Monthly Archives: January 2016

VMWare

UPDATE VMSA-2015-0009.1 VMware product updates address a critical deserialization vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID: VMSA-2015-0009.1
Synopsis:    VMware product updates address a critical deserialization
             vulnerability
Issue date:  2015-12-18
Updated on:  2016-01-29
CVE number:  CVE-2015-6934

- ------------------------------------------------------------------------

1. Summary

   VMware product updates address a critical deserialization
   vulnerability

2. Relevant Releases

   vRealize Orchestrator 6.x
   vCenter Orchestrator 5.x

3. Problem Description

   a. Deserialization vulnerability

   A deserialization vulnerability involving Apache Commons-collections
   and a specially constructed chain of classes exists. Successful
   exploitation could result in remote code execution, with the
   permissions of the application using the Commons-collections library.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the identifier CVE-2015-6934 to this issue.

   Column 4 of the following table lists the action required to
   remediate the vulnerability in each release, if a solution is
   available.

   VMware                         Product    Running   Replace with/
   Product                        Version    on        Apply Patch
   =====================          =======    =======   =================
   vRealize Orchestrator          7.0        Any       Not Affected
   vRealize Orchestrator          6.x        Any       See KB2141244
   vCenter Orchestrator           5.x        Any       See KB2141244

   vRealize Operations            6.x        Windows   6.2 *
   vCenter Operations             5.x        Windows   Patch Pending *

   vCenter Application            7.x        Any       Patch Pending *
   Discovery Manager (vADM)

   * Exploitation of the issue on vRealize Operations, vCenter
     Operations, and vCenter Application Discovery Manager is limited to
     local privilege escalation.

4. Solution

   Please review the patch/release notes for your product and
   version and verify the checksum of your downloaded file.

   vRealize Orchestrator 6.x and
   vCenter Orchestrator 5.x
   Downloads and Documentation:
   http://kb.vmware.com/kb/2141244

   vRealize Operations 6.x
   Release Notes

http://pubs.vmware.com/Release_Notes/en/vrops/62/vrops-62-release-notes.htm
l

5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6934

- ------------------------------------------------------------------------

6. Change log

   2015-12-18 VMSA-2015-0009
   Initial security advisory in conjunction with the release of vRealize
   Orchestrator 6.x and vCenter Orchestrator 5.x patches on 2015-12-18.

   2016-01-29 VMSA-2015-0009.1
   Updated security advisory in conjunction with the release of vRealize
   Operations 6.2 on 2016-01-28. Added a note below the table in
   section 3.a that exploitation of this issue in vCenter Application
   Discovery Manager is limited to local privilege escalation.

- ------------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

    security-announce at lists.vmware.com
    bugtraq at securityfocus.com
    fulldisclosure at seclists.org

   E-mail: security at vmware.com
   PGP key at: http://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   Consolidated list of VMware Security Advisories
   http://kb.vmware.com/kb/2078735

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html

   Twitter
   https://twitter.com/VMwareSRC

   Copyright 2015 VMware Inc.  All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8

wj8DBQFWrAG7DEcm8Vbi9kMRAtUyAKDqGd2Fz3bzBP5GgS3VG1pXQhbDhgCg+8YK
pyrJ72cxfEW0TguF2XCNGLQ=
=+MxM
-----END PGP SIGNATURE-----
_______________________________________________
Security-announce mailing list
Security-announce-xEzmwC/hc7si8rCdYzckzA< at >public.gmane.org
http://lists.vmware.com/mailman/listinfo/security-announce
US-CERT

FTC Announces Enhancements to IdentityTheft.gov

Original release date: January 29, 2016

The Federal Trade Commission (FTC) has upgraded its IdentityTheft.gov site to provide improved help to victims of identity theft. Enhancements include more personalized response plans for consumers, automatic generation of documents to aid in recovery, and better integration of the site with the FTC’s consumer complaint system. Resources are also available for those who want to avoid becoming victims of identity theft.

Consumers are encouraged to visit FTC’s IdentityTheft.gov site and review US-CERT’s tip on Preventing and Responding to Identity Theft for more information.

This product is provided subject to this Notification and this Privacy & Use policy.

NVD

CVE-2015-7521

The authorization framework in Apache Hive 1.0.0, 1.0.1, 1.1.0, 1.1.1, 1.2.0 and 1.2.1, on clusters protected by Ranger and SqlStdHiveAuthorization, allows attackers to bypass intended parent table access restrictions via unspecified partition-level operations.

NVD

CVE-2015-8772

McPvDrv.sys 4.6.111.0 in McAfee File Lock 5.x in McAfee Total Protection allows local users to obtain sensitive information from kernel memory or cause a denial of service (system crash) via a large VERIFY_INFORMATION.Length value in an IOCTL_DISK_VERIFY ioctl call.

NVD

CVE-2015-8773

Stack-based buffer overflow in McPvDrv.sys 4.6.111.0 in McAfee File Lock 5.x in McAfee Total Protection allows attackers to cause a denial of service (system crash) via a long vault GUID in an ioctl call.