------------------------------------------------------------------------
VMware Security Advisory

Advisory ID: VMSA-2015-0007
Synopsis:    VMware vCenter and ESXi updates address critical security
             issues
Issue date:  2015-10-01
Updated on:  2015-10-01
CVE number:  CVE-2015-5177 CVE-2015-2342 CVE-2015-1047
------------------------------------------------------------------------

1. Summary

   VMware vCenter and ESXi updates address critical security issues.

2. Relevant Releases

   VMware ESXi 5.5 without patch ESXi550-201509101
   VMware ESXi 5.1 without patch ESXi510-201510101
   VMware ESXi 5.0 without patch ESXi500-201510101

   VMware vCenter Server 6.0 prior to version 6.0 update 1
   VMware vCenter Server 5.5 prior to version 5.5 update 3
   VMware vCenter Server 5.1 prior to version 5.1 update u3b
   VMware vCenter Server 5.0 prior to version 5.0 update u3e

3. Problem Description

   a. VMware ESXi OpenSLP Remote Code Execution

   VMware ESXi contains a double free flaw in OpenSLP's
   SLPDProcessMessage() function. Exploitation of this issue may allow
   an unauthenticated attacker to execute code remotely on the ESXi
   host.

   VMware would like to thank Qinghao Tang of QIHU 360 for reporting
   this issue to us.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the identifier CVE-2015-5177 to this issue.

   Column 4 of the following table lists the action required to
   remediate the vulnerability in each release, if a solution is
   available.

   VMware   Product  Running  Replace with/
   Product  Version  on       Apply Patch
   =======  =======  =======  =================
   ESXi     6.0      ESXi     not affected
   ESXi     5.5      ESXi     ESXi550-201509101
   ESXi     5.1      ESXi     ESXi510-201510101
   ESXi     5.0      ESXi     ESXi500-201510101

   b. VMware vCenter Server JMX RMI Remote Code Execution

   VMware vCenter Server contains a remotely accessible JMX RMI service
   that is not securely configured. An unauthenticated remote attacker
   that is able to connect to the service may be able to use it to
   execute arbitrary code on the vCenter server.

   VMware would like to thank Doug McLeod of 7 Elements Ltd and an
   anonymous researcher working through HP's Zero Day Initiative for
   reporting this issue to us.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the identifier CVE-2015-2342 to this issue.

   Column 4 of the following table lists the action required to
   remediate the vulnerability in each release, if a solution is
   available.

   VMware                 Product  Running  Replace with/
   Product                Version  on       Apply Patch
   =====================  =======  =======  ===============
   VMware vCenter Server  6.0      Any      6.0 u1
   VMware vCenter Server  5.5      Any      5.5 u3
   VMware vCenter Server  5.1      Any      5.1 u3b
   VMware vCenter Server  5.0      Any      5.0 u3e

   c. VMware vCenter Server vpxd denial-of-service vulnerability

   VMware vCenter Server does not properly sanitize long heartbeat
   messages. Exploitation of this issue may allow an unauthenticated
   attacker to create a denial-of-service condition in the vpxd
   service.

   VMware would like to thank the Google Security Team for reporting
   this issue to us.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the identifier CVE-2015-1047 to this issue.

   Column 4 of the following table lists the action required to
   remediate the vulnerability in each release, if a solution is
   available.

   VMware                 Product  Running  Replace with/
   Product                Version  on       Apply Patch
   =====================  =======  =======  ==============
   VMware vCenter Server  6.0      Any      not affected
   VMware vCenter Server  5.5      Any      5.5u2
   VMware vCenter Server  5.1      Any      5.1u3
   VMware vCenter Server  5.0      Any      5.0u3e

4. Solution

   Please review the patch/release notes for your product and version
   and verify the checksum of your downloaded file.

   ESXi
   --------------------------------
   Downloads:
   https://www.vmware.com/patchmgr/findPatch.portal

   Documentation:
   http://kb.vmware.com/kb/2110247
   http://kb.vmware.com/kb/2114875
   http://kb.vmware.com/kb/2120209

   vCenter Server
   --------------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/download-vsphere

5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5177
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2342
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1047

------------------------------------------------------------------------

6. Change log

   2015-10-01 VMSA-2015-0007
   Initial security advisory in conjunction with ESXi 5.0, 5.1 patches
   and VMware vCenter Server 5.1 u3b, 5.0 u3e on 2015-10-01.

------------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

   security-announce at lists.vmware.com
   bugtraq at securityfocus.com
   fulldisclosure at seclists.org

   E-mail: security at vmware.com
   PGP key at: http://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   Consolidated list of VMware Security Advisories
   http://kb.vmware.com/kb/2078735

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html

   Twitter
   https://twitter.com/VMwareSRC

   Copyright 2015 VMware Inc. All rights reserved.

_______________________________________________
Security-announce mailing list
http://lists.vmware.com/mailman/listinfo/security-announce
NEW VMSA-2015-0006 – VMware vCenter Server updates address a LDAP certificate validation issue
------------------------------------------------------------------------
VMware Security Advisory

Advisory ID: VMSA-2015-0006
Synopsis:    VMware vCenter Server updates address a LDAP certificate
             validation issue
Issue date:  2015-09-16
Updated on:  2015-09-16
CVE number:  CVE-2015-6932
------------------------------------------------------------------------

1. Summary

   VMware vCenter Server updates address a LDAP certificate validation
   issue.

2. Relevant Releases

   VMware vCenter Server prior to version 6.0 update 1
   VMware vCenter Server prior to version 5.5 update 3

3. Problem Description

   VMware vCenter Server LDAP certificate validation vulnerability

   VMware vCenter Server does not validate the certificate when binding
   to an LDAP server using TLS. Exploitation of this vulnerability may
   allow an attacker that is able to intercept traffic between vCenter
   Server and the LDAP server to capture sensitive information.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the identifier CVE-2015-6932 to this issue.

   Column 4 of the following table lists the action required to
   remediate the vulnerability in each release, if a solution is
   available.

   VMware                 Product  Running  Replace with/
   Product                Version  on       Apply Patch
   =====================  =======  =======  ===============
   VMware vCenter Server  6.0      Any      6.0 u1
   VMware vCenter Server  5.5      Any      5.5 u3
   VMware vCenter Server  5.1      Any      not affected
   VMware vCenter Server  5.0      Any      not affected

4. Solution

   Please review the patch/release notes for your product and version
   and verify the checksum of your downloaded file.

   vCenter Server
   --------------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/download-vsphere

5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6932

------------------------------------------------------------------------

6. Change log

   2015-09-16 VMSA-2015-0006
   Initial security advisory.

------------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

   security-announce at lists.vmware.com
   bugtraq at securityfocus.com
   fulldisclosure at seclists.org

   E-mail: security at vmware.com
   PGP key at: http://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   Consolidated list of VMware Security Advisories
   http://kb.vmware.com/kb/2078735

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html

   Twitter
   https://twitter.com/VMwareSRC

   Copyright 2015 VMware Inc. All rights reserved.
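As an added illustration of what "does not validate the certificate when binding to an LDAP server using TLS" means on the client side (this is example code, not VMware's), the Python below builds the RFC 4511 StartTLS exchange an LDAP client sends before its bind and places the non-validating TLS context next to the validating one. The host, port and CA bundle path are assumptions supplied by the caller; the directory server itself is not contacted by the tests.

```python
import socket
import ssl

# RFC 4511 / RFC 2830 StartTLS extended operation OID
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"


def ber_tlv(tag, payload):
    """Minimal BER tag-length-value encoder (short and long definite length)."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + payload


def build_starttls_request(message_id=1):
    """LDAPMessage { messageID INTEGER,
                     ExtendedRequest [APPLICATION 23] { requestName [0] LDAPOID } }
    message_id is assumed to be below 128 so the INTEGER fits one byte."""
    msg_id = ber_tlv(0x02, bytes([message_id]))      # INTEGER
    request_name = ber_tlv(0x80, STARTTLS_OID)       # [0] requestName, primitive
    ext_req = ber_tlv(0x77, request_name)            # [APPLICATION 23], constructed
    return ber_tlv(0x30, msg_id + ext_req)           # SEQUENCE


def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def starttls_result_code(reply):
    """resultCode of the ExtendedResponse; 0 (success) means the server is
    ready to negotiate TLS on this connection."""
    tag, body, _ = _read_tlv(reply, 0)               # LDAPMessage SEQUENCE
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = _read_tlv(body, 0)                   # messageID
    tag, op, _ = _read_tlv(body, pos)                # protocolOp
    if tag != 0x78:                                  # [APPLICATION 24] ExtendedResponse
        raise ValueError("not an ExtendedResponse")
    _, code, _ = _read_tlv(op, 0)                    # resultCode ENUMERATED
    return int.from_bytes(code, "big")


def insecure_context():
    """The shape of the defect in VMSA-2015-0006: the handshake completes with
    whatever certificate the peer presents, so anyone who can intercept the
    path to the LDAP server can terminate TLS and read the bind."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def validating_context(ca_bundle=None):
    """Validate the server chain against the trusted CAs (a pinned bundle for
    the directory, or the system store when ca_bundle is None) and require
    the certificate to match the hostname passed to wrap_socket()."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_validates_peer(ctx):
    """Audit check: True only if chain validation and hostname matching are both on."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def starttls_connect(host, port, ctx, timeout=10):
    """Open the LDAP connection, upgrade it with StartTLS and hand it to TLS.
    server_hostname is what makes check_hostname meaningful (and sets SNI).
    Needs a live directory server, so the tests do not call it."""
    sock = socket.create_connection((host, port), timeout=timeout)
    sock.sendall(build_starttls_request())
    if starttls_result_code(sock.recv(4096)) != 0:
        sock.close()
        raise ConnectionError("server refused StartTLS")
    # With validating_context() this raises ssl.SSLCertVerificationError on a
    # forged or mismatched certificate instead of silently proceeding to bind.
    return ctx.wrap_socket(sock, server_hostname=host)
```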
UPDATE : VMSA-2015-0003.11 – VMware product updates address critical information disclosure issue in JRE.
------------------------------------------------------------------------
VMware Security Advisory

Advisory ID: VMSA-2015-0003.11
Synopsis:    VMware product updates address critical information
             disclosure issue in JRE.
Issue date:  2015-04-02
Updated on:  2015-09-10
CVE number:  CVE-2014-6593, for other CVEs see JRE reference
------------------------------------------------------------------------

1. Summary

   VMware product updates address critical information disclosure issue
   in JRE.

2. Relevant Releases

   Horizon View 6.x or 5.x
   Horizon Workspace Portal Server 2.1 or 2.0
   Horizon DaaS Platform 6.1.4 or 5.4.5
   vCloud Networking and Security prior to 5.5.4.1
   vCloud Connector 2.7
   vCloud Usage Meter 3.3
   vCenter Site Recovery Manager prior to 5.5.1.5
   vCenter Server 6.0, 5.5, 5.1 or 5.0
   vRealize Operations Manager 6.0
   vCenter Operations Manager 5.8.x or 5.7.x
   vCenter Support Assistant 5.5.1.x
   vRealize Application Services 6.2 or 6.1
   vCloud Application Director 6.0
   vRealize Automation 6.2 or 6.1
   vCloud Automation Center 6.0.1
   vSphere Replication prior to 5.8.0.2, 5.6.0.3 or 5.5.1.5
   vRealize Automation 6.2.x or 6.1.x
   vRealize Code Stream 1.1 or 1.0
   vFabric Postgres 9.3.6.0, 9.2.10.0 or 9.1.15.0
   vRealize Hyperic 5.8.x, 5.7.x or 5.0.x
   vSphere AppHA Prior to 1.1.x
   vSphere Big Data Extensions 2.1 and 2.0
   vSphere Data Protection 6.0
   vCenter Chargeback Manager 2.7 or 2.6
   vRealize Business Adv/Ent 8.1 or 8.0
   vRealize Business Standard prior to 1.1.x or 1.0.x
   NSX for vSphere 6.1
   NSX for Multi-Hypervisor prior to 4.2.4
   vCloud Director prior to 5.5.3
   vCloud Director Service Providers prior to 5.6.4.1
   vCenter Application Discovery Manager 7.0
   vRealize Configuration Manager 5.7.x or 5.6.x
   vRealize Infrastructure 5.8 or 5.7
   vRealize Orchestrator 6.0, 5.5 or 5.1.3.1
   vRealize Log Insight 2.5, 2.0, 1.5 or 1.0
   vSphere Management Assistant 5.5 or 5.1
   vSphere Update Manager 6.0, 5.5, 5.1 or 5.0
   EVO:RAIL prior to 1.2.1

3. Problem Description

   a. Oracle JRE Update

   Oracle JRE is updated in VMware products to address a critical
   security issue that existed in earlier releases of Oracle JRE.

   VMware products running JRE 1.7 Update 75 or newer and JRE 1.6
   Update 91 or newer are not vulnerable to CVE-2014-6593, as
   documented in the Oracle Java SE Critical Patch Update Advisory of
   January 2015. This advisory also includes the other security issues
   that are addressed in JRE 1.7 Update 75 and JRE 1.6 Update 91. The
   References section provides a link to the JRE advisory.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the identifier CVE-2014-6593 to this issue. This issue is
   also known as "SKIP" or "SKIP-TLS".

   Column 4 of the following table lists the action required to
   remediate the vulnerability in each release, if a solution is
   available.

   VMware                                 Product   Running  Replace with/
   Product                                Version   on       Apply Patch**
   =====================================  ========  =======  =================
   Horizon View                           6.x       any      6.1
   Horizon View                           5.x       any      5.3.4
   Horizon Workspace Portal Server        2.1 ,2.0  any      2.1.1
   Horizon DaaS Platform                  6.1       any      6.1.4
   Horizon DaaS Platform                  5.4       any      5.4.5
   vCloud Networking and Security         5.5       any      5.5.4.1*
   vCloud Connector                       2.7       any      2.7.1*
   vCloud Usage Meter                     3.3       any      3.3.3*
   vCenter Site Recovery Manager          5.5.x     any      5.5.1.5***
   vCenter Site Recovery Manager          5.1.x     any      patch pending***
   vCenter Site Recovery Manager          5.0.x     any      patch pending***
   vCenter Server                         6.0       any      6.0.0a
   vCenter Server                         5.5       any      Update 2e
   vCenter Server                         5.1       any      Update 3a
   vCenter Server                         5.0       any      Update 3d
   vRealize Operations Manager            6.0       any      KB2111898
   vCenter Operations Manager             5.8.x     any      KB2111172
   vCenter Operations Manager             5.7.x     any      KB2111172
   vCenter Support Assistant              5.5.1.x   any      6.0
   vRealize Application Services          6.2       any      KB2111981
   vRealize Application Services          6.1       any      KB2111981
   vCloud Application Director            6.0       any      KB2111981
   vCloud Application Director            5.2       any      KB2111981
   vRealize Automation                    6.2       any      KB2111658
   vRealize Automation                    6.1       any      KB2111658
   vCloud Automation Center               6.0.1     any      KB2111658
   vRealize Code Stream                   1.1       any      KB2111658
   vRealize Code Stream                   1.0       any      KB2111658
   vPostgres                              9.3.x     any      9.3.6.0
   vPostgres                              9.2.x     any      9.2.10.0
   vPostgres                              9.1.x     any      9.1.15.0
   vSphere Replication                    5.8.0     any      5.8.0.2
   vSphere Replication                    5.6.0     any      5.6.0.3
   vSphere Replication                    5.5.0     any      5.5.1.5
   vSphere Replication                    5.1       any      patch pending
   vRealize Hyperic                       5.8       any      KB2111337
   vRealize Hyperic                       5.7       any      KB2111337
   vRealize Hyperic                       5.0       any      KB2111337
   vSphere AppHA                          1.1       any      KB2111336
   vSphere Big Data Extensions            2.1       any      KB2116604*
   vSphere Big Data Extensions            2.0       any      KB2116604*
   vSphere Data Protection                6.0       any      6.1*
   vSphere Data Protection                5.8       any      patch pending*
   vSphere Data Protection                5.5       any      patch pending*
   vSphere Data Protection                5.1       any      patch pending*
   vCenter Chargeback Manager             2.7       any      KB2112011*
   vCenter Chargeback Manager             2.6       any      KB2113178*
   vRealize Business Adv/Ent              8.1       any      KB2112258*
   vRealize Business Adv/Ent              8.0       any      KB2112258*
   vRealize Business Standard             6.0       any      KB2111802
   vRealize Business Standard             1.1       any      KB2111802
   vRealize Business Standard             1.0       any      KB2111802
   NSX for vSphere                        6.1       any      6.1.4*
   NSX for Multi-Hypervisor               4.2       any      4.2.4*
   vCloud Director                        5.5.x     any      5.5.3*
   vCloud Director For Service Providers  5.6.4     any      5.6.4.1*
   vCenter Application Discovery Manager  7.0       any      7.1*
   vRealize Configuration Manager         5.7.x     any      KB2111670
   vRealize Configuration Manager         5.6       any      KB2111670
   vRealize Infrastructure Navigator      5.8       any      5.8.4
   vRealize Infrastructure Navigator      5.7       any      KB2111334*
   vRealize Orchestrator                  6.0       any      KB2112028*
   vRealize Orchestrator                  5.5       any      KB2112028*
   vRealize Orchestrator                  5.1       any      5.1.3.1*
   vRealize Log Insight                   2.5       any      KB2113235*
   vRealize Log Insight                   2.0       any      KB2113235*
   vRealize Log Insight                   1.5       any      KB2113235*
   vRealize Log Insight                   1.0       any      KB2113235*
   vSphere Management Assistant           5.5.x     any      5.5.0.4
   vSphere Management Assistant           5.1.x     any      5.1.0.3
   vSphere Update Manager                 6.0       any      6.0.0a*
   vSphere Update Manager                 5.5       any      Update 2e*
   vSphere Update Manager                 5.1       any      Update 3a*
   vSphere Update Manager                 5.0       any      Update 3d*
   EVO:RAIL                               1.2.0     any      1.2.1*

   * The severity of critical is lowered to important for this product
     as it is not considered Internet facing.

   ** Knowledge Base (KB) articles provide details of the patches and
      how to install them.

   *** vCenter Site Recovery Manager 5.0, 5.1, and 5.5 themselves do
       not include JRE, but they include the vSphere Replication
       appliance, which has JRE. vCenter Site Recovery Manager 5.8 and
       6.0 include neither JRE nor the vSphere Replication appliance.

4. Solution

   Please review the patch/release notes for your product and version
   and verify the checksum of your downloaded file.

   Horizon View 6.1, 5.3.4:
   ========================
   Downloads:
   https://my.vmware.com/web/vmware/details?downloadGroup=VIEW-610-GA&productId=492
   https://my.vmware.com/web/vmware/details?downloadGroup=VIEW-534-PREMIER&productId=396

   VMware Workspace Portal 2.1.1
   =============================
   Download:
   https://my.vmware.com/web/vmware/details?downloadGroup=HZNWS211&productId=501&rPId=7586
   Documentation:
   https://www.vmware.com/support/horizon_workspace/doc/wp_release_notes_211.html

   Horizon DaaS Platform 6.1.4
   ===========================
   Download:
   https://my.vmware.com/web/vmware/details?downloadGroup=HORIZON-DAAS-610-BIN&productId=405&rPId=6527

   Horizon DaaS Platform 5.4.5
   ===========================
   Download:
   https://my.vmware.com/web/vmware/details?downloadGroup=HORIZON-DAAS-ONPREM-540&productId=398&rPId=5214

   vCloud Networking and Security 5.5.4.1
   ======================================
   Download:
   https://my.vmware.com/web/vmware/details?productId=360&rPId=7625&downloadGroup=VCNS5541
   Documentation:
   https://www.vmware.com/support/vshield/doc/releasenotes_vshield_5541.html

   vCloud Connector 2.7.1
   ======================
   Downloads and Documentation:
   http://www.vmware.com/support/hybridcloud/doc/hybridcloud_271_rel_notes.html

   vCloud Usage Meter 3.3.3
   ========================
   Downloads:
   https://my.vmware.com/en/group/vmware/get-download?downloadGroup=UMSV333

   vCenter Application Discovery Manager 7.1
   =========================================
   Download:
   https://my.vmware.com/web/vmware/details?downloadGroup=VADM-710-VA&productId=300&rPId=8646
   Documentation:
   https://www.vmware.com/support/adm/doc/vcenter-application-discovery-manager-71-release-notes.html

   vCenter Site Recovery Manager 5.5.1.5
   =====================================
   Downloads:
   https://my.vmware.com/web/vmware/details?downloadGroup=SRM5515&productId=357&rPId=7774
   Documentation:
   https://www.vmware.com/support/srm/srm-releasenotes-5-5-1.html

   vCenter Server 6.0, 5.5, 5.1, 5.0
   =================================
   Downloads and Documentation:
   https://www.vmware.com/go/download-vsphere

   vRealize Operations Manager 6.0.1
   =================================
   Downloads and Documentation:
   http://kb.vmware.com/kb/2111898

   vCenter Support Assistant 6.0
   =============================
   Downloads and Documentation:
   https://my.vmware.com/web/vmware/details?downloadGroup=VCSA600&productId=491

   vRealize Application Services 6.2, 6.1
   ======================================
   Downloads and Documentation:
   http://kb.vmware.com/kb/2111981

   NSX for vSphere 6.1.4
   =====================
   Downloads and Documentation:
   https://my.vmware.com/web/vmware/details?productId=417&downloadGroup=NSX-V-614

   NSX for Multi-Hypervisor 4.2.4
   ==============================
   Downloads and Documentation:
   https://my.vmware.com/web/vmware/info/slug/networking_security/vmware_nsx/4_x

   vCloud Application Director 6.0
   ===============================
   Downloads and Documentation:
   http://kb.vmware.com/kb/2111981

   vCloud Director for Service Providers 5.6.4.1
   =============================================
   Downloads and Documentation:
   https://www.vmware.com/support/pubs/vcd_sp_pubs.html

   vCenter Operations Manager 5.8.5, 5.7.4
   =======================================
   Downloads and Documentation:
   http://kb.vmware.com/kb/2111172

   vCloud Automation Center 6.0.1.2
   ================================
   Downloads and Documentation:
   http://kb.vmware.com/kb/2111685

   vSphere Replication 5.8.0.2, 5.6.0.3, 5.5.1.5
   =============================================
   Downloads:
   https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5802
   https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5603
   https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5515
   Documentation:
   http://kb.vmware.com/kb/2112025
   http://kb.vmware.com/kb/2112022

   vRealize Automation 6.2.1, 6.1.1
   ================================
   Downloads and Documentation:
   http://kb.vmware.com/kb/2111658

   vRealize Code Stream 1.1, 1.0
   =============================
   Downloads and Documentation:
   http://kb.vmware.com/kb/2111685

   vFabric Postgres
   ================
   Downloads:
   https://my.vmware.com/group/vmware/details?downloadGroup=VFPG_936&productId=373&rPId=7787
   https://my.vmware.com/group/vmware/details?downloadGroup=VFPG_92_10&productId=325&rPId=7788
   https://my.vmware.com/group/vmware/details?downloadGroup=VFPG_91_15&productId=274&rPId=7789

   vRealize Hyperic 5.8.4, 5.7.2, 5.0.3
   ====================================
   Downloads and Documentation:
   http://kb.vmware.com/kb/KB2111337

   vSphere AppHA 1.1.1
   ===================
   Downloads and Documentation:
   http://kb.vmware.com/kb/2111336

   vSphere Big Data Extensions 2.1 and 2.0
   =======================================
   Downloads and Documentation:
   http://kb.vmware.com/kb/2116604

   vSphere Data Protection 6.1
   ===========================
   Downloads:
   https://my.vmware.com/web/vmware/details?productId=491&downloadGroup=VDP61
   Documentation:
   http://pubs.vmware.com/Release_Notes/en/vdp/61/vdp_610_releasenotes.html

   vCenter Chargeback Manager 2.7
   ==============================
   Downloads and Documentation:
   http://kb.vmware.com/kb/2112011

   vCenter Chargeback Manager 2.6
   ==============================
   Downloads and Documentation:
   http://kb.vmware.com/kb/2113178

   vRealize Business Adv/Ent 8.1, 8.0
   ==================================
   Downloads and Documentation:
   http://kb.vmware.com/kb/2112258

   vRealize Business Standard 6.0, 1.1, 1.0
   ========================================
   Downloads and Documentation:
   http://kb.vmware.com/kb/2111802

   vRealize Configuration Manager 5.7.3
   ====================================
   Downloads and Documentation:
   http://kb.vmware.com/kb/2111670

   vRealize Infrastructure Navigator 5.8.4
   =======================================
   Download:
   https://my.vmware.com/web/vmware/details?downloadGroup=VIN_584&productId=476

   vRealize Infrastructure Navigator 5.7
   =====================================
   Downloads and Documentation:
   http://kb.vmware.com/kb/2111334

   vRealize Orchestrator 6.0, 5.5
   ==============================
   Downloads and Documentation:
   http://kb.vmware.com/kb/2112028

   vRealize Orchestrator 5.1.3.1
   =============================
   Download:
   https://my.vmware.com/group/vmware/get-download?downloadGroup=VSP51-VCL-VCOVA-51U3A
   Documentation:
   https://www.vmware.com/support/pubs/orchestrator_pubs.html

   vSphere Management Assistant 5.5.0.4
   ====================================
   Download:
   https://my.vmware.com/web/vmware/details?downloadGroup=VMA550&productId=352
   Documentation:
   http://kb.vmware.com/kb/2112648

   vSphere Management Assistant 5.1.0.3
   ====================================
   Download:
   https://my.vmware.com/web/vmware/details?downloadGroup=VSP510-VMA-510&productId=285
   Documentation:
   http://kb.vmware.com/kb/2112647

   vSphere Update Manager 6.0, 5.5, 5.1, 5.0
   =========================================
   Downloads and Documentation:
   https://www.vmware.com/go/download-vsphere

   EVO:RAIL
   ========
   Downloads and Documentation:
   https://my.vmware.com/group/vmware/details?productId=442&downloadGroup=EVORAIL1_2_1

5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6593

   JRE
   Oracle Java SE Critical Patch Update Advisory of January 2015
   http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html

------------------------------------------------------------------------

6. Change log

   2015-04-02 VMSA-2015-0003
   Initial security advisory in conjunction with the release of VMware
   Horizon View 6.1, 5.3.4; vCenter Operations Manager 5.8.5; vCenter
   Operations Manager 5.7.4; vCloud Automation Center 6.0.1.2; vSphere
   Replication 5.8.0.2, 5.6.0.3; vRealize Automation 6.2.1, 6.1.1;
   vRealize Code Stream 1.1, 1.0; vRealize Hyperic 5.8.4, 5.7.2, 5.0.3;
   vSphere AppHA 1.1.1; vRealize Business Standard 1.1.1, 1.0.1;
   vRealize Configuration Manager prior to 5.7.3; vRealize
   Infrastructure 5.7, 5.8.4 Patches released on 2015-04-02.

   2015-04-09 VMSA-2015-0003.1
   Updated Security advisory in conjunction with the release of VMware
   Horizon DaaS Platform 6.1.4, 5.4.5; vRealize Operations Manager 6.0;
   vRealize Application Services 6.2; vRealize Application Services 6.1;
   vCloud Application Director 6.0; vCenter Chargeback Manager 2.7, 2.6;
   vCloud Director For Service Providers 5.6.4.1; vRealize Log Insight
   2.5, 2.0, 1.5, 1.0 Patches released on 2015-04-09.

   2015-04-13 VMSA-2015-0003.2
   Updated Security advisory in conjunction with the release of vRealize
   Business Adv/Ent 8.1, 8.0 Patches released on 2015-04-13.

   2015-04-16 VMSA-2015-0003.3
   Updated Security advisory in conjunction with the release of vCloud
   Connector 2.7.1; vCloud Usage Meter 3.3.3; vCenter Server 6.0, 5.5;
   vSphere Update Manager 6.0, 5.5 patches released on 2015-04-16.

   2015-04-17 VMSA-2015-0003.4
   Updated Security advisory in conjunction with the release of vCenter
   Site Recovery Manager 5.5.1.5 patches released on 2015-04-16.

   2015-04-23 VMSA-2015-0003.5
   Updated Security advisory in conjunction with the release of NSX for
   Multi-Hypervisor 4.2.4 and vFabric Postgres 9.3.6.0, 9.2.10.0 or
   9.1.15.0 patches released on 2015-04-23.

   2015-04-30 VMSA-2015-0003.6
   Updated Security advisory in conjunction with the release of vCloud
   Networking and Security 5.5.4.1, vCenter Server 5.1 Update 3a,
   vCenter Server 5.0 Update 3d, vRealize Orchestrator 5.1.3.1, vSphere
   Update Manager 5.1 Update 3a and vSphere Update Manager 5.0 Update 3d
   patches released on 2015-04-30.

   2015-05-07 VMSA-2015-0003.7
   Updated Security advisory in conjunction with the release of vCenter
   Support Assistant 6.0, vSphere Big Data Extensions 2.1 and 2.0, NSX
   for vSphere 6.1.4 patches released on 2015-05-07.

   2015-05-08 VMSA-2015-0003.8
   Updated Security advisory in conjunction with the release of vSphere
   Management Assistant 5.5 and 5.1 patches released on 2015-05-08.

   2015-07-02 VMSA-2015-0003.9
   Updated Security advisory in conjunction with the release of EVO:Rail
   1.2.1 patches released on 2015-07-02.

   2015-08-14 VMSA-2015-0003.10
   Updated Security advisory in conjunction with the release of vCenter
   Application Discovery Manager 7.1.0 patches released on 2015-08-13.

   2015-09-10 VMSA-2015-0003.11
   Updated Security advisory in conjunction with the release of VMware
   vSphere Data Protection 6.1 released on 2015-09-10.

------------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

   security-announce at lists.vmware.com
   bugtraq at securityfocus.com
   fulldisclosure at seclists.org

   E-mail: security at vmware.com
   PGP key at: http://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   Consolidated list of VMware Security Advisories
   http://kb.vmware.com/kb/2078735

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html

   Twitter
   https://twitter.com/VMwareSRC

   Copyright 2015 VMware Inc. All rights reserved.
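The remediation tables in these advisories (column 4 of the tables in VMSA-2015-0007 and VMSA-2015-0003 above) are what an operator has to act on, and the same layout recurs in every VMSA. The following Python is added here and is not VMware tooling: it parses a table in that layout, including wrapped product names, version wildcards such as 5.1.x and the trailing footnote marks, and returns the column-4 action for an installed product and version. The sample table is constructed from rows that appear on this page.

```python
import re
from dataclasses import dataclass

# Constructed sample: rows taken from the remediation tables on this page
# (VMSA-2015-0007 and VMSA-2015-0003), in the advisories' own layout.
# Columns are separated by two or more spaces, a product name that wraps
# continues on the next line, and trailing '*' marks refer to footnotes.
SAMPLE_TABLE = """\
VMware                          Product   Running  Replace with/
Product                         Version   on       Apply Patch**
==============================  ========  =======  =================
ESXi                            6.0       ESXi     not affected
ESXi                            5.5       ESXi     ESXi550-201509101
VMware vCenter Server           6.0       Any      6.0 u1
VMware vCenter Server           5.5       Any      5.5 u3
Horizon View                    6.x       any      6.1
Horizon Workspace Portal        2.1 ,2.0  any      2.1.1
Server
vCenter Site Recovery Manager   5.1.x     any      patch pending***
vCloud Networking and Security  5.5       any      5.5.4.1*
"""


@dataclass
class Row:
    product: str
    versions: list        # e.g. ["5.5"], ["2.1", "2.0"], ["6.x"]
    running_on: str
    action: str           # fix id, "not affected" or "patch pending"
    footnotes: int = 0    # number of trailing '*' marks on the action


def parse_remediation_table(text):
    """Parse a VMSA remediation table into Row objects."""
    rows, in_body = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if in_body:                      # blank line ends the table
                break
            continue
        if line.startswith("*"):             # footnotes follow the table
            break
        if not in_body:                      # skip header until the '====' rule
            in_body = re.fullmatch(r"[=\s]+", line) is not None
            continue
        cols = re.split(r"\s{2,}", line)
        if len(cols) < 4:                    # wrapped product name, e.g. "Server"
            if rows:
                rows[-1].product += " " + " ".join(cols)
            continue
        product, version, running_on = cols[0], cols[1], cols[2]
        action = " ".join(cols[3:])
        stars = len(action) - len(action.rstrip("*"))
        rows.append(Row(product,
                        [v.strip() for v in version.split(",") if v.strip()],
                        running_on, action.rstrip("*").strip(), stars))
    return rows


def _version_matches(pattern, installed):
    """'5.5' covers 5.5.*, '6.x' covers 6.*, '5.1.x' covers 5.1.*."""
    want = [p for p in pattern.split(".") if p.lower() != "x"]
    have = re.split(r"[.\-_ ]", installed.strip())
    return have[:len(want)] == want


def action_for(rows, product, installed_version):
    """Column-4 action for an installed product/version, or None when the
    table has no row for it (which is not the same as 'not affected')."""
    for row in rows:
        if row.product.lower() != product.lower():
            continue
        if any(_version_matches(v, installed_version) for v in row.versions):
            return row.action
    return None


def outstanding(rows, inventory):
    """Inventory entries (product, version) that the table says need a patch
    applied or are waiting for one.  'not affected' and unlisted entries are
    skipped; whether the listed fix is already installed is a separate check."""
    result = []
    for product, version in inventory:
        action = action_for(rows, product, version)
        if action and action != "not affected":
            result.append((product, version, action))
    return result
```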
UPDATE : VMSA-2015-0003.10 – VMware product updates address critical information disclosure issue in JRE.
------------------------------------------------------------------------
VMware Security Advisory

Advisory ID: VMSA-2015-0003.10
Synopsis:    VMware product updates address critical information
             disclosure issue in JRE.
Issue date:  2015-04-02
Updated on:  2015-08-14
CVE number:  CVE-2014-6593, for other CVEs see JRE reference
------------------------------------------------------------------------

1. Summary

   VMware product updates address critical information disclosure issue
   in JRE.

2. Relevant Releases

   Horizon View 6.x or 5.x
   Horizon Workspace Portal Server 2.1 or 2.0
   Horizon DaaS Platform 6.1.4 or 5.4.5
   vCloud Networking and Security prior to 5.5.4.1
   vCloud Connector 2.7
   vCloud Usage Meter 3.3
   vCenter Site Recovery Manager prior to 5.5.1.5
   vCenter Server 6.0, 5.5, 5.1 or 5.0
   vRealize Operations Manager 6.0
   vCenter Operations Manager 5.8.x or 5.7.x
   vCenter Support Assistant 5.5.1.x
   vRealize Application Services 6.2 or 6.1
   vCloud Application Director 6.0
   vRealize Automation 6.2 or 6.1
   vCloud Automation Center 6.0.1
   vSphere Replication prior to 5.8.0.2, 5.6.0.3 or 5.5.1.5
   vRealize Automation 6.2.x or 6.1.x
   vRealize Code Stream 1.1 or 1.0
   vFabric Postgres 9.3.6.0, 9.2.10.0 or 9.1.15.0
   vRealize Hyperic 5.8.x, 5.7.x or 5.0.x
   vSphere AppHA Prior to 1.1.x
   vSphere Big Data Extensions 2.1 and 2.0
   vCenter Chargeback Manager 2.7 or 2.6
   vRealize Business Adv/Ent 8.1 or 8.0
   vRealize Business Standard prior to 1.1.x or 1.0.x
   NSX for vSphere 6.1
   NSX for Multi-Hypervisor prior to 4.2.4
   vCloud Director prior to 5.5.3
   vCloud Director Service Providers prior to 5.6.4.1
   vCenter Application Discovery Manager 7.0
   vRealize Configuration Manager 5.7.x or 5.6.x
   vRealize Infrastructure 5.8 or 5.7
   vRealize Orchestrator 6.0, 5.5 or 5.1.3.1
   vRealize Log Insight 2.5, 2.0, 1.5 or 1.0
   vSphere Management Assistant 5.5 or 5.1
   vSphere Update Manager 6.0, 5.5, 5.1 or 5.0
   EVO:RAIL prior to 1.2.1

3. Problem Description

   a. Oracle JRE Update

   Oracle JRE is updated in VMware products to address a critical
   security issue that existed in earlier releases of Oracle JRE.

   VMware products running JRE 1.7 Update 75 or newer and JRE 1.6
   Update 91 or newer are not vulnerable to CVE-2014-6593, as
   documented in the Oracle Java SE Critical Patch Update Advisory of
   January 2015. This advisory also includes the other security issues
   that are addressed in JRE 1.7 Update 75 and JRE 1.6 Update 91. The
   References section provides a link to the JRE advisory.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the identifier CVE-2014-6593 to this issue. This issue is
   also known as "SKIP" or "SKIP-TLS".

   Column 4 of the following table lists the action required to
   remediate the vulnerability in each release, if a solution is
   available.

   VMware                                 Product   Running  Replace with/
   Product                                Version   on       Apply Patch**
   =====================================  ========  =======  =================
   Horizon View                           6.x       any      6.1
   Horizon View                           5.x       any      5.3.4
   Horizon Workspace Portal Server        2.1 ,2.0  any      2.1.1
   Horizon DaaS Platform                  6.1       any      6.1.4
   Horizon DaaS Platform                  5.4       any      5.4.5
   vCloud Networking and Security         5.5       any      5.5.4.1*
   vCloud Connector                       2.7       any      2.7.1*
   vCloud Usage Meter                     3.3       any      3.3.3*
   vCenter Site Recovery Manager          5.5.x     any      5.5.1.5***
   vCenter Site Recovery Manager          5.1.x     any      patch pending***
   vCenter Site Recovery Manager          5.0.x     any      patch pending***
   vCenter Server                         6.0       any      6.0.0a
   vCenter Server                         5.5       any      Update 2e
   vCenter Server                         5.1       any      Update 3a
   vCenter Server                         5.0       any      Update 3d
   vRealize Operations Manager            6.0       any      KB2111898
   vCenter Operations Manager             5.8.x     any      KB2111172
   vCenter Operations Manager             5.7.x     any      KB2111172
   vCenter Support Assistant              5.5.1.x   any      6.0
   vRealize Application Services          6.2       any      KB2111981
   vRealize Application Services          6.1       any      KB2111981
   vCloud Application Director            6.0       any      KB2111981
   vCloud Application Director            5.2       any      KB2111981
   vRealize Automation                    6.2       any      KB2111658
   vRealize Automation                    6.1       any      KB2111658
   vCloud Automation Center               6.0.1     any      KB2111658
   vRealize Code Stream                   1.1       any      KB2111658
   vRealize Code Stream                   1.0       any      KB2111658
   vPostgres                              9.3.x     any      9.3.6.0
   vPostgres                              9.2.x     any      9.2.10.0
   vPostgres                              9.1.x     any      9.1.15.0
   vSphere Replication                    5.8.0     any      5.8.0.2
   vSphere Replication                    5.6.0     any      5.6.0.3
   vSphere Replication                    5.5.0     any      5.5.1.5
   vSphere Replication                    5.1       any      patch pending
   vRealize Hyperic                       5.8       any      KB2111337
   vRealize Hyperic                       5.7       any      KB2111337
   vRealize Hyperic                       5.0       any      KB2111337
   vSphere AppHA                          1.1       any      KB2111336
   vSphere Big Data Extensions            2.1       any      KB2116604*
   vSphere Big Data Extensions            2.0       any      KB2116604*
   vSphere Data Protection                6.0       any      patch pending*
   vSphere Data Protection                5.8       any      patch pending*
   vSphere Data Protection                5.5       any      patch pending*
   vSphere Data Protection                5.1       any      patch pending*
   vCenter Chargeback Manager             2.7       any      KB2112011*
   vCenter Chargeback Manager             2.6       any      KB2113178*
   vRealize Business Adv/Ent              8.1       any      KB2112258*
   vRealize Business Adv/Ent              8.0       any      KB2112258*
   vRealize Business Standard             6.0       any      KB2111802
   vRealize Business Standard             1.1       any      KB2111802
   vRealize Business Standard             1.0       any      KB2111802
   NSX for vSphere                        6.1       any      6.1.4*
   NSX for Multi-Hypervisor               4.2       any      4.2.4*
   vCloud Director                        5.5.x     any      5.5.3*
   vCloud Director For Service Providers  5.6.4     any      5.6.4.1*
   vCenter Application Discovery Manager  7.0       any      7.1*
   vRealize Configuration Manager         5.7.x     any      KB2111670
   vRealize Configuration Manager         5.6       any      KB2111670
   vRealize Infrastructure Navigator      5.8       any      5.8.4
   vRealize Infrastructure Navigator      5.7       any      KB2111334*
   vRealize Orchestrator                  6.0       any      KB2112028*
   vRealize Orchestrator                  5.5       any      KB2112028*
   vRealize Orchestrator                  5.1       any      5.1.3.1*
   vRealize Log Insight                   2.5       any      KB2113235*
   vRealize Log Insight                   2.0       any      KB2113235*
   vRealize Log Insight                   1.5       any      KB2113235*
   vRealize Log Insight                   1.0       any      KB2113235*
   vSphere Management Assistant           5.5.x     any      5.5.0.4
   vSphere Management Assistant           5.1.x     any      5.1.0.3
   vSphere Update Manager                 6.0       any      6.0.0a*
   vSphere Update Manager                 5.5       any      Update 2e*
   vSphere Update Manager                 5.1       any      Update 3a*
   vSphere Update Manager                 5.0       any      Update 3d*
   EVO:RAIL                               1.2.0     any      1.2.1*

   * The severity of critical is lowered to important for this product
     as it is not considered Internet facing.

   ** Knowledge Base (KB) articles provide details of the patches and
      how to install them.

   *** vCenter Site Recovery Manager 5.0, 5.1, and 5.5 themselves do
       not include JRE, but they include the vSphere Replication
       appliance, which has JRE. vCenter Site Recovery Manager 5.8 and
       6.0 include neither JRE nor the vSphere Replication appliance.

4. Solution

   Please review the patch/release notes for your product and version
   and verify the checksum of your downloaded file.

   Horizon View 6.1, 5.3.4:
   ========================
   Downloads:
   https://my.vmware.com/web/vmware/details?downloadGroup=VIEW-610-GA&productId=492
   https://my.vmware.com/web/vmware/details?downloadGroup=VIEW-534-PREMIER&productId=396

   VMware Workspace Portal 2.1.1
   =============================
   Download:
   https://my.vmware.com/web/vmware/details?downloadGroup=HZNWS211&productId=501&rPId=7586
   Documentation:
   https://www.vmware.com/support/horizon_workspace/doc/wp_release_notes_211.html

   Horizon DaaS Platform 6.1.4
   ===========================
   Download:
   https://my.vmware.com/web/vmware/details?downloadGroup=HORIZON-DAAS-610-BIN&productId=405&rPId=6527

   Horizon DaaS Platform 5.4.5
   ===========================
   Download:
   https://my.vmware.com/web/vmware/details?downloadGroup=HORIZON-DAAS-ONPREM-540&productId=398&rPId=5214

   vCloud Networking and Security 5.5.4.1
   ======================================
   Download:
   https://my.vmware.com/web/vmware/details?productId=360&rPId=7625&downloadGroup=VCNS5541
   Documentation:
   https://www.vmware.com/support/vshield/doc/releasenotes_vshield_5541.html

   vCloud Connector 2.7.1
   ======================
   Downloads and Documentation:
   http://www.vmware.com/support/hybridcloud/doc/hybridcloud_271_rel_notes.html

   vCloud Usage Meter 3.3.3
   ========================
   Downloads:
   https://my.vmware.com/en/group/vmware/get-download?downloadGroup=UMSV333
vCenter Application Discovery Manager 7.1
=========================================
Download:
https://my.vmware.com/web/vmware/details?downloadGroup=VADM-710-VA&productId=300&rPId=8646
Documentation:
https://www.vmware.com/support/adm/doc/vcenter-application-discovery-manager-71-release-notes.html

vCenter Site Recovery Manager 5.5.1.5
=====================================
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=SRM5515&productId=357&rPId=7774
Documentation:
https://www.vmware.com/support/srm/srm-releasenotes-5-5-1.html

vCenter Server 6.0, 5.5, 5.1, 5.0
=================================
Downloads and Documentation:
https://www.vmware.com/go/download-vsphere

vRealize Operations Manager 6.0.1
=================================
Downloads and Documentation:
http://kb.vmware.com/kb/2111898

vCenter Support Assistant 6.0
=============================
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?downloadGroup=VCSA600&productId=491

vRealize Application Services 6.2, 6.1
======================================
Downloads and Documentation:
http://kb.vmware.com/kb/2111981

NSX for vSphere 6.1.4
=====================
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?productId=417&downloadGroup=NSX-V-614

NSX for Multi-Hypervisor 4.2.4
==============================
Downloads and Documentation:
https://my.vmware.com/web/vmware/info/slug/networking_security/vmware_nsx/4_x

vCloud Application Director 6.0
===============================
Downloads and Documentation:
http://kb.vmware.com/kb/2111981

vCloud Director for Service Providers 5.6.4.1
=============================================
Downloads and Documentation:
https://www.vmware.com/support/pubs/vcd_sp_pubs.html

vCenter Operations Manager 5.8.5, 5.7.4
=======================================
Downloads and Documentation:
http://kb.vmware.com/kb/2111172

vCloud Automation Center 6.0.1.2
================================
Downloads and Documentation:
http://kb.vmware.com/kb/2111685

vSphere Replication 5.8.0.2, 5.6.0.3, 5.5.1.5
=============================================
Downloads:
https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5802
https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5603
https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5515
Documentation:
http://kb.vmware.com/kb/2112025
http://kb.vmware.com/kb/2112022

vRealize Automation 6.2.1, 6.1.1
================================
Downloads and Documentation:
http://kb.vmware.com/kb/2111658

vRealize Code Stream 1.1, 1.0
=============================
Downloads and Documentation:
http://kb.vmware.com/kb/2111685

vFabric Postgres
================
Downloads:
https://my.vmware.com/group/vmware/details?downloadGroup=VFPG_936&productId=373&rPId=7787
https://my.vmware.com/group/vmware/details?downloadGroup=VFPG_92_10&productId=325&rPId=7788
https://my.vmware.com/group/vmware/details?downloadGroup=VFPG_91_15&productId=274&rPId=7789

vRealize Hyperic 5.8.4, 5.7.2, 5.0.3
====================================
Downloads and Documentation:
http://kb.vmware.com/kb/KB2111337

vSphere AppHA 1.1.1
===================
Downloads and Documentation:
http://kb.vmware.com/kb/2111336

vSphere Big Data Extensions 2.1 and 2.0
=======================================
Downloads and Documentation:
http://kb.vmware.com/kb/2116604

vCenter Chargeback Manager 2.7
==============================
Downloads and Documentation:
http://kb.vmware.com/kb/2112011

vCenter Chargeback Manager 2.6
==============================
Downloads and Documentation:
http://kb.vmware.com/kb/2113178

vRealize Business Adv/Ent 8.1, 8.0
==================================
Downloads and Documentation:
http://kb.vmware.com/kb/2112258

vRealize Business Standard 6.0, 1.1, 1.0
========================================
Downloads and Documentation:
http://kb.vmware.com/kb/2111802

vRealize Configuration Manager 5.7.3
====================================
Downloads and Documentation:
http://kb.vmware.com/kb/2111670

vRealize Infrastructure Navigator 5.8.4
=======================================
Download:
https://my.vmware.com/web/vmware/details?downloadGroup=VIN_584&productId=476

vRealize Infrastructure Navigator 5.7
=====================================
Downloads and Documentation:
http://kb.vmware.com/kb/2111334

vRealize Orchestrator 6.0, 5.5
==============================
Downloads and Documentation:
http://kb.vmware.com/kb/2112028

vRealize Orchestrator 5.1.3.1
=============================
Download:
https://my.vmware.com/group/vmware/get-download?downloadGroup=VSP51-VCL-VCOVA-51U3A
Documentation:
https://www.vmware.com/support/pubs/orchestrator_pubs.html

vSphere Management Assistant 5.5.0.4
====================================
Download:
https://my.vmware.com/web/vmware/details?downloadGroup=VMA550&productId=352
Documentation:
http://kb.vmware.com/kb/2112648

vSphere Management Assistant 5.1.0.3
====================================
Download:
https://my.vmware.com/web/vmware/details?downloadGroup=VSP510-VMA-510&productId=285
Documentation:
http://kb.vmware.com/kb/2112647

vSphere Update Manager 6.0, 5.5, 5.1, 5.0
=========================================
Downloads and Documentation:
https://www.vmware.com/go/download-vsphere

EVO:RAIL
========
Downloads and Documentation:
https://my.vmware.com/group/vmware/details?productId=442&downloadGroup=EVORAIL1_2_1

5. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6593

JRE: Oracle Java SE Critical Patch Update Advisory of January 2015
http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html

------------------------------------------------------------------------

6. Change log

2015-04-02 VMSA-2015-0003
Initial security advisory in conjunction with the release of VMware
Horizon View 6.1, 5.3.4; vCenter Operations Manager 5.8.5; vCenter
Operations Manager 5.7.4; vCloud Automation Center 6.0.1.2; vSphere
Replication 5.8.0.2, 5.6.0.3; vRealize Automation 6.2.1, 6.1.1; vRealize
Code Stream 1.1, 1.0; vRealize Hyperic 5.8.4, 5.7.2, 5.0.3; vSphere AppHA
1.1.1; vRealize Business Standard 1.1.1, 1.0.1; vRealize Configuration
Manager prior to 5.7.3; vRealize Infrastructure 5.7, 5.8.4. Patches
released on 2015-04-02.

2015-04-09 VMSA-2015-0003.1
Updated security advisory in conjunction with the release of VMware
Horizon DaaS Platform 6.1.4, 5.4.5; vRealize Operations Manager 6.0;
vRealize Application Services 6.2; vRealize Application Services 6.1;
vCloud Application Director 6.0; vCenter Chargeback Manager 2.7, 2.6;
vCloud Director For Service Providers 5.6.4.1; vRealize Log Insight 2.5,
2.0, 1.5, 1.0. Patches released on 2015-04-09.

2015-04-13 VMSA-2015-0003.2
Updated security advisory in conjunction with the release of vRealize
Business Adv/Ent 8.1, 8.0. Patches released on 2015-04-13.

2015-04-16 VMSA-2015-0003.3
Updated security advisory in conjunction with the release of vCloud
Connector 2.7.1; vCloud Usage Meter 3.3.3; vCenter Server 6.0, 5.5;
vSphere Update Manager 6.0, 5.5. Patches released on 2015-04-16.

2015-04-17 VMSA-2015-0003.4
Updated security advisory in conjunction with the release of vCenter Site
Recovery Manager 5.5.1.5. Patches released on 2015-04-16.

2015-04-23 VMSA-2015-0003.5
Updated security advisory in conjunction with the release of NSX for
Multi-Hypervisor 4.2.4 and vFabric Postgres 9.3.6.0, 9.2.10.0 or
9.1.15.0. Patches released on 2015-04-23.

2015-04-30 VMSA-2015-0003.6
Updated security advisory in conjunction with the release of vCloud
Networking and Security 5.5.4.1, vCenter Server 5.1 Update 3a, vCenter
Server 5.0 Update 3d, vRealize Orchestrator 5.1.3.1, vSphere Update
Manager 5.1 Update 3a and vSphere Update Manager 5.0 Update 3d. Patches
released on 2015-04-30.

2015-05-07 VMSA-2015-0003.7
Updated security advisory in conjunction with the release of vCenter
Support Assistant 6.0, vSphere Big Data Extensions 2.1 and 2.0, NSX for
vSphere 6.1.4. Patches released on 2015-05-07.

2015-05-08 VMSA-2015-0003.8
Updated security advisory in conjunction with the release of vSphere
Management Assistant 5.5 and 5.1. Patches released on 2015-05-08.

2015-07-02 VMSA-2015-0003.9
Updated security advisory in conjunction with the release of EVO:RAIL
1.2.1. Patches released on 2015-07-02.

2015-08-14 VMSA-2015-0003.10
Updated security advisory in conjunction with the release of vCenter
Application Discovery Manager 7.1.0. Patches released on 2015-08-13.

------------------------------------------------------------------------

7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

security-announce at lists.vmware.com
bugtraq at securityfocus.com
fulldisclosure at seclists.org

E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055

VMware Security Advisories
http://www.vmware.com/security/advisories

Consolidated list of VMware Security Advisories
http://kb.vmware.com/kb/2078735

VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html

VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html

Twitter
https://twitter.com/VMwareSRC

Copyright 2015 VMware Inc. All rights reserved.
NEW VMSA-2015-0005 "VMware Workstation, Player and Horizon View Client for Windows updates address a host privilege escalation vulnerability"
------------------------------------------------------------------------
VMware Security Advisory

Advisory ID: VMSA-2015-0005
Synopsis:    VMware Workstation, Player and Horizon View Client for
             Windows updates address a host privilege escalation
             vulnerability
Issue date:  2015-07-09
Updated on:  2015-07-09
CVE number:  CVE-2015-3650
------------------------------------------------------------------------

1. Summary

VMware Workstation, Player and Horizon View Client for Windows updates
address a host privilege escalation vulnerability.

2. Relevant Releases

VMware Workstation for Windows 11.x prior to version 11.1.1
VMware Workstation for Windows 10.x prior to version 10.0.7
VMware Player for Windows 7.x prior to version 7.1.1
VMware Player for Windows 6.x prior to version 6.0.7
VMware Horizon Client for Windows (with Local Mode Option) prior to
version 5.4.2

3. Problem Description

a. VMware Workstation, Player and Horizon View Client for Windows host
   privilege escalation vulnerability

VMware Workstation, Player and Horizon View Client for Windows do not set
a discretionary access control list (DACL) for one of their processes.
This may allow a local attacker to elevate their privileges and execute
code in the security context of the affected process.

VMware would like to thank Kyriakos Economou of Nettitude for reporting
this issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the identifier CVE-2015-3650 to this issue.

Column 4 of the following table lists the action required to remediate
the vulnerability in each release, if a solution is available.

VMware Product                                   Product  Running  Replace with/
                                                 Version  on       Apply Patch
===============================================  =======  =======  ===============
VMware Workstation                               11.x     Windows  11.1.1
VMware Workstation                               10.x     Windows  10.0.7
VMware Player                                    7.x      Windows  7.1.1
VMware Player                                    6.x      Windows  6.0.7
VMware Horizon Client for Windows
(with Local Mode Option)                         5.x      Windows  5.4.2
VMware Horizon Client for Windows                3.x      any      not affected

4. Solution

Please review the patch/release notes for your product and version and
verify the checksum of your downloaded file.

VMware Workstation
--------------------------------
https://www.vmware.com/go/downloadworkstation

VMware Player
--------------------------------
https://www.vmware.com/go/downloadplayer

VMware Horizon Clients
--------------------------------
https://www.vmware.com/go/viewclients

5. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3650

------------------------------------------------------------------------

6. Change log

2015-07-09 VMSA-2015-0005
Initial security advisory.

------------------------------------------------------------------------

7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

security-announce at lists.vmware.com
bugtraq at securityfocus.com
fulldisclosure at seclists.org

E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055

VMware Security Advisories
http://www.vmware.com/security/advisories

Consolidated list of VMware Security Advisories
http://kb.vmware.com/kb/2078735

VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html

VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html

Twitter
https://twitter.com/VMwareSRC

Copyright 2015 VMware Inc. All rights reserved.
UPDATE : VMSA-2015-0003.9 – VMware product updates address critical information disclosure issue in JRE.
------------------------------------------------------------------------
VMware Security Advisory

Advisory ID: VMSA-2015-0003.9
Synopsis:    VMware product updates address critical information
             disclosure issue in JRE.
Issue date:  2015-04-02
Updated on:  2015-07-02
CVE number:  CVE-2014-6593, for other CVEs see JRE reference
------------------------------------------------------------------------

1. Summary

VMware product updates address critical information disclosure issue in
JRE.

2. Relevant Releases

Horizon View 6.x or 5.x
Horizon Workspace Portal Server 2.1 or 2.0
Horizon DaaS Platform 6.1.4 or 5.4.5
vCloud Networking and Security prior to 5.5.4.1
vCloud Connector 2.7
vCloud Usage Meter 3.3
vCenter Site Recovery Manager prior to 5.5.1.5
vCenter Server 6.0, 5.5, 5.1 or 5.0
vRealize Operations Manager 6.0
vCenter Operations Manager 5.8.x or 5.7.x
vCenter Support Assistant 5.5.1.x
vRealize Application Services 6.2 or 6.1
vCloud Application Director 6.0
vRealize Automation 6.2 or 6.1
vCloud Automation Center 6.0.1
vSphere Replication prior to 5.8.0.2, 5.6.0.3 or 5.5.1.5
vRealize Automation 6.2.x or 6.1.x
vRealize Code Stream 1.1 or 1.0
vFabric Postgres 9.3.6.0, 9.2.10.0 or 9.1.15.0
vRealize Hyperic 5.8.x, 5.7.x or 5.0.x
vSphere AppHA prior to 1.1.x
vSphere Big Data Extensions 2.1 and 2.0
vCenter Chargeback Manager 2.7 or 2.6
vRealize Business Adv/Ent 8.1 or 8.0
vRealize Business Standard prior to 1.1.x or 1.0.x
NSX for vSphere 6.1
NSX for Multi-Hypervisor prior to 4.2.4
vCloud Director prior to 5.5.3
vCloud Director Service Providers prior to 5.6.4.1
vRealize Configuration Manager 5.7.x or 5.6.x
vRealize Infrastructure 5.8 or 5.7
vRealize Orchestrator 6.0, 5.5 or 5.1.3.1
vRealize Log Insight 2.5, 2.0, 1.5 or 1.0
vSphere Management Assistant 5.5 or 5.1
vSphere Update Manager 6.0, 5.5, 5.1 or 5.0
EVO:RAIL prior to 1.2.1

3. Problem Description

a.
Oracle JRE Update

Oracle JRE is updated in VMware products to address a critical security
issue that existed in earlier releases of Oracle JRE.

VMware products running JRE 1.7 Update 75 or newer and JRE 1.6 Update 91
or newer are not vulnerable to CVE-2014-6593, as documented in the Oracle
Java SE Critical Patch Update Advisory of January 2015. This advisory also
includes the other security issues that are addressed in JRE 1.7 Update 75
and JRE 1.6 Update 91. The References section provides a link to the JRE
advisory.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the identifier CVE-2014-6593 to this issue. This issue is also
known as "SKIP" or "SKIP-TLS".

Column 4 of the following table lists the action required to remediate
the vulnerability in each release, if a solution is available.

VMware Product                          Product    Running  Replace with/
                                        Version    on       Apply Patch**
======================================  =========  =======  =================
Horizon View                            6.x        any      6.1
Horizon View                            5.x        any      5.3.4
Horizon Workspace Portal Server         2.1, 2.0   any      2.1.1
Horizon DaaS Platform                   6.1        any      6.1.4
Horizon DaaS Platform                   5.4        any      5.4.5
vCloud Networking and Security          5.5        any      5.5.4.1*
vCloud Connector                        2.7        any      2.7.1*
vCloud Usage Meter                      3.3        any      3.3.3*
vCenter Site Recovery Manager           5.5.x      any      5.5.1.5***
vCenter Site Recovery Manager           5.1.x      any      patch pending***
vCenter Site Recovery Manager           5.0.x      any      patch pending***
vCenter Server                          6.0        any      6.0.0a
vCenter Server                          5.5        any      Update 2e
vCenter Server                          5.1        any      Update 3a
vCenter Server                          5.0        any      Update 3d
vRealize Operations Manager             6.0        any      KB2111898
vCenter Operations Manager              5.8.x      any      KB2111172
vCenter Operations Manager              5.7.x      any      KB2111172
vCenter Support Assistant               5.5.1.x    any      6.0
vRealize Application Services           6.2        any      KB2111981
vRealize Application Services           6.1        any      KB2111981
vCloud Application Director             6.0        any      KB2111981
vCloud Application Director             5.2        any      KB2111981
vRealize Automation                     6.2        any      KB2111658
vRealize Automation                     6.1        any      KB2111658
vCloud Automation Center                6.0.1      any      KB2111658
vRealize Code Stream                    1.1        any      KB2111658
vRealize Code Stream                    1.0        any      KB2111658
vPostgres                               9.3.x      any      9.3.6.0
vPostgres                               9.2.x      any      9.2.10.0
vPostgres                               9.1.x      any      9.1.15.0
vSphere Replication                     5.8.0      any      5.8.0.2
vSphere Replication                     5.6.0      any      5.6.0.3
vSphere Replication                     5.5.0      any      5.5.1.5
vSphere Replication                     5.1        any      patch pending
vRealize Hyperic                        5.8        any      KB2111337
vRealize Hyperic                        5.7        any      KB2111337
vRealize Hyperic                        5.0        any      KB2111337
vSphere AppHA                           1.1        any      KB2111336
vSphere Big Data Extensions             2.1        any      KB2116604*
vSphere Big Data Extensions             2.0        any      KB2116604*
vSphere Data Protection                 6.0        any      patch pending*
vSphere Data Protection                 5.8        any      patch pending*
vSphere Data Protection                 5.5        any      patch pending*
vSphere Data Protection                 5.1        any      patch pending*
vCenter Chargeback Manager              2.7        any      KB2112011*
vCenter Chargeback Manager              2.6        any      KB2113178*
vRealize Business Adv/Ent               8.1        any      KB2112258*
vRealize Business Adv/Ent               8.0        any      KB2112258*
vRealize Business Standard              6.0        any      KB2111802
vRealize Business Standard              1.1        any      KB2111802
vRealize Business Standard              1.0        any      KB2111802
NSX for vSphere                         6.1        any      6.1.4*
NSX for Multi-Hypervisor                4.2        any      4.2.4*
vCloud Director                         5.5.x      any      5.5.3*
vCloud Director For Service Providers   5.6.4      any      5.6.4.1*
vCenter Application Discovery Manager   7.0        any      patch pending*
vRealize Configuration Manager          5.7.x      any      KB2111670
vRealize Configuration Manager          5.6        any      KB2111670
vRealize Infrastructure Navigator       5.8        any      5.8.4
vRealize Infrastructure Navigator       5.7        any      KB2111334*
vRealize Orchestrator                   6.0        any      KB2112028*
vRealize Orchestrator                   5.5        any      KB2112028*
vRealize Orchestrator                   5.1        any      5.1.3.1*
vRealize Log Insight                    2.5        any      KB2113235*
vRealize Log Insight                    2.0        any      KB2113235*
vRealize Log Insight                    1.5        any      KB2113235*
vRealize Log Insight                    1.0        any      KB2113235*
vSphere Management Assistant            5.5.x      any      5.5.0.4
vSphere Management Assistant            5.1.x      any      5.1.0.3
vSphere Update Manager                  6.0        any      6.0.0a*
vSphere Update Manager                  5.5        any      Update 2e*
vSphere Update Manager                  5.1        any      Update 3a*
vSphere Update Manager                  5.0        any      Update 3d*
EVO:RAIL                                1.2.0      any      1.2.1*

*   The severity of critical is lowered to important for this product as
    it is not considered Internet facing.
**  Knowledge Base (KB) articles provide details of the patches and how to
    install them.
*** vCenter Site Recovery Manager 5.0, 5.1, and 5.5 themselves do not
    include JRE, but they include the vSphere Replication appliance, which
    has JRE. vCenter Site Recovery 5.8 and 6.0 do not include JRE nor the
    vSphere Replication appliance.

4. Solution

Please review the patch/release notes for your product and version and
verify the checksum of your downloaded file.

Horizon View 6.1, 5.3.4
========================
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=VIEW-610-GA&productId=492
https://my.vmware.com/web/vmware/details?downloadGroup=VIEW-534-PREMIER&productId=396

VMware Workspace Portal 2.1.1
=============================
Download:
https://my.vmware.com/web/vmware/details?downloadGroup=HZNWS211&productId=501&rPId=7586
Documentation:
https://www.vmware.com/support/horizon_workspace/doc/wp_release_notes_211.html

Horizon DaaS Platform 6.1.4
===========================
Download:
https://my.vmware.com/web/vmware/details?downloadGroup=HORIZON-DAAS-610-BIN&productId=405&rPId=6527

Horizon DaaS Platform 5.4.5
===========================
Download:
https://my.vmware.com/web/vmware/details?downloadGroup=HORIZON-DAAS-ONPREM-540&productId=398&rPId=5214

vCloud Networking and Security 5.5.4.1
======================================
Download:
https://my.vmware.com/web/vmware/details?productId=360&rPId=7625&downloadGroup=VCNS5541
Documentation:
https://www.vmware.com/support/vshield/doc/releasenotes_vshield_5541.html

vCloud Connector 2.7.1
======================
Downloads and Documentation:
http://www.vmware.com/support/hybridcloud/doc/hybridcloud_271_rel_notes.html

vCloud Usage Meter 3.3.3
========================
Downloads:
https://my.vmware.com/en/group/vmware/get-download?downloadGroup=UMSV333

vCenter Site Recovery Manager 5.5.1.5
=====================================
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=SRM5515&productId=357&rPId=7774
Documentation:
https://www.vmware.com/support/srm/srm-releasenotes-5-5-1.html

vCenter Server 6.0, 5.5, 5.1, 5.0
=================================
Downloads and Documentation:
https://www.vmware.com/go/download-vsphere

vRealize Operations Manager 6.0.1
=================================
Downloads and Documentation:
http://kb.vmware.com/kb/2111898

vCenter Support Assistant 6.0
=============================
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?downloadGroup=VCSA600&productId=491

vRealize Application Services 6.2, 6.1
======================================
Downloads and Documentation:
http://kb.vmware.com/kb/2111981

NSX for vSphere 6.1.4
=====================
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?productId=417&downloadGroup=NSX-V-614

NSX for Multi-Hypervisor 4.2.4
==============================
Downloads and Documentation:
https://my.vmware.com/web/vmware/info/slug/networking_security/vmware_nsx/4_x

vCloud Application Director 6.0
===============================
Downloads and Documentation:
http://kb.vmware.com/kb/2111981

vCloud Director for Service Providers 5.6.4.1
=============================================
Downloads and Documentation:
https://www.vmware.com/support/pubs/vcd_sp_pubs.html

vCenter Operations Manager 5.8.5, 5.7.4
=======================================
Downloads and Documentation:
http://kb.vmware.com/kb/2111172

vCloud Automation Center 6.0.1.2
================================
Downloads and Documentation:
http://kb.vmware.com/kb/2111685

vSphere Replication 5.8.0.2, 5.6.0.3, 5.5.1.5
=============================================
Downloads:
https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5802
https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5603
https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5515
Documentation:
http://kb.vmware.com/kb/2112025
http://kb.vmware.com/kb/2112022

vRealize Automation 6.2.1, 6.1.1
================================
Downloads and Documentation:
http://kb.vmware.com/kb/2111658

vRealize Code Stream 1.1, 1.0
=============================
Downloads and Documentation:
http://kb.vmware.com/kb/2111685

vFabric Postgres
================
Downloads:
https://my.vmware.com/group/vmware/details?downloadGroup=VFPG_936&productId=373&rPId=7787
https://my.vmware.com/group/vmware/details?downloadGroup=VFPG_92_10&productId=325&rPId=7788
https://my.vmware.com/group/vmware/details?downloadGroup=VFPG_91_15&productId=274&rPId=7789

vRealize Hyperic 5.8.4, 5.7.2, 5.0.3
====================================
Downloads and Documentation:
http://kb.vmware.com/kb/KB2111337

vSphere AppHA 1.1.1
===================
Downloads and Documentation:
http://kb.vmware.com/kb/2111336

vSphere Big Data Extensions 2.1 and 2.0
=======================================
Downloads and Documentation:
http://kb.vmware.com/kb/2116604

vCenter Chargeback Manager 2.7
==============================
Downloads and Documentation:
http://kb.vmware.com/kb/2112011

vCenter Chargeback Manager 2.6
==============================
Downloads and Documentation:
http://kb.vmware.com/kb/2113178

vRealize Business Adv/Ent 8.1, 8.0
==================================
Downloads and Documentation:
http://kb.vmware.com/kb/2112258

vRealize Business Standard 6.0, 1.1, 1.0
========================================
Downloads and Documentation:
http://kb.vmware.com/kb/2111802

vRealize Configuration Manager 5.7.3
====================================
Downloads and Documentation:
http://kb.vmware.com/kb/2111670

vRealize Infrastructure Navigator 5.8.4
=======================================
Download:
https://my.vmware.com/web/vmware/details?downloadGroup=VIN_584&productId=476

vRealize Infrastructure Navigator 5.7
=====================================
Downloads and Documentation:
http://kb.vmware.com/kb/2111334

vRealize Orchestrator 6.0, 5.5
==============================
Downloads and Documentation:
http://kb.vmware.com/kb/2112028

vRealize Orchestrator 5.1.3.1
=============================
Download:
https://my.vmware.com/group/vmware/get-download?downloadGroup=VSP51-VCL-VCOVA-51U3A
Documentation:
https://www.vmware.com/support/pubs/orchestrator_pubs.html

vSphere Management Assistant 5.5.0.4
====================================
Download:
https://my.vmware.com/web/vmware/details?downloadGroup=VMA550&productId=352
Documentation:
http://kb.vmware.com/kb/2112648

vSphere Management Assistant 5.1.0.3
====================================
Download:
https://my.vmware.com/web/vmware/details?downloadGroup=VSP510-VMA-510&productId=285
Documentation:
http://kb.vmware.com/kb/2112647

vSphere Update Manager 6.0, 5.5, 5.1, 5.0
=========================================
Downloads and Documentation:
https://www.vmware.com/go/download-vsphere

EVO:RAIL
========
Downloads and Documentation:
https://my.vmware.com/group/vmware/details?productId=442&downloadGroup=EVORAIL1_2_1

5. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6593

JRE: Oracle Java SE Critical Patch Update Advisory of January 2015
http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html

------------------------------------------------------------------------

6. Change log

2015-04-02 VMSA-2015-0003
Initial security advisory in conjunction with the release of VMware
Horizon View 6.1, 5.3.4; vCenter Operations Manager 5.8.5; vCenter
Operations Manager 5.7.4; vCloud Automation Center 6.0.1.2; vSphere
Replication 5.8.0.2, 5.6.0.3; vRealize Automation 6.2.1, 6.1.1; vRealize
Code Stream 1.1, 1.0; vRealize Hyperic 5.8.4, 5.7.2, 5.0.3; vSphere AppHA
1.1.1; vRealize Business Standard 1.1.1, 1.0.1; vRealize Configuration
Manager prior to 5.7.3; vRealize Infrastructure 5.7, 5.8.4. Patches
released on 2015-04-02.

2015-04-09 VMSA-2015-0003.1
Updated security advisory in conjunction with the release of VMware
Horizon DaaS Platform 6.1.4, 5.4.5; vRealize Operations Manager 6.0;
vRealize Application Services 6.2; vRealize Application Services 6.1;
vCloud Application Director 6.0; vCenter Chargeback Manager 2.7, 2.6;
vCloud Director For Service Providers 5.6.4.1; vRealize Log Insight 2.5,
2.0, 1.5, 1.0. Patches released on 2015-04-09.

2015-04-13 VMSA-2015-0003.2
Updated security advisory in conjunction with the release of vRealize
Business Adv/Ent 8.1, 8.0. Patches released on 2015-04-13.

2015-04-16 VMSA-2015-0003.3
Updated security advisory in conjunction with the release of vCloud
Connector 2.7.1; vCloud Usage Meter 3.3.3; vCenter Server 6.0, 5.5;
vSphere Update Manager 6.0, 5.5. Patches released on 2015-04-16.

2015-04-17 VMSA-2015-0003.4
Updated security advisory in conjunction with the release of vCenter Site
Recovery Manager 5.5.1.5. Patches released on 2015-04-16.

2015-04-23 VMSA-2015-0003.5
Updated security advisory in conjunction with the release of NSX for
Multi-Hypervisor 4.2.4 and vFabric Postgres 9.3.6.0, 9.2.10.0 or
9.1.15.0. Patches released on 2015-04-23.

2015-04-30 VMSA-2015-0003.6
Updated security advisory in conjunction with the release of vCloud
Networking and Security 5.5.4.1, vCenter Server 5.1 Update 3a, vCenter
Server 5.0 Update 3d, vRealize Orchestrator 5.1.3.1, vSphere Update
Manager 5.1 Update 3a and vSphere Update Manager 5.0 Update 3d. Patches
released on 2015-04-30.

2015-05-07 VMSA-2015-0003.7
Updated security advisory in conjunction with the release of vCenter
Support Assistant 6.0, vSphere Big Data Extensions 2.1 and 2.0, NSX for
vSphere 6.1.4. Patches released on 2015-05-07.

2015-05-08 VMSA-2015-0003.8
Updated security advisory in conjunction with the release of vSphere
Management Assistant 5.5 and 5.1. Patches released on 2015-05-08.

2015-07-02 VMSA-2015-0003.9
Updated security advisory in conjunction with the release of EVO:RAIL
1.2.1. Patches released on 2015-07-02.

------------------------------------------------------------------------

7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

security-announce at lists.vmware.com
bugtraq at securityfocus.com
fulldisclosure at seclists.org

E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055

VMware Security Advisories
http://www.vmware.com/security/advisories

Consolidated list of VMware Security Advisories
http://kb.vmware.com/kb/2078735

VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html

VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html

Twitter
https://twitter.com/VMwareSRC

Copyright 2015 VMware Inc. All rights reserved.
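Both revisions of VMSA-2015-0003 above (.9 and .10) state the same remediation criterion for CVE-2014-6593: a bundled JRE at 1.7 Update 75 / 1.6 Update 91 or newer. The script below is an added example, not VMware code: it parses `java -version` output, compares the update level against those two thresholds, and refuses to judge JRE families the advisory does not name. The sample outputs are constructed, and the bundled-JRE path in `main` is a placeholder you must replace.

```python
"""Classify a JRE against the fixed update levels in VMSA-2015-0003.

Added example, not part of the advisory. Thresholds are taken from the
advisory text: JRE 1.7 Update 75 and JRE 1.6 Update 91 (CVE-2014-6593).
"""
import re
import subprocess
from typing import Dict, Optional, Tuple

# Minimum update per JRE family named in the advisory. Families it does not
# name (for example 1.8) are deliberately absent: this check cannot judge them.
FIXED_UPDATE: Dict[Tuple[int, int], int] = {(1, 7): 75, (1, 6): 91}

# First line of `java -version`, e.g.  java version "1.7.0_75"
# The "_75" update part is optional; some builds print only "1.7.0".
_VERSION_RE = re.compile(r'version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(output: str) -> Optional[Tuple[int, int, int, int]]:
    """Return (major, minor, micro, update) from `java -version` output, or None."""
    m = _VERSION_RE.search(output)
    if m is None:
        return None
    major, minor, micro, update = m.groups()
    return int(major), int(minor), int(micro), int(update or 0)


def is_patched(output: str) -> Optional[bool]:
    """True  -> at or above the advisory's fixed update for this family
    False -> below it (vulnerable per the advisory)
    None  -> unparseable, or a family the advisory does not cover."""
    version = parse_java_version(output)
    if version is None:
        return None
    family = (version[0], version[1])
    if family not in FIXED_UPDATE:
        return None
    return version[3] >= FIXED_UPDATE[family]


def check_java_binary(java_path: str) -> Optional[bool]:
    """Run `<java_path> -version` and classify the result.

    `java -version` writes to stderr, so both streams are captured. Point
    java_path at the JRE bundled with the VMware product (the advisory's
    subject), not at whatever `java` happens to be first on PATH.
    """
    proc = subprocess.run([java_path, "-version"], capture_output=True, text=True)
    return is_patched(proc.stderr + proc.stdout)


# Constructed sample outputs (not captured from real systems).
SAMPLE_OUTPUTS = {
    "jre17_below": 'java version "1.7.0_71"\nJava(TM) SE Runtime Environment (build 1.7.0_71-b14)\n',
    "jre17_fixed": 'java version "1.7.0_75"\nJava(TM) SE Runtime Environment (build 1.7.0_75-b13)\n',
    "jre16_below": 'java version "1.6.0_85"\nJava(TM) SE Runtime Environment (build 1.6.0_85-b13)\n',
    "jre16_fixed": 'java version "1.6.0_91"\nJava(TM) SE Runtime Environment (build 1.6.0_91-b13)\n',
    "jre18_uncovered": 'java version "1.8.0_31"\nJava(TM) SE Runtime Environment (build 1.8.0_31-b13)\n',
    "not_java": "sh: java: command not found\n",
}

if __name__ == "__main__":
    labels = {
        True: "at/above fixed level",
        False: "BELOW fixed level (vulnerable per VMSA-2015-0003)",
        None: "not covered by VMSA-2015-0003 or unparseable",
    }
    for name, text in SAMPLE_OUTPUTS.items():
        print(f"{name:16} {labels[is_patched(text)]}")
    # For a real host, replace the placeholder with the product's bundled JRE:
    # print(check_java_binary("/path/to/bundled/jre/bin/java"))  # placeholder
```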
NEW VMSA-2015-0004 – VMware Workstation, Fusion and Horizon View Client updates address critical security issues
------------------------------------------------------------------------
VMware Security Advisory

Advisory ID: VMSA-2015-0004
Synopsis:    VMware Workstation, Fusion and Horizon View Client updates address critical security issues
Issue Date:  2015-06-09
Updated on:  2015-06-09 (Initial Advisory)
CVE number:  CVE-2012-0897, CVE-2015-2336, CVE-2015-2337, CVE-2015-2338, CVE-2015-2339, CVE-2015-2340, CVE-2015-2341

1. Summary

VMware Workstation, Fusion and Horizon View Client updates address critical security issues.

2. Relevant Releases

VMware Workstation prior to version 11.1.1
VMware Workstation prior to version 10.0.6
VMware Player prior to version 7.1.1
VMware Player prior to version 6.0.6
VMware Fusion prior to version 7.0.1
VMware Fusion prior to version 6.0.6
VMware Horizon Client for Windows prior to version 3.4.0
VMware Horizon Client for Windows prior to version 3.2.1
VMware Horizon Client for Windows (with local mode) prior to version 5.4.1

3. Problem Description

a. VMware Workstation and Horizon Client memory manipulation issues

VMware Workstation and Horizon Client TPView.dll and TPInt.dll incorrectly handle memory allocation. On Workstation, this may allow a guest to execute code or perform a Denial of Service on the Windows OS that runs Workstation. In the case of a Horizon Client, this may allow a View desktop to execute code or perform a Denial of Service on the Windows OS that runs the Horizon Client.

VMware would like to thank Kostya Kortchinsky of the Google Security Team for reporting these issues to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifiers CVE-2012-0897 and CVE-2015-2336 (TPView.dll Code Execution), CVE-2015-2338 and CVE-2015-2339 (TPView.dll DoS), CVE-2015-2337 (TPInt.dll Code Execution), and CVE-2015-2340 (TPInt.dll DoS) to these issues.

Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware Product                                       Product  Running  Replace with/
                                                     Version  on       Apply Patch**
===================================================  =======  =======  =================
VMware Workstation                                   11.x     Windows  11.1.1
VMware Workstation                                   10.x     Windows  10.0.6
VMware Player                                        7.x      Windows  7.1.1
VMware Player                                        6.x      Windows  6.0.6
VMware Horizon Client for Windows                    3.3.x    Windows  3.4.0
VMware Horizon Client for Windows                    3.2.x    Windows  3.2.1
VMware Horizon Client for Windows (with local mode)  5.x      Windows  5.4.2

b. VMware Workstation, Player, and Fusion Denial of Service vulnerability

VMware Workstation, Player, and Fusion contain an input validation issue on an RPC command. This issue may allow for a Denial of Service of the Guest Operating System (32-bit) or a Denial of Service of the Host Operating System (64-bit).

VMware would like to thank Peter Kamensky from Digital Security for reporting this issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2015-2341 to this issue.

Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware Product  Product  Running  Replace with/
                Version  on       Apply Patch
==============  =======  =======  =================
Workstation     11.x     any      not affected
Workstation     10.x     any      10.0.5
Player          7.x      any      not affected
Player          6.x      any      6.0.6
Fusion          7.x      OSX      7.0.1
Fusion          6.x      OSX      6.0.6

4. Solution

Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.

VMware Workstation 11.1.1, 10.0.6
Downloads and Documentation:
https://www.vmware.com/go/downloadworkstation

VMware Player 7.1.1, 6.0.6
Downloads and Documentation:
https://www.vmware.com/go/downloadplayer

VMware Fusion 7.0.1, 6.0.6
https://www.vmware.com/go/downloadfusion

VMware Horizon Clients 5.4.2, 3.4.0, and 3.2.1
Downloads and Documentation:
https://www.vmware.com/go/viewclients

5. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0897
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2336
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2337
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2338
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2339
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2340
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2341

------------------------------------------------------------------------

6. Change log

2015-06-09 VMSA-2015-0004
Initial security advisory in conjunction with the release of VMware Workstation 11.1.1 and Horizon Client for Windows 3.2.1 on 2015-06-09.

------------------------------------------------------------------------

7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:
security-announce at lists.vmware.com
bugtraq at securityfocus.com
fulldisclosure at seclists.org

E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055

VMware Security Advisories
http://www.vmware.com/security/advisories

Consolidated list of VMware Security Advisories
http://kb.vmware.com/kb/2078735

VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html

VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html

Twitter
https://twitter.com/VMwareSRC

Copyright 2015 VMware Inc. All rights reserved.
UPDATE : VMSA-2015-0003.8 – VMware product updates address critical information disclosure issue in JRE.
------------------------------------------------------------------------
VMware Security Advisory

Advisory ID: VMSA-2015-0003.8
Synopsis:    VMware product updates address critical information disclosure issue in JRE.
Issue date:  2015-04-02
Updated on:  2015-05-08
CVE number:  CVE-2014-6593, for other CVEs see JRE reference
------------------------------------------------------------------------

1. Summary

VMware product updates address critical information disclosure issue in JRE.

2. Relevant Releases

Horizon View 6.x or 5.x
Horizon Workspace Portal Server 2.1 or 2.0
Horizon DaaS Platform 6.1.4 or 5.4.5
vCloud Networking and Security prior to 5.5.4.1
vCloud Connector 2.7
vCloud Usage Meter 3.3
vCenter Site Recovery Manager prior to 5.5.1.5
vCenter Server 6.0, 5.5, 5.1 or 5.0
vRealize Operations Manager 6.0
vCenter Operations Manager 5.8.x or 5.7.x
vCenter Support Assistant 5.5.1.x
vRealize Application Services 6.2 or 6.1
vCloud Application Director 6.0
vRealize Automation 6.2 or 6.1
vCloud Automation Center 6.0.1
vSphere Replication prior to 5.8.0.2, 5.6.0.3 or 5.5.1.5
vRealize Automation 6.2.x or 6.1.x
vRealize Code Stream 1.1 or 1.0
vFabric Postgres 9.3.6.0, 9.2.10.0 or 9.1.15.0
vRealize Hyperic 5.8.x, 5.7.x or 5.0.x
vSphere AppHA prior to 1.1.x
vSphere Big Data Extensions 2.1 and 2.0
vCenter Chargeback Manager 2.7 or 2.6
vRealize Business Adv/Ent 8.1 or 8.0
vRealize Business Standard prior to 1.1.x or 1.0.x
NSX for vSphere 6.1
NSX for Multi-Hypervisor prior to 4.2.4
vCloud Director prior to 5.5.3
vCloud Director Service Providers prior to 5.6.4.1
vRealize Configuration Manager 5.7.x or 5.6.x
vRealize Infrastructure 5.8 or 5.7
vRealize Orchestrator 6.0, 5.5 or 5.1.3.1
vRealize Log Insight 2.5, 2.0, 1.5 or 1.0
vSphere Management Assistant 5.5 or 5.1
vSphere Update Manager 6.0, 5.5, 5.1 or 5.0

3. Problem Description

a. Oracle JRE Update

Oracle JRE is updated in VMware products to address a critical security issue that existed in earlier releases of Oracle JRE.

VMware products running JRE 1.7 Update 75 or newer and JRE 1.6 Update 91 or newer are not vulnerable to CVE-2014-6593, as documented in the Oracle Java SE Critical Patch Update Advisory of January 2015. This advisory also includes the other security issues that are addressed in JRE 1.7 Update 75 and JRE 1.6 Update 91. The References section provides a link to the JRE advisory.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2014-6593 to this issue. This issue is also known as "SKIP" or "SKIP-TLS".

Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware Product                          Product  Running  Replace with/
                                        Version  on       Apply Patch**
======================================  =======  =======  =================
Horizon View                            6.x      any      6.1
Horizon View                            5.x      any      5.3.4
Horizon Workspace Portal Server         2.1, 2.0 any      2.1.1
Horizon DaaS Platform                   6.1      any      6.1.4
Horizon DaaS Platform                   5.4      any      5.4.5
vCloud Networking and Security          5.5      any      5.5.4.1*
vCloud Connector                        2.7      any      2.7.1*
vCloud Usage Meter                      3.3      any      3.3.3*
vCenter Site Recovery Manager           5.5.x    any      5.5.1.5***
vCenter Site Recovery Manager           5.1.x    any      patch pending***
vCenter Site Recovery Manager           5.0.x    any      patch pending***
vCenter Server                          6.0      any      6.0.0a
vCenter Server                          5.5      any      Update 2e
vCenter Server                          5.1      any      Update 3a
vCenter Server                          5.0      any      Update 3d
vRealize Operations Manager             6.0      any      KB2111898
vCenter Operations Manager              5.8.x    any      KB2111172
vCenter Operations Manager              5.7.x    any      KB2111172
vCenter Support Assistant               5.5.1.x  any      6.0
vRealize Application Services           6.2      any      KB2111981
vRealize Application Services           6.1      any      KB2111981
vCloud Application Director             6.0      any      KB2111981
vCloud Application Director             5.2      any      KB2111981
vRealize Automation                     6.2      any      KB2111658
vRealize Automation                     6.1      any      KB2111658
vCloud Automation Center                6.0.1    any      KB2111658
vRealize Code Stream                    1.1      any      KB2111658
vRealize Code Stream                    1.0      any      KB2111658
vPostgres                               9.3.x    any      9.3.6.0
vPostgres                               9.2.x    any      9.2.10.0
vPostgres                               9.1.x    any      9.1.15.0
vSphere Replication                     5.8.0    any      5.8.0.2
vSphere Replication                     5.6.0    any      5.6.0.3
vSphere Replication                     5.5.0    any      5.5.1.5
vSphere Replication                     5.1      any      patch pending
vRealize Hyperic                        5.8      any      KB2111337
vRealize Hyperic                        5.7      any      KB2111337
vRealize Hyperic                        5.0      any      KB2111337
vSphere AppHA                           1.1      any      KB2111336
vSphere Big Data Extensions             2.1      any      KB2116604*
vSphere Big Data Extensions             2.0      any      KB2116604*
vSphere Data Protection                 6.0      any      patch pending*
vSphere Data Protection                 5.8      any      patch pending*
vSphere Data Protection                 5.5      any      patch pending*
vSphere Data Protection                 5.1      any      patch pending*
vCenter Chargeback Manager              2.7      any      KB2112011*
vCenter Chargeback Manager              2.6      any      KB2113178*
vRealize Business Adv/Ent               8.1      any      KB2112258*
vRealize Business Adv/Ent               8.0      any      KB2112258*
vRealize Business Standard              6.0      any      KB2111802
vRealize Business Standard              1.1      any      KB2111802
vRealize Business Standard              1.0      any      KB2111802
NSX for vSphere                         6.1      any      6.1.4*
NSX for Multi-Hypervisor                4.2      any      4.2.4*
vCloud Director                         5.5.x    any      5.5.3*
vCloud Director For Service Providers   5.6.4    any      5.6.4.1*
vCenter Application Discovery Manager   7.0      any      patch pending*
vRealize Configuration Manager          5.7.x    any      KB2111670
vRealize Configuration Manager          5.6      any      KB2111670
vRealize Infrastructure Navigator       5.8      any      5.8.4
vRealize Infrastructure Navigator       5.7      any      KB2111334*
vRealize Orchestrator                   6.0      any      KB2112028*
vRealize Orchestrator                   5.5      any      KB2112028*
vRealize Orchestrator                   5.1      any      5.1.3.1*
vRealize Log Insight                    2.5      any      KB2113235*
vRealize Log Insight                    2.0      any      KB2113235*
vRealize Log Insight                    1.5      any      KB2113235*
vRealize Log Insight                    1.0      any      KB2113235*
vSphere Management Assistant            5.5.x    any      5.5.0.4
vSphere Management Assistant            5.1.x    any      5.1.0.3
vSphere Update Manager                  6.0      any      6.0.0a*
vSphere Update Manager                  5.5      any      Update 2e*
vSphere Update Manager                  5.1      any      Update 3a*
vSphere Update Manager                  5.0      any      Update 3d*

* The severity of critical is lowered to important for this product as it is not considered Internet facing.
** Knowledge Base (KB) articles provide details of the patches and how to install them.
*** vCenter Site Recovery Manager 5.0, 5.1, and 5.5 themselves do not include JRE, but they include the vSphere Replication appliance, which has JRE. vCenter Site Recovery 5.8 and 6.0 do not include JRE nor the vSphere Replication appliance.

4. Solution

Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.

Horizon View 6.1, 5.3.4
=======================
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=VIEW-610-GA&productId=492
https://my.vmware.com/web/vmware/details?downloadGroup=VIEW-534-PREMIER&productId=396

VMware Workspace Portal 2.1.1
=============================
Download:
https://my.vmware.com/web/vmware/details?downloadGroup=HZNWS211&productId=501&rPId=7586
Documentation:
https://www.vmware.com/support/horizon_workspace/doc/wp_release_notes_211.html

Horizon DaaS Platform 6.1.4
===========================
Download:
https://my.vmware.com/web/vmware/details?downloadGroup=HORIZON-DAAS-610-BIN&productId=405&rPId=6527

Horizon DaaS Platform 5.4.5
===========================
Download:
https://my.vmware.com/web/vmware/details?downloadGroup=HORIZON-DAAS-ONPREM-540&productId=398&rPId=5214

vCloud Networking and Security 5.5.4.1
======================================
Download:
https://my.vmware.com/web/vmware/details?productId=360&rPId=7625&downloadGroup=VCNS5541
Documentation:
https://www.vmware.com/support/vshield/doc/releasenotes_vshield_5541.html

vCloud Connector 2.7.1
======================
Downloads and Documentation:
http://www.vmware.com/support/hybridcloud/doc/hybridcloud_271_rel_notes.html

vCloud Usage Meter 3.3.3
========================
Downloads:
https://my.vmware.com/en/group/vmware/get-download?downloadGroup=UMSV333

vCenter Site Recovery Manager 5.5.1.5
=====================================
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=SRM5515&productId=357&rPId=7774
Documentation:
https://www.vmware.com/support/srm/srm-releasenotes-5-5-1.html

vCenter Server 6.0, 5.5, 5.1, 5.0
=================================
Downloads and Documentation:
https://www.vmware.com/go/download-vsphere

vRealize Operations Manager 6.0.1
=================================
Downloads and Documentation:
http://kb.vmware.com/kb/2111898

vCenter Support Assistant 6.0
=============================
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?downloadGroup=VCSA600&productId=491

vRealize Application Services 6.2, 6.1
======================================
Downloads and Documentation:
http://kb.vmware.com/kb/2111981

NSX for vSphere 6.1.4
=====================
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?productId=417&downloadGroup=NSX-V-614

NSX for Multi-Hypervisor 4.2.4
==============================
Downloads and Documentation:
https://my.vmware.com/web/vmware/info/slug/networking_security/vmware_nsx/4_x

vCloud Application Director 6.0
===============================
Downloads and Documentation:
http://kb.vmware.com/kb/2111981

vCloud Director for Service Providers 5.6.4.1
=============================================
Downloads and Documentation:
https://www.vmware.com/support/pubs/vcd_sp_pubs.html

vCenter Operations Manager 5.8.5, 5.7.4
=======================================
Downloads and Documentation:
http://kb.vmware.com/kb/2111172

vCloud Automation Center 6.0.1.2
================================
Downloads and Documentation:
http://kb.vmware.com/kb/2111685

vSphere Replication 5.8.0.2, 5.6.0.3, 5.5.1.5
=============================================
Downloads:
https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5802
https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5603
https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5515
Documentation:
http://kb.vmware.com/kb/2112025
http://kb.vmware.com/kb/2112022

vRealize Automation 6.2.1, 6.1.1
================================
Downloads and Documentation:
http://kb.vmware.com/kb/2111658

vRealize Code Stream 1.1, 1.0
=============================
Downloads and Documentation:
http://kb.vmware.com/kb/2111685

vFabric Postgres
================
Downloads:
https://my.vmware.com/group/vmware/details?downloadGroup=VFPG_936&productId=373&rPId=7787
https://my.vmware.com/group/vmware/details?downloadGroup=VFPG_92_10&productId=325&rPId=7788
https://my.vmware.com/group/vmware/details?downloadGroup=VFPG_91_15&productId=274&rPId=7789

vRealize Hyperic 5.8.4, 5.7.2, 5.0.3
====================================
Downloads and Documentation:
http://kb.vmware.com/kb/KB2111337

vSphere AppHA 1.1.1
===================
Downloads and Documentation:
http://kb.vmware.com/kb/2111336

vSphere Big Data Extensions 2.1 and 2.0
=======================================
Downloads and Documentation:
http://kb.vmware.com/kb/2116604

vCenter Chargeback Manager 2.7
==============================
Downloads and Documentation:
http://kb.vmware.com/kb/2112011

vCenter Chargeback Manager 2.6
==============================
Downloads and Documentation:
http://kb.vmware.com/kb/2113178

vRealize Business Adv/Ent 8.1, 8.0
==================================
Downloads and Documentation:
http://kb.vmware.com/kb/2112258

vRealize Business Standard 6.0, 1.1, 1.0
========================================
Downloads and Documentation:
http://kb.vmware.com/kb/2111802

vRealize Configuration Manager 5.7.3
====================================
Downloads and Documentation:
http://kb.vmware.com/kb/2111670

vRealize Infrastructure Navigator 5.8.4
=======================================
Download:
https://my.vmware.com/web/vmware/details?downloadGroup=VIN_584&productId=476

vRealize Infrastructure Navigator 5.7
=====================================
Downloads and Documentation:
http://kb.vmware.com/kb/2111334

vRealize Orchestrator 6.0, 5.5
==============================
Downloads and Documentation:
http://kb.vmware.com/kb/2112028

vRealize Orchestrator 5.1.3.1
=============================
Download:
https://my.vmware.com/group/vmware/get-download?downloadGroup=VSP51-VCL-VCOVA-51U3A
Documentation:
https://www.vmware.com/support/pubs/orchestrator_pubs.html

vSphere Management Assistant 5.5.0.4
====================================
Download:
https://my.vmware.com/web/vmware/details?downloadGroup=VMA550&productId=352
Documentation:
http://kb.vmware.com/kb/2112648

vSphere Management Assistant 5.1.0.3
====================================
Download:
https://my.vmware.com/web/vmware/details?downloadGroup=VSP510-VMA-510&productId=285
Documentation:
http://kb.vmware.com/kb/2112647

vSphere Update Manager 6.0, 5.5, 5.1, 5.0
=========================================
Downloads and Documentation:
https://www.vmware.com/go/download-vsphere

5. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6593

JRE Oracle Java SE Critical Patch Update Advisory of January 2015
http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html

------------------------------------------------------------------------

6. Change log

2015-04-02 VMSA-2015-0003
Initial security advisory in conjunction with the release of VMware Horizon View 6.1, 5.3.4; vCenter Operations Manager 5.8.5; vCenter Operations Manager 5.7.4; vCloud Automation Center 6.0.1.2; vSphere Replication 5.8.0.2, 5.6.0.3; vRealize Automation 6.2.1, 6.1.1; vRealize Code Stream 1.1, 1.0; vRealize Hyperic 5.8.4, 5.7.2, 5.0.3; vSphere AppHA 1.1.1; vRealize Business Standard 1.1.1, 1.0.1; vRealize Configuration Manager prior to 5.7.3; vRealize Infrastructure 5.7, 5.8.4. Patches released on 2015-04-02.

2015-04-09 VMSA-2015-0003.1
Updated security advisory in conjunction with the release of VMware Horizon DaaS Platform 6.1.4, 5.4.5; vRealize Operations Manager 6.0; vRealize Application Services 6.2; vRealize Application Services 6.1; vCloud Application Director 6.0; vCenter Chargeback Manager 2.7, 2.6; vCloud Director For Service Providers 5.6.4.1; vRealize Log Insight 2.5, 2.0, 1.5, 1.0. Patches released on 2015-04-09.

2015-04-13 VMSA-2015-0003.2
Updated security advisory in conjunction with the release of vRealize Business Adv/Ent 8.1, 8.0. Patches released on 2015-04-13.

2015-04-16 VMSA-2015-0003.3
Updated security advisory in conjunction with the release of vCloud Connector 2.7.1; vCloud Usage Meter 3.3.3; vCenter Server 6.0, 5.5; vSphere Update Manager 6.0, 5.5. Patches released on 2015-04-16.

2015-04-17 VMSA-2015-0003.4
Updated security advisory in conjunction with the release of vCenter Site Recovery Manager 5.5.1.5. Patches released on 2015-04-16.

2015-04-23 VMSA-2015-0003.5
Updated security advisory in conjunction with the release of NSX for Multi-Hypervisor 4.2.4 and vFabric Postgres 9.3.6.0, 9.2.10.0 or 9.1.15.0. Patches released on 2015-04-23.

2015-04-30 VMSA-2015-0003.6
Updated security advisory in conjunction with the release of vCloud Networking and Security 5.5.4.1, vCenter Server 5.1 Update 3a, vCenter Server 5.0 Update 3d, vRealize Orchestrator 5.1.3.1, vSphere Update Manager 5.1 Update 3a and vSphere Update Manager 5.0 Update 3d. Patches released on 2015-04-30.

2015-05-07 VMSA-2015-0003.7
Updated security advisory in conjunction with the release of vCenter Support Assistant 6.0, vSphere Big Data Extensions 2.1 and 2.0, NSX for vSphere 6.1.4. Patches released on 2015-05-07.

2015-05-08 VMSA-2015-0003.8
Updated security advisory in conjunction with the release of vSphere Management Assistant 5.5 and 5.1. Patches released on 2015-05-08.

------------------------------------------------------------------------

7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:
security-announce at lists.vmware.com
bugtraq at securityfocus.com
fulldisclosure at seclists.org

E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055

VMware Security Advisories
http://www.vmware.com/security/advisories

Consolidated list of VMware Security Advisories
http://kb.vmware.com/kb/2078735

VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html

VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html

Twitter
https://twitter.com/VMwareSRC

Copyright 2015 VMware Inc. All rights reserved.
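The remediation criterion in section 3.a of VMSA-2015-0003 (JRE 1.7 Update 75 or newer, JRE 1.6 Update 91 or newer) can be checked against the version line a product's `java -version` prints. The following is an added example, not VMware's code: the `MIN_UPDATE` table is taken from the advisory's stated thresholds, and the host names and version strings in `SAMPLE_INVENTORY` are constructed for illustration.

```python
"""Check Java runtime version strings against the JRE threshold in VMSA-2015-0003.

The advisory states that JRE 1.7 Update 75 or newer and JRE 1.6 Update 91 or
newer are not vulnerable to CVE-2014-6593 (SKIP-TLS). This helper parses the
first line of `java -version` output (or a bare version string such as
"1.7.0_72-b14") and reports whether the runtime meets that threshold.
Added example; not VMware code. Version families the advisory does not mention
(for example 1.8) are reported as "not-covered" rather than guessed at.
"""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Minimum update level per JRE family, taken from the advisory text.
MIN_UPDATE: Dict[str, int] = {"1.7": 75, "1.6": 91}

# Matches the legacy "1.<minor>.0_<update>" form, optionally followed by a
# build suffix: '1.7.0_75', '1.6.0_91-b01', 'java version "1.7.0_72"'.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)_(\d+)")


class JreVersion(NamedTuple):
    family: str  # e.g. "1.7"
    update: int  # e.g. 75


def parse_jre_version(text: str) -> Optional[JreVersion]:
    """Return the family and update number found in text, or None if absent."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, _patch, update = m.groups()
    # The update number is compared numerically: as strings, "1.7.0_100" would
    # sort below "1.7.0_75" and be wrongly flagged as vulnerable.
    return JreVersion(f"{major}.{minor}", int(update))


def assess(text: str) -> str:
    """Classify a version string: patched, vulnerable, not-covered or unparseable."""
    v = parse_jre_version(text)
    if v is None:
        return "unparseable"
    minimum = MIN_UPDATE.get(v.family)
    if minimum is None:
        return "not-covered"
    return "patched" if v.update >= minimum else "vulnerable"


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return (host, verdict) for every host whose runtime needs attention.

    Hosts classified as patched are omitted; anything else is worth a look,
    since an unparseable or uncovered version cannot be assumed safe.
    """
    return [(host, assess(ver)) for host, ver in inventory
            if assess(ver) != "patched"]


# Constructed sample inventory: first line of `java -version` per appliance.
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("vcenter-01", 'java version "1.7.0_75"'),
    ("vrops-01", 'java version "1.7.0_72"'),
    ("srm-01", 'java version "1.6.0_91"'),
    ("hyperic-01", 'java version "1.6.0_45"'),
    ("loginsight-01", 'java version "1.7.0_100"'),
    ("newer-01", 'java version "1.8.0_40"'),
    ("unknown-01", "openjdk version 11"),
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY):
        print(f"{host}: {verdict}")
```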
UPDATE : VMSA-2015-0003.7 – VMware product updates address critical information disclosure issue in JRE.
------------------------------------------------------------------------
VMware Security Advisory

Advisory ID: VMSA-2015-0003.7
Synopsis:    VMware product updates address critical information disclosure issue in JRE.
Issue date:  2015-04-02
Updated on:  2015-05-07
CVE number:  CVE-2014-6593, for other CVEs see JRE reference
------------------------------------------------------------------------

1. Summary

VMware product updates address critical information disclosure issue in JRE.

2. Relevant Releases

Horizon View 6.x or 5.x
Horizon Workspace Portal Server 2.1 or 2.0
Horizon DaaS Platform 6.1.4 or 5.4.5
vCloud Networking and Security prior to 5.5.4.1
vCloud Connector 2.7
vCloud Usage Meter 3.3
vCenter Site Recovery Manager prior to 5.5.1.5
vCenter Server 6.0, 5.5, 5.1 or 5.0
vRealize Operations Manager 6.0
vCenter Operations Manager 5.8.x or 5.7.x
vCenter Support Assistant 5.5.1.x
vRealize Application Services 6.2 or 6.1
vCloud Application Director 6.0
vRealize Automation 6.2 or 6.1
vCloud Automation Center 6.0.1
vSphere Replication prior to 5.8.0.2, 5.6.0.3 or 5.5.1.5
vRealize Automation 6.2.x or 6.1.x
vRealize Code Stream 1.1 or 1.0
vFabric Postgres 9.3.6.0, 9.2.10.0 or 9.1.15.0
vRealize Hyperic 5.8.x, 5.7.x or 5.0.x
vSphere AppHA prior to 1.1.x
vSphere Big Data Extensions 2.1 and 2.0
vCenter Chargeback Manager 2.7 or 2.6
vRealize Business Adv/Ent 8.1 or 8.0
vRealize Business Standard prior to 1.1.x or 1.0.x
NSX for vSphere 6.1
NSX for Multi-Hypervisor prior to 4.2.4
vCloud Director prior to 5.5.3
vCloud Director Service Providers prior to 5.6.4.1
vRealize Configuration Manager 5.7.x or 5.6.x
vRealize Infrastructure 5.8 or 5.7
vRealize Orchestrator 6.0, 5.5 or 5.1.3.1
vRealize Log Insight 2.5, 2.0, 1.5 or 1.0
vSphere Update Manager 6.0, 5.5, 5.1 or 5.0

3. Problem Description

a. Oracle JRE Update

Oracle JRE is updated in VMware products to address a critical security issue that existed in earlier releases of Oracle JRE.

VMware products running JRE 1.7 Update 75 or newer and JRE 1.6 Update 91 or newer are not vulnerable to CVE-2014-6593, as documented in the Oracle Java SE Critical Patch Update Advisory of January 2015. This advisory also includes the other security issues that are addressed in JRE 1.7 Update 75 and JRE 1.6 Update 91. The References section provides a link to the JRE advisory.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2014-6593 to this issue. This issue is also known as "SKIP" or "SKIP-TLS".

Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware Product                          Product  Running  Replace with/
                                        Version  on       Apply Patch**
======================================  =======  =======  =================
Horizon View                            6.x      any      6.1
Horizon View                            5.x      any      5.3.4
Horizon Workspace Portal Server         2.1, 2.0 any      2.1.1
Horizon DaaS Platform                   6.1      any      6.1.4
Horizon DaaS Platform                   5.4      any      5.4.5
vCloud Networking and Security          5.5      any      5.5.4.1*
vCloud Connector                        2.7      any      2.7.1*
vCloud Usage Meter                      3.3      any      3.3.3*
vCenter Site Recovery Manager           5.5.x    any      5.5.1.5***
vCenter Site Recovery Manager           5.1.x    any      patch pending***
vCenter Site Recovery Manager           5.0.x    any      patch pending***
vCenter Server                          6.0      any      6.0.0a
vCenter Server                          5.5      any      Update 2e
vCenter Server                          5.1      any      Update 3a
vCenter Server                          5.0      any      Update 3d
vRealize Operations Manager             6.0      any      KB2111898
vCenter Operations Manager              5.8.x    any      KB2111172
vCenter Operations Manager              5.7.x    any      KB2111172
vCenter Support Assistant               5.5.1.x  any      6.0
vRealize Application Services           6.2      any      KB2111981
vRealize Application Services           6.1      any      KB2111981
vCloud Application Director             6.0      any      KB2111981
vCloud Application Director             5.2      any      KB2111981
vRealize Automation                     6.2      any      KB2111658
vRealize Automation                     6.1      any      KB2111658
vCloud Automation Center                6.0.1    any      KB2111658
vRealize Code Stream                    1.1      any      KB2111658
vRealize Code Stream                    1.0      any      KB2111658
vPostgres                               9.3.x    any      9.3.6.0
vPostgres                               9.2.x    any      9.2.10.0
vPostgres                               9.1.x    any      9.1.15.0
vSphere Replication                     5.8.0    any      5.8.0.2
vSphere Replication                     5.6.0    any      5.6.0.3
vSphere Replication                     5.5.0    any      5.5.1.5
vSphere Replication                     5.1      any      patch pending
vRealize Hyperic                        5.8      any      KB2111337
vRealize Hyperic                        5.7      any      KB2111337
vRealize Hyperic                        5.0      any      KB2111337
vSphere AppHA                           1.1      any      KB2111336
vSphere Big Data Extensions             2.1      any      KB2116604*
vSphere Big Data Extensions             2.0      any      KB2116604*
vSphere Data Protection                 6.0      any      patch pending*
vSphere Data Protection                 5.8      any      patch pending*
vSphere Data Protection                 5.5      any      patch pending*
vSphere Data Protection                 5.1      any      patch pending*
vCenter Chargeback Manager              2.7      any      KB2112011*
vCenter Chargeback Manager              2.6      any      KB2113178*
vRealize Business Adv/Ent               8.1      any      KB2112258*
vRealize Business Adv/Ent               8.0      any      KB2112258*
vRealize Business Standard              6.0      any      KB2111802
vRealize Business Standard              1.1      any      KB2111802
vRealize Business Standard              1.0      any      KB2111802
NSX for vSphere                         6.1      any      6.1.4*
NSX for Multi-Hypervisor                4.2      any      4.2.4*
vCloud Director                         5.5.x    any      5.5.3*
vCloud Director For Service Providers   5.6.4    any      5.6.4.1*
vCenter Application Discovery Manager   7.0      any      patch pending*
vRealize Configuration Manager          5.7.x    any      KB2111670
vRealize Configuration Manager          5.6      any      KB2111670
vRealize Infrastructure Navigator       5.8      any      5.8.4
vRealize Infrastructure Navigator       5.7      any      KB2111334*
vRealize Orchestrator                   6.0      any      KB2112028*
vRealize Orchestrator                   5.5      any      KB2112028*
vRealize Orchestrator                   5.1      any      5.1.3.1*
vRealize Log Insight                    2.5      any      KB2113235*
vRealize Log Insight                    2.0      any      KB2113235*
vRealize Log Insight                    1.5      any      KB2113235*
vRealize Log Insight                    1.0      any      KB2113235*
vSphere Management Assistant            5.x      any      patch pending
vSphere Update Manager                  6.0      any      6.0.0a*
vSphere Update Manager                  5.5      any      Update 2e*
vSphere Update Manager                  5.1      any      Update 3a*
vSphere Update Manager                  5.0      any      Update 3d*

* The severity of critical is lowered to important for this product as it is not considered Internet facing.
** Knowledge Base (KB) articles provide details of the patches and how to install them.
*** vCenter Site Recovery Manager 5.0, 5.1, and 5.5 themselves do not include JRE, but they include the vSphere Replication appliance, which has JRE. vCenter Site Recovery 5.8 and 6.0 do not include JRE nor the vSphere Replication appliance.

4. Solution

Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.

Horizon View 6.1, 5.3.4
=======================
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=VIEW-610-GA&productId=492
https://my.vmware.com/web/vmware/details?downloadGroup=VIEW-534-PREMIER&productId=396

VMware Workspace Portal 2.1.1
=============================
Download:
https://my.vmware.com/web/vmware/details?downloadGroup=HZNWS211&productId=501&rPId=7586
Documentation:
https://www.vmware.com/support/horizon_workspace/doc/wp_release_notes_211.html

Horizon DaaS Platform 6.1.4
===========================
Download:
https://my.vmware.com/web/vmware/details?downloadGroup=HORIZON-DAAS-610-BIN&productId=405&rPId=6527

Horizon DaaS Platform 5.4.5
===========================
Download:
https://my.vmware.com/web/vmware/details?downloadGroup=HORIZON-DAAS-ONPREM-540&productId=398&rPId=5214

vCloud Networking and Security 5.5.4.1
======================================
Download:
https://my.vmware.com/web/vmware/details?productId=360&rPId=7625&downloadGroup=VCNS5541
Documentation:
https://www.vmware.com/support/vshield/doc/releasenotes_vshield_5541.html

vCloud Connector 2.7.1
======================
Downloads and Documentation:
http://www.vmware.com/support/hybridcloud/doc/hybridcloud_271_rel_notes.html

vCloud Usage Meter 3.3.3
========================
Downloads:
https://my.vmware.com/en/group/vmware/get-download?downloadGroup=UMSV333

vCenter Site Recovery Manager 5.5.1.5
=====================================
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=SRM5515&productId=357&rPId=7774
Documentation:
https://www.vmware.com/support/srm/srm-releasenotes-5-5-1.html

vCenter Server 6.0, 5.5, 5.1, 5.0
=================================
Downloads and Documentation:
https://www.vmware.com/go/download-vsphere

vRealize Operations Manager 6.0.1
=================================
Downloads and Documentation:
http://kb.vmware.com/kb/2111898

vCenter Support Assistant 6.0
=============================
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?downloadGroup=VCSA600&productId=491

vRealize Application Services 6.2, 6.1
======================================
Downloads and Documentation:
http://kb.vmware.com/kb/2111981

NSX for vSphere 6.1.4
=====================
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?productId=417&downloadGroup=NSX-V-614

NSX for Multi-Hypervisor 4.2.4
==============================
Downloads and Documentation:
https://my.vmware.com/web/vmware/info/slug/networking_security/vmware_nsx/4_x

vCloud Application Director 6.0
===============================
Downloads and Documentation:
http://kb.vmware.com/kb/2111981

vCloud Director for Service Providers 5.6.4.1
=============================================
Downloads and Documentation:
https://www.vmware.com/support/pubs/vcd_sp_pubs.html

vCenter Operations Manager 5.8.5, 5.7.4
=======================================
Downloads and Documentation:
http://kb.vmware.com/kb/2111172

vCloud Automation Center 6.0.1.2
================================
Downloads and Documentation:
http://kb.vmware.com/kb/2111685

vSphere Replication 5.8.0.2, 5.6.0.3, 5.5.1.5
=============================================
Downloads:
https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5802
https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5603
https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5515
Documentation:
http://kb.vmware.com/kb/2112025
http://kb.vmware.com/kb/2112022

vRealize Automation 6.2.1, 6.1.1
================================
Downloads and Documentation:
http://kb.vmware.com/kb/2111658

vRealize Code Stream 1.1, 1.0
=============================
Downloads and Documentation:
http://kb.vmware.com/kb/2111685

vFabric Postgres
================
Downloads:
https://my.vmware.com/group/vmware/details?downloadGroup=VFPG_936&productId=373&rPId=7787
https://my.vmware.com/group/vmware/details?downloadGroup=VFPG_92_10&productId=325&rPId=7788
https://my.vmware.com/group/vmware/details?downloadGroup=VFPG_91_15&productId=274&rPId=7789

vRealize Hyperic 5.8.4, 5.7.2, 5.0.3
====================================
Downloads and Documentation:
http://kb.vmware.com/kb/KB2111337

vSphere AppHA 1.1.1
===================
Downloads and Documentation:
http://kb.vmware.com/kb/2111336

vSphere Big Data Extensions 2.1 and 2.0
=======================================
Downloads and Documentation:
http://kb.vmware.com/kb/2116604

vCenter Chargeback Manager 2.7
==============================
Downloads and Documentation:
http://kb.vmware.com/kb/2112011

vCenter Chargeback Manager 2.6
==============================
Downloads and Documentation:
http://kb.vmware.com/kb/2113178

vRealize Business Adv/Ent 8.1, 8.0
==================================
Downloads and Documentation:
http://kb.vmware.com/kb/2112258

vRealize Business Standard 6.0, 1.1, 1.0
========================================
Downloads and Documentation:
http://kb.vmware.com/kb/2111802

vRealize Configuration Manager 5.7.3
====================================
Downloads and Documentation:
http://kb.vmware.com/kb/2111670

vRealize Infrastructure Navigator 5.8.4
=======================================
Download:
https://my.vmware.com/web/vmware/details?downloadGroup=VIN_584&productId=476

vRealize Infrastructure Navigator 5.7
=====================================
Downloads and Documentation:
http://kb.vmware.com/kb/2111334
vRealize Orchestrator 6.0, 5.5 ===================================== Downloads and Documentation: http://kb.vmware.com/kb/2112028 vRealize Orchestrator 5.1.3.1 ============================= Download: https://my.vmware.com/group/vmware/get-download?downloadGroup=VSP51-VCL-VCO VA-51U3A Documentation: https://www.vmware.com/support/pubs/orchestrator_pubs.html vSphere Update Manager 6.0, 5.5, 5.1, 5.0 ========================================= Downloads and Documentation: https://www.vmware.com/go/download-vsphere 5. References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6593 JRE Oracle Java SE Critical Patch Update Advisory of January 2015 http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html - ------------------------------------------------------------------------ 6. Change log 2015-04-02 VMSA-2015-0003 Initial security advisory in conjunction with the release of VMware Horizon View 6.1, 5.3.4; vCenter Operations Manager 5.8.5; vCenter Operations Manager 5.7.4; vCloud Automation Center 6.0.1.2; vSphere Replication 5.8.0.2, 5.6.0.3; vRealize Automation 6.2.1, 6.1.1; vRealize Code Stream 1.1, 1.0; vRealize Hyperic 5.8.4, 5.7.2, 5.0.3; vSphere AppHA 1.1.1; vRealize Business Standard 1.1.1, 1.0.1; vRealize Configuration Manager prior to 5.7.3; vRealize Infrastructure 5.7, 5.8.4 Patches released on 2015-04-02. 2015-04-09 VMSA-2015-0003.1 Updated Security advisory in conjunction with the release of VMware Horizon DaaS Platform 6.1.4, 5.4.5; vRealize Operations Manager 6.0; vRealize Application Services 6.2; vRealize Application Services 6.1; vCloud Application Director 6.0; vCenter Chargeback Manager 2.7, 2.6; vCloud Director For Service Providers 5.6.4.1; vRealize Log Insight 2.5, 2.0, 1.5, 1.0 Patches released on 2015-04-09. 2015-04-13 VMSA-2015-0003.2 Updated Security advisory in conjunction with the release of vRealize Business Adv/Ent 8.1, 8.0 Patches released on 2015-04-13. 
2015-04-16 VMSA-2015-0003.3 Updated Security advisory in conjunction with the release of vCloud Connector 2.7.1; vCloud Usage Meter 3.3.3; vCenter Server 6.0, 5.5; vSphere Update Manager 6.0, 5.5 patches released on 2015-04-16. 2015-04-17 VMSA-2015-0003.4 Updated Security advisory in conjunction with the release of vCenter Site Recovery Manager 5.5.1.5 patches released on 2015-04-16. 2015-04-23 VMSA-2015-0003.5 Updated Security advisory in conjunction with the release of NSX for Multi-Hypervisor 4.2.4 and vFabric Postgres 9.3.6.0, 9.2.10.0 or 9.1.15.0 patches released on 2015-04-23. 2015-04-30 VMSA-2015-0003.6 Updated Security advisory in conjunction with the release of vCloud Networking and Security 5.5.4.1, vCenter Server 5.1 Update 3a, vCenter Server 5.0 Update 3d, vRealize Orchestrator 5.1.3.1, vSphere Update Manager 5.1 Update 3a and vSphere Update Manager 5.0 Update 3d patches released on 2015-04-30. 2015-05-07 VMSA-2015-0003.7 Updated Security advisory in conjunction with the release of vCenter Support Assistant 6.0, vSphere Big Data Extensions 2.1 and 2.0, NSX for vSphere 6.1.4 patches released on 2015-05-07. - ------------------------------------------------------------------------ 7. Contact E-mail list for product security notifications and announcements: http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce This Security Advisory is posted to the following lists: security-announce at lists.vmware.com bugtraq at securityfocus.com fulldisclosure at seclists.org E-mail: security at vmware.com PGP key at: http://kb.vmware.com/kb/1055 VMware Security Advisories http://www.vmware.com/security/advisories Consolidated list of VMware Security Advisories http://kb.vmware.com/kb/2078735 VMware Security Response Policy https://www.vmware.com/support/policies/security_response.html VMware Lifecycle Support Phases https://www.vmware.com/support/policies/lifecycle.html Twitter https://twitter.com/VMwareSRC Copyright 2015 VMware Inc. All rights reserved. 
-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.3.0 (Build 8741)
Charset: utf-8

wj8DBQFVTCc4DEcm8Vbi9kMRAtXvAKCzEtGSoJPM5RkrRN5eRRAfM/d07wCfZGGz
kWnQbLXP6Dgil5vyAPrV9Ow=
=m/0+
-----END PGP SIGNATURE-----
UPDATE: VMSA-2015-0003.6 – VMware product updates address critical information disclosure issue in JRE.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
VMware Security Advisory

Advisory ID: VMSA-2015-0003.6
Synopsis: VMware product updates address critical information disclosure issue in JRE.
Issue date: 2015-04-02
Updated on: 2015-04-30
CVE number: CVE-2014-6593, for other CVEs see JRE reference
- ------------------------------------------------------------------------

1. Summary

VMware product updates address critical information disclosure issue in JRE.

2. Relevant Releases

Horizon View 6.x or 5.x
Horizon Workspace Portal Server 2.1 or 2.0
Horizon DaaS Platform 6.1.4 or 5.4.5
vCloud Networking and Security prior to 5.5.4.1
vCloud Connector 2.7
vCloud Usage Meter 3.3
vCenter Site Recovery Manager prior to 5.5.1.5
vCenter Server 6.0, 5.5, 5.1 or 5.0
vRealize Operations Manager 6.0
vCenter Operations Manager 5.8.x or 5.7.x
vRealize Application Services 6.2 or 6.1
vCloud Application Director 6.0
vRealize Automation 6.2 or 6.1
vCloud Automation Center 6.0.1
vSphere Replication prior to 5.8.0.2, 5.6.0.3 or 5.5.1.5
vRealize Automation 6.2.x or 6.1.x
vRealize Code Stream 1.1 or 1.0
vFabric Postgres 9.3.6.0, 9.2.10.0 or 9.1.15.0
vRealize Hyperic 5.8.x, 5.7.x or 5.0.x
vSphere AppHA Prior to 1.1.x
vCenter Chargeback Manager 2.7 or 2.6
vRealize Business Adv/Ent 8.1 or 8.0
vRealize Business Standard prior to 1.1.x or 1.0.x
NSX for Multi-Hypervisor prior to 4.2.4
vCloud Director prior to 5.5.3
vCloud Director Service Providers prior to 5.6.4.1
vRealize Configuration Manager 5.7.x or 5.6.x
vRealize Infrastructure 5.8 or 5.7
vRealize Orchestrator 6.0, 5.5 or 5.1.3.1
vRealize Log Insight 2.5, 2.0, 1.5 or 1.0
vSphere Update Manager 6.0, 5.5, 5.1 or 5.0

3. Problem Description

a. Oracle JRE Update

Oracle JRE is updated in VMware products to address a critical security issue that existed in earlier releases of Oracle JRE.
VMware products running JRE 1.7 Update 75 or newer and JRE 1.6 Update 91 or newer are not vulnerable to CVE-2014-6593, as documented in the Oracle Java SE Critical Patch Update Advisory of January 2015. This advisory also includes the other security issues that are addressed in JRE 1.7 Update 75 and JRE 1.6 Update 91. The References section provides a link to the JRE advisory.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2014-6593 to this issue. This issue is also known as "SKIP" or "SKIP-TLS".

Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware                                Product   Running Replace with/
Product                               Version   on      Apply Patch**
===================================== ========= ======= =================
Horizon View                          6.x       any     6.1
Horizon View                          5.x       any     5.3.4
Horizon Workspace Portal Server       2.1, 2.0  any     2.1.1
Horizon DaaS Platform                 6.1       any     6.1.4
Horizon DaaS Platform                 5.4       any     5.4.5
vCloud Networking and Security        5.5       any     5.5.4.1*
vCloud Connector                      2.7       any     2.7.1*
vCloud Usage Meter                    3.3       any     3.3.3*
vCenter Site Recovery Manager         5.5.x     any     5.5.1.5***
vCenter Site Recovery Manager         5.1.x     any     patch pending***
vCenter Site Recovery Manager         5.0.x     any     patch pending***
vCenter Server                        6.0       any     6.0.0a
vCenter Server                        5.5       any     Update 2e
vCenter Server                        5.1       any     Update 3a
vCenter Server                        5.0       any     Update 3d
vRealize Operations Manager           6.0       any     KB2111898
vCenter Operations Manager            5.8.x     any     KB2111172
vCenter Operations Manager            5.7.x     any     KB2111172
vCenter Support Assistant             5.5.1.x   any     patch pending
vRealize Application Services         6.2       any     KB2111981
vRealize Application Services         6.1       any     KB2111981
vCloud Application Director           6.0       any     KB2111981
vCloud Application Director           5.2       any     KB2111981
vRealize Automation                   6.2       any     KB2111658
vRealize Automation                   6.1       any     KB2111658
vCloud Automation Center              6.0.1     any     KB2111658
vRealize Code Stream                  1.1       any     KB2111658
vRealize Code Stream                  1.0       any     KB2111658
vPostgres                             9.3.x     any     9.3.6.0
vPostgres                             9.2.x     any     9.2.10.0
vPostgres                             9.1.x     any     9.1.15.0
vSphere Replication                   5.8.0     any     5.8.0.2
vSphere Replication                   5.6.0     any     5.6.0.3
vSphere Replication                   5.5.0     any     5.5.1.5
vSphere Replication                   5.1       any     patch pending
vSphere Storage Appliance             5.x       any     patch pending*
vRealize Hyperic                      5.8       any     KB2111337
vRealize Hyperic                      5.7       any     KB2111337
vRealize Hyperic                      5.0       any     KB2111337
vSphere AppHA                         1.1       any     KB2111336
vSphere Big Data Extensions           2.1       any     patch pending*
vSphere Big Data Extensions           2.0       any     patch pending*
vSphere Data Protection               6.0       any     patch pending*
vSphere Data Protection               5.8       any     patch pending*
vSphere Data Protection               5.5       any     patch pending*
vSphere Data Protection               5.1       any     patch pending*
vCenter Chargeback Manager            2.7       any     KB2112011*
vCenter Chargeback Manager            2.6       any     KB2113178*
vRealize Business Adv/Ent             8.1       any     KB2112258*
vRealize Business Adv/Ent             8.0       any     KB2112258*
vRealize Business Standard            6.0       any     KB2111802
vRealize Business Standard            1.1       any     KB2111802
vRealize Business Standard            1.0       any     KB2111802
NSX for vSphere                       6.1       any     patch pending*
NSX for Multi-Hypervisor              4.2       any     4.2.4*
vCloud Director                       5.5.x     any     5.5.3*
vCloud Director For Service Providers 5.6.4     any     5.6.4.1*
vCenter Application Discovery Manager 7.0       any     patch pending*
vRealize Configuration Manager        5.7.x     any     KB2111670
vRealize Configuration Manager        5.6       any     KB2111670
vRealize Infrastructure Navigator     5.8       any     5.8.4
vRealize Infrastructure Navigator     5.7       any     KB2111334*
vRealize Orchestrator                 6.0       any     KB2112028*
vRealize Orchestrator                 5.5       any     KB2112028*
vRealize Orchestrator                 5.1       any     5.1.3.1*
vRealize Log Insight                  2.5       any     KB2113235*
vRealize Log Insight                  2.0       any     KB2113235*
vRealize Log Insight                  1.5       any     KB2113235*
vRealize Log Insight                  1.0       any     KB2113235*
vSphere Management Assistant          5.x       any     patch pending
vSphere Update Manager                6.0       any     6.0.0a*
vSphere Update Manager                5.5       any     Update 2e*
vSphere Update Manager                5.1       any     Update 3a*
vSphere Update Manager                5.0       any     Update 3d*

* The severity of critical is lowered to important for this product as it is not considered Internet facing.
** Knowledge Base (KB) articles provide details of the patches and how to install them.
*** vCenter Site Recovery Manager 5.0, 5.1, and 5.5 themselves do not include JRE, but they include the vSphere Replication appliance, which has JRE. vCenter Site Recovery 5.8 and 6.0 include neither JRE nor the vSphere Replication appliance.

4. Solution

Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.

Horizon View 6.1, 5.3.4:
========================
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=VIEW-610-GA&productId=492
https://my.vmware.com/web/vmware/details?downloadGroup=VIEW-534-PREMIER&productId=396

VMware Workspace Portal 2.1.1
=============================
Download:
https://my.vmware.com/web/vmware/details?downloadGroup=HZNWS211&productId=501&rPId=7586
Documentation:
https://www.vmware.com/support/horizon_workspace/doc/wp_release_notes_211.html

Horizon DaaS Platform 6.1.4
===========================
Download:
https://my.vmware.com/web/vmware/details?downloadGroup=HORIZON-DAAS-610-BIN&productId=405&rPId=6527

Horizon DaaS Platform 5.4.5
===========================
Download:
https://my.vmware.com/web/vmware/details?downloadGroup=HORIZON-DAAS-ONPREM-540&productId=398&rPId=5214

vCloud Networking and Security 5.5.4.1
======================================
Download:
https://my.vmware.com/web/vmware/details?productId=360&rPId=7625&downloadGroup=VCNS5541
Documentation:
https://www.vmware.com/support/vshield/doc/releasenotes_vshield_5541.html

vCloud Connector 2.7.1
======================
Downloads and Documentation:
http://www.vmware.com/support/hybridcloud/doc/hybridcloud_271_rel_notes.html

vCloud Usage Meter 3.3.3
========================
Downloads:
https://my.vmware.com/en/group/vmware/get-download?downloadGroup=UMSV333

vCenter Site Recovery Manager 5.5.1.5
=====================================
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=SRM5515&productId=357&rPId=7774
Documentation:
https://www.vmware.com/support/srm/srm-releasenotes-5-5-1.html

vCenter Server 6.0, 5.5, 5.1, 5.0
=================================
Downloads and Documentation:
https://www.vmware.com/go/download-vsphere

vRealize Operations Manager 6.0.1
=================================
Downloads and Documentation:
http://kb.vmware.com/kb/2111898

vRealize Application Services 6.2, 6.1
======================================
Downloads and Documentation:
http://kb.vmware.com/kb/2111981

NSX for Multi-Hypervisor 4.2.4
==============================
Downloads and Documentation:
https://my.vmware.com/web/vmware/info/slug/networking_security/vmware_nsx/4_x

vCloud Application Director 6.0
===============================
Downloads and Documentation:
http://kb.vmware.com/kb/2111981

vCloud Director for Service Providers 5.6.4.1
=============================================
Downloads and Documentation:
https://www.vmware.com/support/pubs/vcd_sp_pubs.html

vCenter Operations Manager 5.8.5, 5.7.4
=======================================
Downloads and Documentation:
http://kb.vmware.com/kb/2111172

vCloud Automation Center 6.0.1.2
================================
Downloads and Documentation:
http://kb.vmware.com/kb/2111685

vSphere Replication 5.8.0.2, 5.6.0.3, 5.5.1.5
=============================================
Downloads:
https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5802
https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5603
https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5515
Documentation:
http://kb.vmware.com/kb/2112025
http://kb.vmware.com/kb/2112022

vRealize Automation 6.2.1, 6.1.1
================================
Downloads and Documentation:
http://kb.vmware.com/kb/2111658

vRealize Code Stream 1.1, 1.0
=============================
Downloads and Documentation:
http://kb.vmware.com/kb/2111685

vFabric Postgres
================
Downloads
https://my.vmware.com/group/vmware/details?downloadGroup=VFPG_936&productId=373&rPId=7787
https://my.vmware.com/group/vmware/details?downloadGroup=VFPG_92_10&productId=325&rPId=7788
https://my.vmware.com/group/vmware/details?downloadGroup=VFPG_91_15&productId=274&rPId=7789

vRealize Hyperic 5.8.4, 5.7.2, 5.0.3
====================================
Downloads and Documentation:
http://kb.vmware.com/kb/KB2111337

vSphere AppHA 1.1.1
===================
Downloads and Documentation:
http://kb.vmware.com/kb/2111336

vCenter Chargeback Manager 2.7
==============================
Downloads and Documentation:
http://kb.vmware.com/kb/2112011

vCenter Chargeback Manager 2.6
==============================
Downloads and Documentation:
http://kb.vmware.com/kb/2113178

vRealize Business Adv/Ent 8.1, 8.0
==================================
Downloads and Documentation:
http://kb.vmware.com/kb/2112258

vRealize Business Standard 6.0, 1.1, 1.0
========================================
Downloads and Documentation:
http://kb.vmware.com/kb/2111802

vRealize Configuration Manager 5.7.3
====================================
Downloads and Documentation:
http://kb.vmware.com/kb/2111670

vRealize Infrastructure Navigator 5.8.4
=======================================
Download:
https://my.vmware.com/web/vmware/details?downloadGroup=VIN_584&productId=476

vRealize Infrastructure Navigator 5.7
=====================================
Downloads and Documentation:
http://kb.vmware.com/kb/2111334

vRealize Orchestrator 6.0, 5.5
==============================
Downloads and Documentation:
http://kb.vmware.com/kb/2112028

vRealize Orchestrator 5.1.3.1
=============================
Download:
https://my.vmware.com/group/vmware/get-download?downloadGroup=VSP51-VCL-VCOVA-51U3A
Documentation:
https://www.vmware.com/support/pubs/orchestrator_pubs.html

vSphere Update Manager 6.0, 5.5, 5.1, 5.0
=========================================
Downloads and Documentation:
https://www.vmware.com/go/download-vsphere

5. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6593

JRE
Oracle Java SE Critical Patch Update Advisory of January 2015
http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html

- ------------------------------------------------------------------------

6. Change log

2015-04-02 VMSA-2015-0003
Initial security advisory in conjunction with the release of VMware Horizon View 6.1, 5.3.4; vCenter Operations Manager 5.8.5; vCenter Operations Manager 5.7.4; vCloud Automation Center 6.0.1.2; vSphere Replication 5.8.0.2, 5.6.0.3; vRealize Automation 6.2.1, 6.1.1; vRealize Code Stream 1.1, 1.0; vRealize Hyperic 5.8.4, 5.7.2, 5.0.3; vSphere AppHA 1.1.1; vRealize Business Standard 1.1.1, 1.0.1; vRealize Configuration Manager prior to 5.7.3; vRealize Infrastructure 5.7, 5.8.4
Patches released on 2015-04-02.

2015-04-09 VMSA-2015-0003.1
Updated security advisory in conjunction with the release of VMware Horizon DaaS Platform 6.1.4, 5.4.5; vRealize Operations Manager 6.0; vRealize Application Services 6.2; vRealize Application Services 6.1; vCloud Application Director 6.0; vCenter Chargeback Manager 2.7, 2.6; vCloud Director For Service Providers 5.6.4.1; vRealize Log Insight 2.5, 2.0, 1.5, 1.0
Patches released on 2015-04-09.

2015-04-13 VMSA-2015-0003.2
Updated security advisory in conjunction with the release of vRealize Business Adv/Ent 8.1, 8.0
Patches released on 2015-04-13.

2015-04-16 VMSA-2015-0003.3
Updated security advisory in conjunction with the release of vCloud Connector 2.7.1; vCloud Usage Meter 3.3.3; vCenter Server 6.0, 5.5; vSphere Update Manager 6.0, 5.5
Patches released on 2015-04-16.

2015-04-17 VMSA-2015-0003.4
Updated security advisory in conjunction with the release of vCenter Site Recovery Manager 5.5.1.5
Patches released on 2015-04-16.

2015-04-23 VMSA-2015-0003.5
Updated security advisory in conjunction with the release of NSX for Multi-Hypervisor 4.2.4 and vFabric Postgres 9.3.6.0, 9.2.10.0 or 9.1.15.0
Patches released on 2015-04-23.

2015-04-30 VMSA-2015-0003.6
Updated security advisory in conjunction with the release of vCloud Networking and Security 5.5.4.1, vCenter Server 5.1 Update 3a, vCenter Server 5.0 Update 3d, vRealize Orchestrator 5.1.3.1, vSphere Update Manager 5.1 Update 3a and vSphere Update Manager 5.0 Update 3d
Patches released on 2015-04-30.

- ------------------------------------------------------------------------

7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:
security-announce at lists.vmware.com
bugtraq at securityfocus.com
fulldisclosure at seclists.org

E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055

VMware Security Advisories
http://www.vmware.com/security/advisories

Consolidated list of VMware Security Advisories
http://kb.vmware.com/kb/2078735

VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html

VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html

Twitter
https://twitter.com/VMwareSRC

Copyright 2015 VMware Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.3.0 (Build 8741)
Charset: utf-8

wj8DBQFVQnBODEcm8Vbi9kMRApVjAKC3591xg9sQeZGcrmwvuAibXKvGvQCdHXW8
PWe0y+KdFC6kKtnzUcd8kYo=
=B00k
-----END PGP SIGNATURE-----
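The advisory states the fix level for CVE-2014-6593 (SKIP-TLS) as a per-family JRE update threshold: 1.7 Update 75 or newer, and 1.6 Update 91 or newer. The script below is an added example for triaging an inventory against those thresholds; it is not VMware's code and is not part of the advisory. It parses `java -version`-style strings (the banner line or a bare `1.7.0_75` token), compares the update number against the family's threshold, and flags families the advisory does not name (1.8, for instance) as not covered rather than guessing. The host names and version strings in `SAMPLE_INVENTORY` are constructed.

```python
"""Triage JRE versions against the fix level VMSA-2015-0003.6 cites for
CVE-2014-6593: JRE 1.7 Update 75 or newer, JRE 1.6 Update 91 or newer.
Added example, not VMware code. Sample inventory below is constructed."""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Minimum update level per Java family, taken from the advisory text.
# Families absent here are reported as "not-covered" rather than judged.
FIXED_UPDATE = {
    (1, 7): 75,
    (1, 6): 91,
}

# Matches "1.7.0_75", "1.6.0_91-b21" and the banner 'java version "1.7.0_75"'.
# A missing "_NN" update suffix is treated as update 0; build tags are ignored.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:_(\d+))?")


@dataclass(frozen=True)
class JreVersion:
    major: int
    minor: int
    update: int


def parse_jre_version(text: str) -> Optional[JreVersion]:
    """Extract the first Java version token from a version string or banner."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, _micro, update = m.groups()
    return JreVersion(int(major), int(minor), int(update) if update else 0)


def assess(text: str) -> str:
    """Classify one version string: fixed, vulnerable, not-covered or unknown."""
    v = parse_jre_version(text)
    if v is None:
        return "unknown"          # version not reported; needs manual follow-up
    threshold = FIXED_UPDATE.get((v.major, v.minor))
    if threshold is None:
        return "not-covered"      # family not named in the advisory
    return "fixed" if v.update >= threshold else "vulnerable"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> assessment for an inventory of {host: version string}."""
    return {host: assess(ver) for host, ver in inventory.items()}


# Constructed sample inventory (hypothetical host names, not from the advisory).
SAMPLE_INVENTORY = {
    "vcenter-a": 'java version "1.7.0_75"',
    "vcenter-b": 'java version "1.7.0_72"',
    "vro-1": "1.6.0_91-b21",
    "vro-2": "1.6.0_45",
    "appliance-x": 'java version "1.8.0_40"',
    "unknown-host": "openjdk (version not reported)",
}

if __name__ == "__main__":
    for host, result in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:14s} {result}")
```

Feed it the output of `java -version` collected from each appliance; anything reported as "vulnerable" maps to a row in the advisory's patch table, and "not-covered" or "unknown" results are the ones to check by hand rather than assume fixed.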