-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- --------------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2016-0005.4
Synopsis: VMware product updates address critical and important
security issues
Issue date: 2016-05-17
Updated on: 2016-06-14
CVE number: CVE-2016-3427, CVE-2016-2077
- ------------------------------------------------------------------------
1. Summary
VMware product updates address critical and important
security issues.
2. Relevant Releases
vCenter Server 6.0 on Windows without workaround of KB 2145343
vCenter Server 6.0 on Linux (VCSA) prior to 6.0.0b
vCenter Server 5.5 prior to 5.5 U3d (on Windows), 5.5 U3 (VCSA)
vCenter Server 5.1 prior to 5.1 U3b
vCenter Server 5.0 prior to 5.0 U3e
vCloud Director prior to 8.0.1.1
vCloud Director prior to 5.6.5.1
vCloud Director prior to 5.5.6.1
vSphere Replication prior to 6.1.1
vSphere Replication prior to 6.0.0.3
vSphere Replication prior to 5.8.1.2
vSphere Replication prior to 5.6.0.6
vRealize Operations Manager 6.x (non-appliance version)
vRealize Infrastructure Navigator prior to 5.8.6
VMware Workstation prior to 11.1.3
VMware Player prior to 7.1.3
3. Problem Description
a. Critical JMX issue when deserializing authentication credentials
The RMI server of Oracle JRE JMX deserializes any class when
deserializing authentication credentials. This may allow a remote,
unauthenticated attacker to cause deserialization flaws and execute
their commands.
Workarounds CVE-2016-3427
vCenter Server
Apply the steps of VMware Knowledge Base article 2145343 to vCenter
Server 6.0 on Windows. See the table below for the specific vCenter
Server 6.0 versions on Windows this applies to.
vCloud Director
No workaround identified
vSphere Replication
No workaround identified
vRealize Operations Manager (non-appliance)
The non-appliance version of vRealize Operations Manager (vROps),
which can be installed on Windows and Linux has no default
firewall. In order to remove the remote exploitation possibility,
access to the following external ports will need to be blocked on
the system where the non-appliance version of vROps is installed:
- vROps 6.2.x: port 9004, 9005, 9006, 9007, 9008
- vROps 6.1.x: port 9004, 9005, 9007, 9008
- vROps 6.0.x: port 9004, 9005
Note: These ports are already blocked by default in the appliance
version of vROps.
vRealize Infrastructure Navigator
No workaround identified
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the identifier CVE-2016-3427 to this issue.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
====================== ========= ======= =============
vCenter Server 6.0 Windows 6.0.0b + KB 2145343 *
vCenter Server 6.0 Linux 6.0.0b
vCenter Server 5.5 Windows (5.5 U3b + KB 2144428
**)
or 5.5 U3d
vCenter Server 5.5 Linux 5.5 U3
vCenter Server 5.1 Windows (5.1 U3b + KB 2144428
**)
or 5.1U3d
vCenter Server 5.1 Linux 5.1 U3b
vCenter Server 5.0 Windows (5.0 U3e + KB 2144428
**)
or 5.0 U3g
vCenter Server 5.0 Linux 5.0 U3e
vCloud Director 8.0.x Linux 8.0.1.1
vCloud Director 5.6.x Linux 5.6.5.1
vCloud Director 5.5.x Linux 5.5.6.1
vSphere Replication 6.1.x Linux 6.1.1 ***
vSphere Replication 6.0.x Linux 6.0.0.3 ***
vSphere Replication 5.8.x Linux 5.8.1.2 ***
vSphere Replication 5.6.x Linux 5.6.0.6 ***
vROps (non-appliance) 6.x All Apply workaround
vROps (appliance) 6.x Linux Not affected
vRealize Infrastructure 5.8.x All 5.8.6
Navigator
* Remote and local exploitation is feasible on vCenter Server 6.0 and
6.0.0a for Windows. Remote exploitation is not feasible on vCenter
Server 6.0.0b (and above) for Windows but local exploitation is. The
local exploitation possibility can be removed by applying the steps
of KB 2145343 to vCenter Server 6.0.0b (and above) for Windows.
** See VMSA-2015-0007 for details.
vCenter Server 5.5 U3d, 5.1 U3d, and 5.0 U3g running on Windows
address CVE-2016-3427 without the need to install the additional
patch of KB 2144428 documented in VMSA-2015-0007.
*** vSphere Replication is affected if its vCloud Tunneling Agent
is running, which is not enabled by default. This agent is used
in environments that replicate data between the cloud and an
on-premise datacenter.
b. Important VMware Workstation and Player for Windows host privilege
escalation vulnerability.
VMware Workstation and Player for Windows do not properly reference
one of their executables. This may allow a local attacker on the host
to elevate their privileges.
VMware would like to thank Andrew Smith of Sword & Shield Enterprise
Security for reporting this issue to us.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the identifier CVE-2016-2077 to this issue.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
================== ======= ======= =================
VMware Workstation 12.x any not affected
VMware Workstation 11.x Windows 11.1.3
VMware Workstation 11.x Linux not affected
VMware Player 8.x any not affected
VMware Player 7.x Windows 7.1.3
VMware Player 7.x Linux not affected
4. Solution
Please review the patch/release notes for your product and
version and verify the checksum of your downloaded file.
vCenter Server
--------------
Downloads and Documentation:
https://www.vmware.com/go/download-vsphere
vCloud Director
---------------
Downloads and Documentation:
https://www.vmware.com/go/download/vcloud-director
vSphere Replication
-------------------
Downloads and Documentation:
https://my.vmware.com/web/vmware/get-download?downloadGroup=VR611
https://my.vmware.com/web/vmware/get-download?downloadGroup=VR6003
https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5812
https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5606
https://www.vmware.com/support/pubs/vsphere-replication-pubs.html
vRealize Infrastructure Navigator
---------------------------------
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?downloadGroup=VIN_586&productId=54
2&rPId=11127
VMware Workstation
-------------------------
Downloads and Documentation:
https://www.vmware.com/go/downloadworkstation
VMware Player
-------------
Downloads and Documentation:
https://www.vmware.com/go/downloadplayer
5. References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3427
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2077
VMware Security Advisory VMSA-2015-0007
http://www.vmware.com/security/advisories/VMSA-2015-0007.html
VMware Knowledge Base article 2145343
kb.vmware.com/kb/2145343
VMware Knowledge Base article 2144428
kb.vmware.com/kb/2144428
- ------------------------------------------------------------------------
6. Change log
2016-05-17 VMSA-2016-0005
Initial security advisory in conjunction with the release of VMware
vCloud Director 8.0.1.1, 5.6.5.1, and 5.5.6.1, and vSphere
Replication 6.0.0.3, 5.8.1.2, and 5.6.0.6 on 2016-05-17.
2016-05-24 VMSA-2016-0005.1
Updated security advisory in conjunction with the release of vSphere
5.1 U3d on 2016-05-24. vCenter Server 5.1 U3d running on
Windows addresses CVE-2016-3427 without the need to install the
additional patch.
2016-05-27 VMSA-2016-0005.2
Updated security advisory in conjunction with the release of vSphere
Replication 6.1.1 on 2016-05-26.
2016-06-03 VMSA-2016-0005.3
Updated security advisory in conjunction with the release of vRealize
Infrastructure Navigator 5.8.6 on 2016-06-02
2016-06-14 VMSA-2016-0005.4
Updated security advisory in conjunction with the release of vSphere
5.0 U3g on 2016-06-14. vCenter Server 5.0 U3g running on
Windows addresses CVE-2016-3427 without the need to install the
additional patch.
