------------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2015-0008
Synopsis: VMware product updates address information disclosure
issue
Issue date: 2015-11-18
Updated on: 2015-11-18
CVE number: CVE-2015-3269
------------------------------------------------------------------------
1. Summary
VMware product updates address information disclosure issue.
2. Relevant Releases
VMware vCenter Server 5.5 prior to version 5.5 update 3
VMware vCenter Server 5.1 prior to version 5.1 update u3b
VMware vCenter Server 5.0 prior to version 5.0 update u3e
vCloud Director 5.6 prior to version 5.6.4
vCloud Director 5.5 prior to version 5.5.3
VMware Horizon View 6.0 prior to version 6.1
VMware Horizon View 5.0 prior to version 5.3.4
3. Problem Description
a. vCenter Server, vCloud Director, Horizon View information
disclosure issue.
VMware products that use Flex BlazeDS may be affected by a flaw in
the processing of XML External Entity (XXE) requests. A specially
crafted XML request sent to the server could lead to unintended
information be disclosed.
VMware would like to thank Matthias Kaiser of Code White GmbH for
reporting this issue to us.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the identifier CVE-2015-3269 to this issue.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
==================== ======= =================
vCenter Server 6.0 any not affected
vCenter Server 5.5 any 5.5 update 3
vCenter Server 5.1 any 5.1 update u3b
vCenter Server 5.0 any 5.5 update u3e
vCloud Director 5.6 any 5.6.4
vCloud Director 5.5 any 5.5.3
Horizon View 6.0 any 6.1
Horizon View 5.3 any 5.3.4
4. Solution
Please review the patch/release notes for your product and version
and verify the checksum of your downloaded file.
vCenter Server
--------------------------------
Downloads and Documentation:
https://www.vmware.com/go/download-vsphere
vCloud Director For Service Providers
--------------------------------
Downloads and Documentation:
https://www.vmware.com/support/pubs/vcd_pubs.html
Horizon View 6.1, 5.3.4:
--------------------------------
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=VIEW-610-GA&productId=492
https://my.vmware.com/web/vmware/details?downloadGroup=VIEW-534-PREMIER&productId=396
5. References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3269
------------------------------------------------------------------------
6. Change log
2015-11-18 VMSA-2015-0008
Initial security advisory
------------------------------------------------------------------------
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
security-announce at lists.vmware.com
bugtraq at securityfocus.com
fulldisclosure at seclists.org
E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
Consolidated list of VMware Security Advisories
http://kb.vmware.com/kb/2078735
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
Twitter
https://twitter.com/VMwareSRC
Copyright 2015 VMware Inc. All rights reserved.
_______________________________________________
Security-announce mailing list
Security-announce-xEzmwC/hc7si8rCdYzckzA< at >public.gmane.org
http://lists.vmware.com/mailman/listinfo/security-announce