twitter.com/VMwareSRC
Copyright 2016 VMware Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8
wj8DBQFXRBrxDEcm8Vbi9kMRArdBAJ9folVLwEJ96XeQYcXgYZVhb91muQCgrCgl
6lMvZLSvXOxYO8jc6xakF5o=
=sGc+
-----END PGP SIGNATURE-----
_______________________________________________
Security-announce mailing list
Security-announce-xEzmwC/hc7si8rCdYzckzA< at >public.gmane.org
http://lists.vmware.com/mailman/listinfo/security-announce