- ------------------------------------------------------------------------
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
security-announce at lists.vmware.com
bugtraq at securityfocus.com
fulldisclosure at seclists.org
E-mail: security at vmware.com
PGP key at: https://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
Consolidated list of VMware Security Advisories
http://kb.vmware.com/kb/2078735
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
Twitter
https://twitter.com/VMwareSRC
Copyright 2016 VMware Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8
wj8DBQFXYOFvDEcm8Vbi9kMRAuovAKDtHfrRsPdxfY8NrfTvxUGH8CiQaQCdGoZY
YdbtA9ZFozV6QqTZMD+G7Nk=
=EBfq
-----END PGP SIGNATURE-----
Category Archives: VMWare
VMWare
NEW VMSA-2016-0009 VMware vCenter Server updates address an important reflective cross-site scripting issue
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- -----------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2016-0009
Synopsis: VMware vCenter Server updates address an important
reflective cross-site scripting issue
Issue date: 2016-06-14
Updated on: 2016-06-14 (Initial Advisory)
CVE number: CVE-2015-6931
- ------------------------------------------------------------------------
1. Summary
VMware vCenter Server updates address an important reflective
cross-site scripting issue.
2. Relevant Releases
vCenter Server 5.5 prior to 5.5 update 2d
vCenter Server 5.1 prior to 5.1 update 3d
vCenter Server 5.0 prior to 5.0 update 3g
3. Problem Description
a. Important vCenter Server reflected cross-site scripting issue
The vSphere Web Client contains a reflected cross-site scripting
vulnerability due to a lack of input sanitization. An attacker can
exploit this issue by tricking a victim into clicking a malicious
link.
VMware would like to thank Matt Schmidt for reporting this issue to
us.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the identifier CVE-2015-6931 to this issue.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============== ======= ======= =============
vCenter Server 6.0 Any not affected
vCenter Server 5.5 Any 5.5 U2d *
vCenter Server 5.1 Any 5.1 U3d *
vCenter Server 5.0 Any 5.0 U3g *
* The client side component of the vSphere Web Client does not need
to be updated to remediate CVE-2015-6931. Updating the vCenter
Server is sufficient to remediate this issue.
4. Solution
Please review the patch/release notes for your product and
version and verify the checksum of your downloaded file.
vCenter Server
--------------
Downloads and Documentation:
https://www.vmware.com/go/download-vsphere
5. References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6931
- ------------------------------------------------------------------------
6. Change log
2016-06-14 VMSA-2016-0009
Initial security advisory in conjunction with the release of VMware
vCenter Server 5.0 U3g on 2016-06-14.
- ------------------------------------------------------------------------
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
security-announce at lists.vmware.com
bugtraq at securityfocus.com
fulldisclosure at seclists.org
E-mail: security at vmware.com
PGP key at: https://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
Consolidated list of VMware Security Advisories
http://kb.vmware.com/kb/2078735
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
Twitter
https://twitter.com/VMwareSRC
Copyright 2016 VMware Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8
wj8DBQFXYODdDEcm8Vbi9kMRAhi/AJ45s8NycL/AbvIawr+DK0QhGq19QwCeIJha
/NW3n6JSlZk+zaj6w33ZLyI=
=CSDo
-----END PGP SIGNATURE-----
UPDATED VMSA-2015-0009.3 VMware product updates address a critical deserialization vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2015-0009.3
Synopsis: VMware product updates address a critical deserialization
vulnerability
Issue date: 2015-12-18
Updated on: 2016-06-14
CVE number: CVE-2015-6934
- ------------------------------------------------------------------------
1. Summary
VMware product updates address a critical deserialization
vulnerability
2. Relevant Releases
vRealize Orchestrator 6.x
vCenter Orchestrator 5.x
vRealize Operations 6.x
vRealize Infrastructure Navigator 5.8.x
3. Problem Description
a. Deserialization vulnerability
A deserialization vulnerability involving Apache Commons-collections
and a specially constructed chain of classes exists. Successful
exploitation could result in remote code execution, with the
permissions of the application using the Commons-collections library.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the identifier CVE-2015-6934 to this issue.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
===================== ======= ======= =================
vRealize Orchestrator 7.0 Any Not Affected
vRealize Orchestrator 6.x Any See KB2141244
vCenter Orchestrator 5.x Any See KB2141244
vRealize Operations 6.x Windows 6.2 *
vRealize Operations 6.x Linux Not Affected
vCenter Operations 5.x Any Not Affected
vCenter Application 7.x Any No patch planned *
Discovery Manager (vADM)
vRealize Infrastructure 5.8.x Linux 5.8.5
Navigator
* Exploitation of the issue on vRealize Operations and vCenter
Application Discovery Manager is limited to local privilege
escalation.
4. Solution
Please review the patch/release notes for your product and
version and verify the checksum of your downloaded file.
vRealize Orchestrator 6.x and
vCenter Orchestrator 5.x
Downloads and Documentation:
http://kb.vmware.com/kb/2141244
vRealize Operations 6.x
Release Notes
http://pubs.vmware.com/Release_Notes/en/vrops/62/vrops-62-release-notes.htm
l
vRealize Infrastructure Navigator 5.8.5
Release Notes
http://pubs.vmware.com/Release_Notes/en/vin/585/releasenotes-vin585.html
5. References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6934
- ------------------------------------------------------------------------
6. Change log
2015-12-18 VMSA-2015-0009
Initial security advisory in conjunction with the release of vRealize
Orchestrator 6.x and vCenter Orchestrator 5.x patches on 2015-12-18.
2016-01-29 VMSA-2015-0009.1
Updated security advisory in conjunction with the release of vRealize
Operations 6.2 on 2016-01-28. Added a note below the table in
section 3.a that exploitation of this issue in vCenter Application
Discovery Manager is limited to local privilege escalation.
2016-03-15 VMSA-2015-0009.2
Updated security advisory to reflect the release of vRealize
Infrastructure Navigator 5.8.5, which addresses CVE-2015-6934.
2016-06-14 VMSA-2015-0009.3
Updated security advisory to reflect that vCenter Operations 5.x is
not affected (earlier versions of this advisory said “Patch
Pending”). Added that no patch is planned for vCenter Application
Discovery Manager.
- ------------------------------------------------------------------------
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
security-announce at lists.vmware.com
bugtraq at securityfocus.com
fulldisclosure at seclists.org
E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
Consolidated list of VMware Security Advisories
http://kb.vmware.com/kb/2078735
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
Twitter
https://twitter.com/VMwareSRC
Copyright 2015 VMware Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8
wj8DBQFXYOHhDEcm8Vbi9kMRAiL6AJ954G5q+cy2y3J6+tfv5DW+fwJ71QCfTXuy
3mud0ovsyCQIhMCfTOjs0Jg=
=r5lg
-----END PGP SIGNATURE-----
UPDATED VMSA-2015-0007.6 VMware vCenter and ESXi updates address critical security issues
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2015-0007.6
Synopsis: VMware vCenter and ESXi updates address critical security
issues
Issue date: 2015-10-01
Updated on: 2016-06-14
CVE number: CVE-2015-5177 CVE-2015-2342 CVE-2015-1047
- ------------------------------------------------------------------------
1. Summary
VMware vCenter and ESXi updates address critical security issues.
NOTE: See section 3.b for a critical update on an incomplete fix
for the JMX RMI issue.
2. Relevant Releases
VMware ESXi 5.5 without patch ESXi550-201509101-SG
VMware ESXi 5.1 without patch ESXi510-201510101-SG
VMware ESXi 5.0 without patch ESXi500-201510101-SG
VMware vCenter Server 6.0 prior to version 6.0.0b
VMware vCenter Server 5.5 prior to version 5.5 update 3
VMware vCenter Server 5.1 prior to version 5.1 update u3b
VMware vCenter Server 5.0 prior to version 5.0 update u3e
3. Problem Description
a. VMWare ESXi OpenSLP Remote Code Execution
VMware ESXi contains a double free flaw in OpenSLP's
SLPDProcessMessage() function. Exploitation of this issue may
allow an unauthenticated attacker to remotely execute code on
the ESXi host.
VMware would like to thank Qinghao Tang of QIHU 360 for reporting
this issue to us.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the identifier CVE-2015-5177 to this issue.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======= ======= =================
ESXi 6.0 ESXi not affected
ESXi 5.5 ESXi ESXi550-201509101-SG*
ESXi 5.1 ESXi ESXi510-201510101-SG
ESXi 5.0 ESXi ESXi500-201510101-SG
* Customers who have installed the complete set of ESXi 5.5 U3
Bulletins, please review VMware KB 2133118. KB 2133118 documents
a known non-security issue and provides a solution.
b. VMware vCenter Server JMX RMI Remote Code Execution
VMware vCenter Server contains a remotely accessible JMX RMI
service that is not securely configured. An unauthenticated remote
attacker who is able to connect to the service may be able to use
it to execute arbitrary code on the vCenter Server. A local attacker
may be able to elevate their privileges on vCenter Server.
vCenter Server Appliance (vCSA) 5.1, 5.5 and 6.0 has remote access
to the JMX RMI service (port 9875) blocked by default.
VMware would like to thank Doug McLeod of 7 Elements Ltd and an
anonymous researcher working through HP's Zero Day Initiative for
reporting this issue to us.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the identifier CVE-2015-2342 to this issue.
CRITICAL UPDATE
VMSA-2015-0007.2 and earlier versions of this advisory documented
that CVE-2015-2342 was addressed in vCenter Server 5.0 U3e,
5.1 U3b, and 5.5 U3. Subsequently, it was found that the fix for
CVE-2015-2342 in vCenter Server 5.0 U3e, 5.1 U3b, and
5.5 U3/U3a/U3b running on Windows was incomplete and did not
address the issue.
In order to address the issue on these versions of vCenter Server
Windows, an additional patch must be installed. This additional
patch is available from VMware Knowledge Base (KB) article
2144428. Alternatively, updating to vCenter Server 5.0 U3g,
5.1 U3d, and 5.5 U3d running on Windows will remediate the issue.
In case the Windows Firewall is enabled on the system that has
vCenter Server Windows installed, remote exploitation of
CVE-2015-2342 is not possible. Even if the Windows Firewall is
enabled, users are advised to install the additional patch in
order to remove the local privilege elevation.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======= ======= ===============
VMware vCenter Server 6.0 Any 6.0.0b and above
VMware vCenter Server 5.5 Windows (5.5 U3/U3a/U3b + KB*)
or 5.5 U3d
VMware vCenter Server 5.5 Linux 5.5 U3 and above
VMware vCenter Server 5.1 Windows (5.1 U3b + KB*)
or 5.1 U3d
VMware vCenter Server 5.1 Linux 5.1 U3b and above
VMware vCenter Server 5.0 Windows (5.0 U3e + KB*)
or 5.0 U3g
VMware vCenter Server 5.0 Linux 5.0 U3e and above
* An additional patch provided in VMware KB article 2144428 must be
installed on vCenter Server Windows 5.0 U3e, 5.1 U3b, 5.5 U3,
5.5 U3a, and 5.5 U3b in order to remediate CVE-2015-2342.
This patch is not needed when updating to 5.0 U3g, 5.1 U3d or
5.5 U3d, or when installing 5.0 U3g, 5.1 U3d or 5.5 U3d.
c. VMware vCenter Server vpxd denial-of-service vulnerability
VMware vCenter Server does not properly sanitize long heartbeat
messages. Exploitation of this issue may allow an unauthenticated
attacker to create a denial-of-service condition in the vpxd
service.
VMware would like to thank the Google Security Team for reporting
this issue to us.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the identifier CVE-2015-1047 to this issue.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======= ======= ==============
VMware vCenter Server 6.0 Any not affected
VMware vCenter Server 5.5 Any 5.5u2
VMware vCenter Server 5.1 Any 5.1u3
VMware vCenter Server 5.0 Any 5.0u3e
4. Solution
Please review the patch/release notes for your product and version
and verify the checksum of your downloaded file.
ESXi
--------------------------------
Downloads:
https://www.vmware.com/patchmgr/findPatch.portal
Documentation:
http://kb.vmware.com/kb/2110247
http://kb.vmware.com/kb/2114875
http://kb.vmware.com/kb/2120209
vCenter Server
--------------------------------
Downloads and Documentation:
https://www.vmware.com/go/download-vsphere
5. References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5177
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2342
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1047
VMware Knowledge Base articles
http://kb.vmware.com/kb/2133118
http://kb.vmware.com/kb/2144428
- ------------------------------------------------------------------------
6. Change log
2015-10-01 VMSA-2015-0007
Initial security advisory in conjunction with ESXi 5.0, 5.1 patches
and VMware vCenter Server 5.1 u3b, 5.0 u3e on 2015-10-01.
2015-10-06 VMSA-2015-0007.1
Updated security advisory in conjunction with the release of ESXi 5.5
U3a on 2015-10-06. Added a note to section 3.a to alert customers to
a non-security issue in ESXi 5.5 U3 that is addressed in ESXi 5.5 U3a.
2015-10-20 VMSA-2015-0007.2
Updated security advisory to reflect that CVE-2015-2342 is fixed in
an earlier vCenter Server version (6.0.0b) than originally reported
(6.0 U1) and that the port required to exploit the vulnerability is
blocked in the appliance versions of the software (5.1 and above).
2016-02-12 VMSA-2015-0007.3
Updated security advisory to add that an additional patch is required
on vCenter Server 5.0 U3e, 5.1 U3b and 5.5 U3/U3a/U3b running on
Windows to remediate CVE-2015-2342.
2016-04-27 VMSA-2015-0007.4
Updated security advisory to add that vCenter Server 5.5 U3d running on
Windows addresses CVE-2105-2342 without the need to install the
additional patch.
2016-05-24 VMSA-2015-0007.5
Updated security advisory to add that vCenter Server 5.1 U3d running on
Windows addresses CVE-2105-2342 without the need to install the
additional patch.
2016-06-14 VMSA-2015-0007.6
Updated security advisory to add that vCenter Server 5.0 U3g running on
Windows addresses CVE-2105-2342 without the need to install the
additional patch.
- ------------------------------------------------------------------------
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
security-announce at lists.vmware.com
bugtraq at securityfocus.com
fulldisclosure at seclists.org
E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
Consolidated list of VMware Security Advisories
http://kb.vmware.com/kb/2078735
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
Twitter
https://twitter.com/VMwareSRC
Copyright 2015 VMware Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8
wj8DBQFXYOI+DEcm8Vbi9kMRAo5NAKDXxOUz7aLdAbLN91d35cTgWjnBUwCgmYEe
UBtln1x1l7M8vaPkawZdpNE=
=c1Np
-----END PGP SIGNATURE-----
New VMSA-2016-0008 VMware vRealize Log Insight addresses important and moderate security issues
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2016-0008
Synopsis: VMware vRealize Log Insight addresses important and
moderate security issues.
Issue date: 2016-06-09
Updated on: 2016-06-09 (Initial Advisory)
CVE number: CVE-2016-2081, CVE-2016-2082
1. Summary
VMware vRealize Log Insight addresses important and moderate security
issues.
2. Relevant Releases
VMware vRealize Log Insight prior to 3.3.2
3. Problem Description
a. Important stored cross-site scripting issue in VMware vRealize Log
Insight
VMware vRealize Log Insight contains a vulnerability that may
allow for a stored cross-site scripting attack. Exploitation of this
issue may lead to the hijack of an authenticated user's session.
VMware would like to thank Lukasz Plonka for reporting this issue to
us.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the identifier CVE-2016-2081 to this issue.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
=========================== ======= ======= =================
VMware vRealize Log Insight 3.x Virtual 3.3.2
Appliance
VMware vRealize Log Insight 2.x Virtual 3.3.2
Appliance
b. Moderate cross-site request forgery issue in VMware vRealize Log
Insight
VMware vRealize Log Insight contains a vulnerability that may
allow for a cross-site request forgery attack. Exploitation of this
issue may lead to an attacker replacing trusted content in the Log
Insight UI without the user's authorization.
VMware would like to thank Lukasz Plonka for reporting this issue to
us.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the identifier CVE-2016-2082 to this issue.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
=========================== ======= ======= =================
VMware vRealize Log Insight 3.x Virtual 3.3.2
Appliance
VMware vRealize Log Insight 2.x Virtual 3.3.2
Appliance
4. Solution
Please review the patch/release notes for your product and
version and verify the checksum of your downloaded file.
VMware vRealize Log Insight 3.3.2
Downloads and Documentation:
https://my.vmware.com/en/web/vmware/info/slug/infrastructure_operations_man
agement/vmware_vrealize_log_insight/3_3
5. References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2081
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2082
- ------------------------------------------------------------------------
6. Change log
2016-06-09 VMSA-2016-0008 Initial security advisory in conjunction
with the release of VMware vRealize Log Insight 3.3.2 on 2016-06-09.
- ------------------------------------------------------------------------
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
security-announce at lists.vmware.com
bugtraq at securityfocus.com
fulldisclosure at seclists.org
E-mail: security at vmware.com
PGP key at: https://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
Consolidated list of VMware Security Advisories
http://kb.vmware.com/kb/2078735
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
Twitter
https://twitter.com/VMwareSRC
Copyright 2016 VMware Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.3.2 (Build 21165)
Charset: utf-8
wj8DBQFXWj/PDEcm8Vbi9kMRAnAIAJ41gvMcGGXT4455eNmt7tR48d8pmgCgun/W
uMHWtNOrpA7NINIY+E8ASpo=
=QmsU
-----END PGP SIGNATURE-----
_______________________________________________
Security-announce mailing list
Security-announce-xEzmwC/hc7si8rCdYzckzA< at >public.gmane.org
http://lists.vmware.com/mailman/listinfo/security-announce
New VMSA-2016-0007 VMware NSX and vCNS product updates address a critical information disclosure vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- - ------------------------------------------------------------------------
Advisory ID: VMSA-2016-0007
Synopsis: VMware NSX and vCNS product updates address a critical
information disclosure vulnerability
Issue date: 2016-06-09
Updated on: 2016-06-09 (Initial Advisory)
CVE number: CVE-2016-2079
1. Summary
VMware NSX and vCNS product updates address a critical information
disclosure vulnerability.
2. Relevant Releases
NSX 6.2 prior to 6.2.3
NSX 6.1 prior to 6.1.7
vCNS 5.5.4 prior to 5.5.4.3
3. Problem Description
a. VMware NSX and vCNS critical information disclosure vulnerability
VMware NSX and vCNS with SSL-VPN enabled contain a critical input
validation vulnerability. This issue may allow a remote attacker
to gain access to sensitive information.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the identifier CVE-2016-2079 to this issue.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============ ========== ========== =============
NSX Edge 6.2 Any 6.2.3
NSX Edge 6.1 Any 6.1.7
vCNS Edge 5.5 Any 5.5.4.3
4. Solution
Please review the patch/release notes for your product and version and
verify
the checksum of your downloaded file.
VMware NSX
Downloads:
https://www.vmware.com/go/download-nsx-vsphere
Documentation:
https://www.vmware.com/support/pubs/nsx_pubs.html
vCNS
Downloads:
https://www.vmware.com/go/download-vcd-ns
Documentation:
https://www.vmware.com/support/pubs/vshield_pubs.html
5. References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2079
- - - -
- - ------------------------------------------------------------------------
6. Change log
2016-06-09 VMSA-2016-0007
Initial security advisory in conjunction with the release of VMware
NSX 6.2.3, 6.1.7 and vCNS 5.5.4.3 on 2016-06-09.
- - - -
- - ------------------------------------------------------------------------
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
security-announce at lists.vmware.com
bugtraq at securityfocus.com
fulldisclosure at seclists.org
E-mail: security at vmware.com
PGP key at: https://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
Consolidated list of VMware Security Advisories
http://kb.vmware.com/kb/2078735
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
Twitter
https://twitter.com/VMwareSRC
Copyright 2016 VMware Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.3.2 (Build 21165)
Charset: utf-8
wj8DBQFXWj8bDEcm8Vbi9kMRAstiAKC5ejIGTYxy1cyZICirCBe7ZZ0qHwCg3ohk
/WKIK9nNhceGenKdZBakL04=
=VsXF
-----END PGP SIGNATURE-----?
_______________________________________________
Security-announce mailing list
Security-announce-xEzmwC/hc7si8rCdYzckzA< at >public.gmane.org
http://lists.vmware.com/mailman/listinfo/security-announce
UPDATE: VMSA-2016-0005.3 – VMware product updates address critical and important security issues
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- --------------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2016-0005.3
Synopsis: VMware product updates address critical and important
security issues
Issue date: 2016-05-17
Updated on: 2016-06-03
CVE number: CVE-2016-3427, CVE-2016-2077
- ------------------------------------------------------------------------
1. Summary
VMware product updates address critical and important
security issues.
2. Relevant Releases
vCenter Server 6.0 on Windows without workaround of KB 2145343
vCenter Server 6.0 on Linux (VCSA) prior to 6.0.0b
vCenter Server 5.5 prior to 5.5 U3d (on Windows), 5.5 U3 (VCSA)
vCenter Server 5.1 prior to 5.1 U3b
vCenter Server 5.0 prior to 5.0 U3e
vCloud Director prior to 8.0.1.1
vCloud Director prior to 5.6.5.1
vCloud Director prior to 5.5.6.1
vSphere Replication prior to 6.1.1
vSphere Replication prior to 6.0.0.3
vSphere Replication prior to 5.8.1.2
vSphere Replication prior to 5.6.0.6
vRealize Operations Manager 6.x (non-appliance version)
vRealize Infrastructure Navigator prior to 5.8.6
VMware Workstation prior to 11.1.3
VMware Player prior to 7.1.3
3. Problem Description
a. Critical JMX issue when deserializing authentication credentials
The RMI server of Oracle JRE JMX deserializes any class when
deserializing authentication credentials. This may allow a remote,
unauthenticated attacker to cause deserialization flaws and execute
their commands.
Workarounds CVE-2016-3427
vCenter Server
Apply the steps of VMware Knowledge Base article 2145343 to vCenter
Server 6.0 on Windows. See the table below for the specific vCenter
Server 6.0 versions on Windows this applies to.
vCloud Director
No workaround identified
vSphere Replication
No workaround identified
vRealize Operations Manager (non-appliance)
The non-appliance version of vRealize Operations Manager (vROps),
which can be installed on Windows and Linux has no default
firewall. In order to remove the remote exploitation possibility,
access to the following external ports will need to be blocked on
the system where the non-appliance version of vROps is installed:
- vROps 6.2.x: port 9004, 9005, 9006, 9007, 9008
- vROps 6.1.x: port 9004, 9005, 9007, 9008
- vROps 6.0.x: port 9004, 9005
Note: These ports are already blocked by default in the appliance
version of vROps.
vRealize Infrastructure Navigator
No workaround identified
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the identifier CVE-2016-3427 to this issue.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
====================== ========= ======= =============
vCenter Server 6.0 Windows 6.0.0b + KB 2145343 *
vCenter Server 6.0 Linux 6.0.0b
vCenter Server 5.5 Windows (5.5 U3b + KB 2144428
**)
or 5.5 U3d
vCenter Server 5.5 Linux 5.5 U3
vCenter Server 5.1 Windows (5.1 U3b + KB 2144428
**)
or 5.1U3d
vCenter Server 5.1 Linux 5.1 U3b
vCenter Server 5.0 Windows 5.0 U3e + KB 2144428 **
vCenter Server 5.0 Linux 5.0 U3e
vCloud Director 8.0.x Linux 8.0.1.1
vCloud Director 5.6.x Linux 5.6.5.1
vCloud Director 5.5.x Linux 5.5.6.1
vSphere Replication 6.1.x Linux 6.1.1 ***
vSphere Replication 6.0.x Linux 6.0.0.3 ***
vSphere Replication 5.8.x Linux 5.8.1.2 ***
vSphere Replication 5.6.x Linux 5.6.0.6 ***
vROps (non-appliance) 6.x All Apply workaround
vROps (appliance) 6.x Linux Not affected
vRealize Infrastructure 5.8.x All 5.8.6
Navigator
* Remote and local exploitation is feasible on vCenter Server 6.0 and
6.0.0a for Windows. Remote exploitation is not feasible on vCenter
Server 6.0.0b (and above) for Windows but local exploitation is. The
local exploitation possibility can be removed by applying the steps
of KB 2145343 to vCenter Server 6.0.0b (and above) for Windows.
** See VMSA-2015-0007 for details.
vCenter Server 5.5 U3d and 5.1 U3d running on Windows addresses
CVE-2016-3427 without the need to install the additional patch
of KB 2144428 documented in VMSA-2015-0007.
*** vSphere Replication is affected if its vCloud Tunneling Agent
is running, which is not enabled by default. This agent is used
in environments that replicate data between the cloud and an
on-premise datacenter.
b. Important VMware Workstation and Player for Windows host privilege
escalation vulnerability.
VMware Workstation and Player for Windows do not properly reference
one of their executables. This may allow a local attacker on the host
to elevate their privileges.
VMware would like to thank Andrew Smith of Sword & Shield Enterprise
Security for reporting this issue to us.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the identifier CVE-2016-2077 to this issue.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
================== ======= ======= =================
VMware Workstation 12.x any not affected
VMware Workstation 11.x Windows 11.1.3
VMware Workstation 11.x Linux not affected
VMware Player 8.x any not affected
VMware Player 7.x Windows 7.1.3
VMware Player 7.x Linux not affected
4. Solution
Please review the patch/release notes for your product and
version and verify the checksum of your downloaded file.
vCenter Server
--------------
Downloads and Documentation:
https://www.vmware.com/go/download-vsphere
vCloud Director
---------------
Downloads and Documentation:
https://www.vmware.com/go/download/vcloud-director
vSphere Replication
-------------------
Downloads and Documentation:
https://my.vmware.com/web/vmware/get-download?downloadGroup=VR611
https://my.vmware.com/web/vmware/get-download?downloadGroup=VR6003
https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5812
https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5606
https://www.vmware.com/support/pubs/vsphere-replication-pubs.html
vRealize Infrastructure Navigator
---------------------------------
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?downloadGroup=VIN_586&productId=54
2&rPId=11127
VMware Workstation
-------------------------
Downloads and Documentation:
https://www.vmware.com/go/downloadworkstation
VMware Player
-------------
Downloads and Documentation:
https://www.vmware.com/go/downloadplayer
5. References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3427
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2077
VMware Security Advisory VMSA-2015-0007
http://www.vmware.com/security/advisories/VMSA-2015-0007.html
VMware Knowledge Base article 2145343
kb.vmware.com/kb/2145343
VMware Knowledge Base article 2144428
kb.vmware.com/kb/2144428
- ------------------------------------------------------------------------
6. Change log
2016-05-17 VMSA-2016-0005
Initial security advisory in conjunction with the release of VMware
vCloud Director 8.0.1.1, 5.6.5.1, and 5.5.6.1, and vSphere
Replication 6.0.0.3, 5.8.1.2, and 5.6.0.6 on 2016-05-17.
2016-05-24 VMSA-2016-0005.1
Updated security advisory in conjunction with the release of vSphere
5.1 U3d on 2016-05-24. vCenter Server 5.1 U3d running on
Windows addresses CVE-2016-3427 without the need to install the
additional patch.
2016-05-27 VMSA-2016-0005.2
Updated security advisory in conjunction with the release of vSphere
Replication 6.1.1 on 2016-05-26.
2016-06-03 VMSA-2016-0005.3
Updated security advisory in conjunction with the release of vRealize
Infrastructure Navigator 5.8.6 on 2016-06-02
- ------------------------------------------------------------------------
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
security-announce at lists.vmware.com
bugtraq at securityfocus.com
fulldisclosure at seclists.org
E-mail: security at vmware.com
PGP key at: https://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
Consolidated list of VMware Security Advisories
http://kb.vmware.com/kb/2078735
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
Twitter
https://twitter.com/VMwareSRC
Copyright 2016 VMware Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8
wj8DBQFXUfNgDEcm8Vbi9kMRAuQ8AJsFuZLqvbAgpSDEku8sccEQvTQTewCg6ZeQ
OPEXvu2rnhSu/qqOfWvgpsw=
=+1IH
-----END PGP SIGNATURE-----
UPDATE: VMSA-2016-0005.2 – VMware product updates address critical and important security issues
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- --------------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2016-0005.2
Synopsis: VMware product updates address critical and important
security issues
Issue date: 2016-05-17
Updated on: 2016-05-27
CVE number: CVE-2016-3427, CVE-2016-2077
- ------------------------------------------------------------------------
1. Summary
VMware product updates address critical and important
security issues.
2. Relevant Releases
vCenter Server 6.0 on Windows without workaround of KB 2145343
vCenter Server 6.0 on Linux (VCSA) prior to 6.0.0b
vCenter Server 5.5 prior to 5.5 U3d (on Windows), 5.5 U3 (VCSA)
vCenter Server 5.1 prior to 5.1 U3b
vCenter Server 5.0 prior to 5.0 U3e
vCloud Director prior to 8.0.1.1
vCloud Director prior to 5.6.5.1
vCloud Director prior to 5.5.6.1
vSphere Replication prior to 6.1.1
vSphere Replication prior to 6.0.0.3
vSphere Replication prior to 5.8.1.2
vSphere Replication prior to 5.6.0.6
vRealize Operations Manager 6.x (non-appliance version)
VMware Workstation prior to 11.1.3
VMware Player prior to 7.1.3
3. Problem Description
a. Critical JMX issue when deserializing authentication credentials
The RMI server of Oracle JRE JMX deserializes any class when
deserializing authentication credentials. This may allow a remote,
unauthenticated attacker to cause deserialization flaws and execute
their commands.
Workarounds CVE-2016-3427
vCenter Server
Apply the steps of VMware Knowledge Base article 2145343 to vCenter
Server 6.0 on Windows. See the table below for the specific vCenter
Server 6.0 versions on Windows this applies to.
vCloud Director
No workaround identified
vSphere Replication
No workaround identified
vRealize Operations Manager (non-appliance)
The non-appliance version of vRealize Operations Manager (vROps),
which can be installed on Windows and Linux has no default
firewall. In order to remove the remote exploitation possibility,
access to the following external ports will need to be blocked on
the system where the non-appliance version of vROps is installed:
- vROps 6.2.x: port 9004, 9005, 9006, 9007, 9008
- vROps 6.1.x: port 9004, 9005, 9007, 9008
- vROps 6.0.x: port 9004, 9005
Note: These ports are already blocked by default in the appliance
version of vROps.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the identifier CVE-2016-3427 to this issue.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
====================== ========= ======= =============
vCenter Server 6.0 Windows 6.0.0b + KB 2145343 *
vCenter Server 6.0 Linux 6.0.0b
vCenter Server 5.5 Windows (5.5 U3b + KB 2144428
**)
or 5.5 U3d
vCenter Server 5.5 Linux 5.5 U3
vCenter Server 5.1 Windows (5.1 U3b + KB 2144428
**)
or 5.1U3d
vCenter Server 5.1 Linux 5.1 U3b
vCenter Server 5.0 Windows 5.0 U3e + KB 2144428 **
vCenter Server 5.0 Linux 5.0 U3e
vCloud Director 8.0.x Linux 8.0.1.1
vCloud Director 5.6.x Linux 5.6.5.1
vCloud Director 5.5.x Linux 5.5.6.1
vSphere Replication 6.1.x Linux 6.1.1 ***
vSphere Replication 6.0.x Linux 6.0.0.3 ***
vSphere Replication 5.8.x Linux 5.8.1.2 ***
vSphere Replication 5.6.x Linux 5.6.0.6 ***
vROps (non-appliance) 6.x All Apply workaround
vROps (appliance) 6.x Linux Not affected
* Remote and local exploitation is feasible on vCenter Server 6.0 and
6.0.0a for Windows. Remote exploitation is not feasible on vCenter
Server 6.0.0b (and above) for Windows but local exploitation is. The
local exploitation possibility can be removed by applying the steps
of KB 2145343 to vCenter Server 6.0.0b (and above) for Windows.
** See VMSA-2015-0007 for details.
vCenter Server 5.5 U3d and 5.1 U3d running on Windows addresses
CVE-2016-3427 without the need to install the additional patch
of KB 2144428 documented in VMSA-2015-0007.
*** vSphere Replication is affected if its vCloud Tunneling Agent
is running, which is not enabled by default. This agent is used
in environments that replicate data between the cloud and an
on-premise datacenter.
b. Important VMware Workstation and Player for Windows host privilege
escalation vulnerability.
VMware Workstation and Player for Windows do not properly reference
one of their executables. This may allow a local attacker on the host
to elevate their privileges.
VMware would like to thank Andrew Smith of Sword & Shield Enterprise
Security for reporting this issue to us.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the identifier CVE-2016-2077 to this issue.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
================== ======= ======= =================
VMware Workstation 12.x any not affected
VMware Workstation 11.x Windows 11.1.3
VMware Workstation 11.x Linux not affected
VMware Player 8.x any not affected
VMware Player 7.x Windows 7.1.3
VMware Player 7.x Linux not affected
4. Solution
Please review the patch/release notes for your product and
version and verify the checksum of your downloaded file.
vCenter Server
--------------
Downloads and Documentation:
https://www.vmware.com/go/download-vsphere
vCloud Director
---------------
Downloads and Documentation:
https://www.vmware.com/go/download/vcloud-director
vSphere Replication
-------------------
Downloads and Documentation:
https://my.vmware.com/web/vmware/get-download?downloadGroup=VR611
https://my.vmware.com/web/vmware/get-download?downloadGroup=VR6003
https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5812
https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5606
https://www.vmware.com/support/pubs/vsphere-replication-pubs.html
VMware Workstation
-------------------------
Downloads and Documentation:
https://www.vmware.com/go/downloadworkstation
VMware Player
-------------
Downloads and Documentation:
https://www.vmware.com/go/downloadplayer
5. References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3427
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2077
VMware Security Advisory VMSA-2015-0007
http://www.vmware.com/security/advisories/VMSA-2015-0007.html
VMware Knowledge Base article 2145343
kb.vmware.com/kb/2145343
VMware Knowledge Base article 2144428
kb.vmware.com/kb/2144428
- ------------------------------------------------------------------------
6. Change log
2016-05-17 VMSA-2016-0005
Initial security advisory in conjunction with the release of VMware
vCloud Director 8.0.1.1, 5.6.5.1, and 5.5.6.1, and vSphere
Replication 6.0.0.3, 5.8.1.2, and 5.6.0.6 on 2016-05-17.
2016-05-24 VMSA-2016-0005.1
Updated security advisory in conjunction with the release of vSphere
5.1 U3d on 2016-05-24. vCenter Server 5.1 U3d running on
Windows addresses CVE-2016-3427 without the need to install the
additional patch.
2016-05-27 VMSA-2016-0005.2
Updated security advisory in conjunction with the release of vSphere
Replication 6.1.1 on 2016-05-26.
- ------------------------------------------------------------------------
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
security-announce at lists.vmware.com
bugtraq at securityfocus.com
fulldisclosure at seclists.org
E-mail: security at vmware.com
PGP key at: https://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
Consolidated list of VMware Security Advisories
http://kb.vmware.com/kb/2078735
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
Twitter
https://twitter.com/VMwareSRC
Copyright 2016 VMware Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8
wj8DBQFXSJIHDEcm8Vbi9kMRAt8oAJ9cSrgfC5OlS+lgV8O+6uxcGt5CdQCggsNB
iQZm8gTv4gEEKxa2Af9YbSQ=
=8szQ
-----END PGP SIGNATURE-----
UPDATED VMSA-2015-0007.5 – VMware vCenter and ESXi updates address critical security issues
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2015-0007.5
Synopsis: VMware vCenter and ESXi updates address critical security
issues
Issue date: 2015-10-01
Updated on: 2016-05-24
CVE number: CVE-2015-5177 CVE-2015-2342 CVE-2015-1047
- ------------------------------------------------------------------------
1. Summary
VMware vCenter and ESXi updates address critical security issues.
NOTE: See section 3.b for a critical update on an incomplete fix
for the JMX RMI issue.
2. Relevant Releases
VMware ESXi 5.5 without patch ESXi550-201509101-SG
VMware ESXi 5.1 without patch ESXi510-201510101-SG
VMware ESXi 5.0 without patch ESXi500-201510101-SG
VMware vCenter Server 6.0 prior to version 6.0.0b
VMware vCenter Server 5.5 prior to version 5.5 update 3
VMware vCenter Server 5.1 prior to version 5.1 update u3b
VMware vCenter Server 5.0 prior to version 5.0 update u3e
3. Problem Description
a. VMWare ESXi OpenSLP Remote Code Execution
VMware ESXi contains a double free flaw in OpenSLP's
SLPDProcessMessage() function. Exploitation of this issue may
allow an unauthenticated attacker to remotely execute code on
the ESXi host.
VMware would like to thank Qinghao Tang of QIHU 360 for reporting
this issue to us.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the identifier CVE-2015-5177 to this issue.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======= ======= =================
ESXi 6.0 ESXi not affected
ESXi 5.5 ESXi ESXi550-201509101-SG*
ESXi 5.1 ESXi ESXi510-201510101-SG
ESXi 5.0 ESXi ESXi500-201510101-SG
* Customers who have installed the complete set of ESXi 5.5 U3
Bulletins, please review VMware KB 2133118. KB 2133118 documents
a known non-security issue and provides a solution.
b. VMware vCenter Server JMX RMI Remote Code Execution
VMware vCenter Server contains a remotely accessible JMX RMI
service that is not securely configured. An unauthenticated remote
attacker who is able to connect to the service may be able to use
it to execute arbitrary code on the vCenter Server. A local attacker
may be able to elevate their privileges on vCenter Server.
vCenter Server Appliance (vCSA) 5.1, 5.5 and 6.0 has remote access
to the JMX RMI service (port 9875) blocked by default.
VMware would like to thank Doug McLeod of 7 Elements Ltd and an
anonymous researcher working through HP's Zero Day Initiative for
reporting this issue to us.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the identifier CVE-2015-2342 to this issue.
CRITICAL UPDATE
VMSA-2015-0007.2 and earlier versions of this advisory documented
that CVE-2015-2342 was addressed in vCenter Server 5.0 U3e,
5.1 U3b, and 5.5 U3. Subsequently, it was found that the fix for
CVE-2015-2342 in vCenter Server 5.0 U3e, 5.1 U3b, and
5.5 U3/U3a/U3b running on Windows was incomplete and did not
address the issue.
In order to address the issue on these versions of vCenter Server
Windows, an additional patch must be installed. This additional
patch is available from VMware Knowledge Base (KB) article
2144428. Alternatively, on vSphere 5.5 updating to vCenter Server
5.5 U3d running on Windows will remediate the issue.
In case the Windows Firewall is enabled on the system that has
vCenter Server Windows installed, remote exploitation of
CVE-2015-2342 is not possible. Even if the Windows Firewall is
enabled, users are advised to install the additional patch in
order to remove the local privilege elevation.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======= ======= ===============
VMware vCenter Server 6.0 Any 6.0.0b and above
VMware vCenter Server 5.5 Windows (5.5 U3/U3a/U3b + KB*)
or 5.5 U3d
VMware vCenter Server 5.5 Linux 5.5 U3 and above
VMware vCenter Server 5.1 Windows (5.1 U3b + KB*)
or 5.1 U3d
VMware vCenter Server 5.1 Linux 5.1 U3b
VMware vCenter Server 5.0 Windows 5.0 U3e + KB*
VMware vCenter Server 5.0 Linux 5.0 U3e
* An additional patch provided in VMware KB article 2144428 must be
installed on vCenter Server Windows 5.0 U3e, 5.1 U3b, 5.5 U3,
5.5 U3a, and 5.5 U3b in order to remediate CVE-2015-2342.
This patch is not needed when updating to 5.1 U3d or 5.5 U3d,
or when installing 5.1 U3d or 5.5 U3d.
c. VMware vCenter Server vpxd denial-of-service vulnerability
VMware vCenter Server does not properly sanitize long heartbeat
messages. Exploitation of this issue may allow an unauthenticated
attacker to create a denial-of-service condition in the vpxd
service.
VMware would like to thank the Google Security Team for reporting
this issue to us.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the identifier CVE-2015-1047 to this issue.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======= ======= ==============
VMware vCenter Server 6.0 Any not affected
VMware vCenter Server 5.5 Any 5.5u2
VMware vCenter Server 5.1 Any 5.1u3
VMware vCenter Server 5.0 Any 5.0u3e
4. Solution
Please review the patch/release notes for your product and version
and verify the checksum of your downloaded file.
ESXi
--------------------------------
Downloads:
https://www.vmware.com/patchmgr/findPatch.portal
Documentation:
http://kb.vmware.com/kb/2110247
http://kb.vmware.com/kb/2114875
http://kb.vmware.com/kb/2120209
vCenter Server
--------------------------------
Downloads and Documentation:
https://www.vmware.com/go/download-vsphere
5. References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5177
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2342
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1047
VMware Knowledge Base articles
http://kb.vmware.com/kb/2133118
http://kb.vmware.com/kb/2144428
- ------------------------------------------------------------------------
6. Change log
2015-10-01 VMSA-2015-0007
Initial security advisory in conjunction with ESXi 5.0, 5.1 patches
and VMware vCenter Server 5.1 u3b, 5.0 u3e on 2015-10-01.
2015-10-06 VMSA-2015-0007.1
Updated security advisory in conjunction with the release of ESXi 5.5
U3a on 2015-10-06. Added a note to section 3.a to alert customers to
a non-security issue in ESXi 5.5 U3 that is addressed in ESXi 5.5 U3a.
2015-10-20 VMSA-2015-0007.2
Updated security advisory to reflect that CVE-2015-2342 is fixed in
an earlier vCenter Server version (6.0.0b) than originally reported
(6.0 U1) and that the port required to exploit the vulnerability is
blocked in the appliance versions of the software (5.1 and above).
2016-02-12 VMSA-2015-0007.3
Updated security advisory to add that an additional patch is required
on vCenter Server 5.0 U3e, 5.1 U3b and 5.5 U3/U3a/U3b running on
Windows to remediate CVE-2015-2342.
2016-04-27 VMSA-2015-0007.4
Updated security advisory to add that vCenter Server 5.5 U3d running on
Windows addresses CVE-2105-2342 without the need to install the
additional patch.
2016-05-24 VMSA-2015-0007.5
Updated security advisory to add that vCenter Server 5.1 U3d running on
Windows addresses CVE-2105-2342 without the need to install the
additional patch.
- ------------------------------------------------------------------------
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
security-announce at lists.vmware.com
bugtraq at securityfocus.com
fulldisclosure at seclists.org
E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
Consolidated list of VMware Security Advisories
http://kb.vmware.com/kb/2078735
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
Twitter
https://twitter.com/VMwareSRC
Copyright 2015 VMware Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8
wj8DBQFXRByjDEcm8Vbi9kMRAsoKAKC9iaRAMLJetgtRzBCU2cIehlGbbgCgys8M
T/+fEa9BVET8o1dbp8MPwqQ=
=SJBs
-----END PGP SIGNATURE-----
_______________________________________________
Security-announce mailing list
Security-announce-xEzmwC/hc7si8rCdYzckzA< at >public.gmane.org
http://lists.vmware.com/mailman/listinfo/security-announce
UPDATED VMSA-2016-0005.1 VMware product updates address critical and important security issues
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
--------------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2016-0005.1
Synopsis: VMware product updates address critical and important
security issues
Issue date: 2016-05-17
Updated on: 2016-05-24
CVE number: CVE-2016-3427, CVE-2016-2077
- ------------------------------------------------------------------------
1. Summary
VMware product updates address critical and important
security issues.
2. Relevant Releases
vCenter Server 6.0 on Windows without workaround of KB 2145343
vCenter Server 6.0 on Linux (VCSA) prior to 6.0.0b
vCenter Server 5.5 prior to 5.5 U3d (on Windows), 5.5 U3 (VCSA)
vCenter Server 5.1 prior to 5.1 U3b
vCenter Server 5.0 prior to 5.0 U3e
vCloud Director prior to 8.0.1.1
vCloud Director prior to 5.6.5.1
vCloud Director prior to 5.5.6.1
vSphere Replication prior to 6.0.0.3
vSphere Replication prior to 5.8.1.2
vSphere Replication prior to 5.6.0.6
vRealize Operations Manager 6.x (non-appliance version)
VMware Workstation prior to 11.1.3
VMware Player prior to 7.1.3
3. Problem Description
a. Critical JMX issue when deserializing authentication credentials
The RMI server of Oracle JRE JMX deserializes any class when
deserializing authentication credentials. This may allow a remote,
unauthenticated attacker to cause deserialization flaws and execute
their commands.
Workarounds CVE-2016-3427
vCenter Server
Apply the steps of VMware Knowledge Base article 2145343 to vCenter
Server 6.0 on Windows. See the table below for the specific vCenter
Server 6.0 versions on Windows this applies to.
vCloud Director
No workaround identified
vSphere Replication
No workaround identified
vRealize Operations Manager (non-appliance)
The non-appliance version of vRealize Operations Manager (vROps),
which can be installed on Windows and Linux has no default
firewall. In order to remove the remote exploitation possibility,
access to the following external ports will need to be blocked on
the system where the non-appliance version of vROps is installed:
- vROps 6.2.x: port 9004, 9005, 9006, 9007, 9008
- vROps 6.1.x: port 9004, 9005, 9007, 9008
- vROps 6.0.x: port 9004, 9005
Note: These ports are already blocked by default in the appliance
version of vROps.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the identifier CVE-2016-3427 to this issue.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
====================== ========= ======= =============
vCenter Server 6.0 Windows 6.0.0b + KB 2145343 *
vCenter Server 6.0 Linux 6.0.0b
vCenter Server 5.5 Windows (5.5 U3b + KB 2144428
**)
or 5.5 U3d
vCenter Server 5.5 Linux 5.5 U3
vCenter Server 5.1 Windows (5.1 U3b + KB 2144428
**)
or 5.1U3d
vCenter Server 5.1 Linux 5.1 U3b
vCenter Server 5.0 Windows 5.0 U3e + KB 2144428 **
vCenter Server 5.0 Linux 5.0 U3e
vCloud Director 8.0.x Linux 8.0.1.1
vCloud Director 5.6.x Linux 5.6.5.1
vCloud Director 5.5.x Linux 5.5.6.1
vSphere Replication 6.1.x Linux patch pending ***
vSphere Replication 6.0.x Linux 6.0.0.3 ***
vSphere Replication 5.8.x Linux 5.8.1.2 ***
vSphere Replication 5.6.x Linux 5.6.0.6 ***
vROps (non-appliance) 6.x All Apply workaround
vROps (appliance) 6.x Linux Not affected
* Remote and local exploitation is feasible on vCenter Server 6.0 and
6.0.0a for Windows. Remote exploitation is not feasible on vCenter
Server 6.0.0b (and above) for Windows but local exploitation is. The
local exploitation possibility can be removed by applying the steps
of KB 2145343 to vCenter Server 6.0.0b (and above) for Windows.
** See VMSA-2015-0007 for details.
vCenter Server 5.5 U3d and 5.1 U3d running on Windows addresses
CVE-2016-3427 without the need to install the additional patch
of KB 2144428 documented in VMSA-2015-0007.
*** vSphere Replication is affected if its vCloud Tunneling Agent
is running, which is not enabled by default. This agent is used
in environments that replicate data between the cloud and an
on-premise datacenter.
b. Important VMware Workstation and Player for Windows host privilege
escalation vulnerability.
VMware Workstation and Player for Windows do not properly reference
one of their executables. This may allow a local attacker on the host
to elevate their privileges.
VMware would like to thank Andrew Smith of Sword & Shield Enterprise
Security for reporting this issue to us.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the identifier CVE-2016-2077 to this issue.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
================== ======= ======= =================
VMware Workstation 12.x any not affected
VMware Workstation 11.x Windows 11.1.3
VMware Workstation 11.x Linux not affected
VMware Player 8.x any not affected
VMware Player 7.x Windows 7.1.3
VMware Player 7.x Linux not affected
4. Solution
Please review the patch/release notes for your product and
version and verify the checksum of your downloaded file.
vCenter Server
--------------
Downloads and Documentation:
https://www.vmware.com/go/download-vsphere
vCloud Director
---------------
Downloads and Documentation:
https://www.vmware.com/go/download/vcloud-director
vSphere Replication
-------------------
Downloads and Documentation:
https://my.vmware.com/web/vmware/get-download?downloadGroup=VR6003
https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5812
https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5606
https://www.vmware.com/support/pubs/vsphere-replication-pubs.html
VMware Workstation
-------------------------
Downloads and Documentation:
https://www.vmware.com/go/downloadworkstation
VMware Player
-------------
Downloads and Documentation:
https://www.vmware.com/go/downloadplayer
5. References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3427
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2077
VMware Security Advisory VMSA-2015-0007
http://www.vmware.com/security/advisories/VMSA-2015-0007.html
VMware Knowledge Base article 2145343
kb.vmware.com/kb/2145343
VMware Knowledge Base article 2144428
kb.vmware.com/kb/2144428
- ------------------------------------------------------------------------
6. Change log
2016-05-17 VMSA-2016-0005
Initial security advisory in conjunction with the release of VMware
vCloud Director 8.0.1.1, 5.6.5.1, and 5.5.6.1, and vSphere
Replication 6.0.0.3, 5.8.1.2, and 5.6.0.6 on 2016-05-17.
2016-05-24 VMSA-2016-0005.1
Updated security advisory in conjunction with the release of vSphere
5.1 U3d on 2016-05-24. vCenter Server 5.1 U3d running on
Windows addresses CVE-2016-3427 without the need to install the
additional patch.
- ------------------------------------------------------------------------
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
security-announce at lists.vmware.com
bugtraq at securityfocus.com
fulldisclosure at seclists.org
E-mail: security at vmware.com
PGP key at: https://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
Consolidated list of VMware Security Advisories
http://kb.vmware.com/kb/2078735
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
Twitter
https://twitter.com/VMwareSRC
Copyright 2016 VMware Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8
wj8DBQFXRBrxDEcm8Vbi9kMRArdBAJ9folVLwEJ96XeQYcXgYZVhb91muQCgrCgl
6lMvZLSvXOxYO8jc6xakF5o=
=sGc+
-----END PGP SIGNATURE-----
_______________________________________________
Security-announce mailing list
Security-announce-xEzmwC/hc7si8rCdYzckzA< at >public.gmane.org
http://lists.vmware.com/mailman/listinfo/security-announce