UPDATE : VMSA-2015-0008.1 – VMware product updates address information disclosure issue

------------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID: VMSA-2015-0008.1
Synopsis:    VMware product updates address information disclosure
             issue

Issue date:  2015-11-18
Updated on:  2015-12-18
CVE number:  CVE-2015-3269 CVE-2015-5255
------------------------------------------------------------------------

1. Summary

  VMware product updates address information disclosure issue.


2. Relevant Releases

  VMware vCenter Server 5.5 prior to version 5.5 update 3
  VMware vCenter Server 5.1 prior to version 5.1 update u3b
  VMware vCenter Server 5.0 prior to version 5.0 update u3e

  vCloud Director 5.6 prior to version 5.6.4
  vCloud Director 5.5 prior to version 5.5.3

  VMware Horizon View 6.0 prior to version 6.1
  VMware Horizon View 5.0 prior to version 5.3.4



3. Problem Description

   a. vCenter Server, vCloud Director, Horizon View information
      disclosure issue.

     VMware products that use Flex BlazeDS may be affected by a flaw in
     the processing of XML External Entity (XXE) requests. A specially
     crafted XML request sent to the server could lead to unintended
     information be disclosed.

     VMware would like to thank Matthias Kaiser of Code White GmbH for
     reporting this issue to us.

     The Common Vulnerabilities and Exposures project (cve.mitre.org)
     has assigned the identifier CVE-2015-3269 to this issue.

     The product updates listed in the table below have also been
     determined to address a XML External Entity (XXE) Processing and
     Server Side Request Forgery vulnerability in Flex BlazeDS.

     VMware would like to thank James Kettle of PortSwigger Web Security
     for reporting these issues to us.

     The Common Vulnerabilities and Exposures project (cve.mitre.org)
     has assigned the identifier CVE-2015-5255 to these issues.

     Column 4 of the following table lists the action required to
     remediate the vulnerability in each release, if a solution is
     available.

        VMware          Product  Running   Replace with/
        Product         Version  on        Apply Patch
        ====================  =======   =================
        vCenter Server    6.0      any      not affected
        vCenter Server    5.5      any      5.5 update 3
        vCenter Server    5.1      any      5.1 update u3b
        vCenter Server    5.0      any      5.5 update u3e

        vCloud Director   5.6      any      5.6.4
        vCloud Director   5.5      any      5.5.3

        Horizon View      6.0      any      6.1
        Horizon View      5.3      any      5.3.4


4. Solution

   Please review the patch/release notes for your product and version
   and verify the checksum of your downloaded file.


   vCenter Server
   --------------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/download-vsphere

   vCloud Director For Service Providers
   --------------------------------
   Downloads and Documentation:
   https://www.vmware.com/support/pubs/vcd_pubs.html

   Horizon View 6.1, 5.3.4:
   --------------------------------
   Downloads:
   https://my.vmware.com/web/vmware/details?downloadGroup=VIEW-610-GA&productId=492
   https://my.vmware.com/web/vmware/details?downloadGroup=VIEW-534-PREMIER&productId=396


5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3269
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5255

------------------------------------------------------------------------

6. Change log

   2015-11-18 VMSA-2015-0008
   Initial security advisory

   2015-12-18 VMSA-2015-0008.1
   Updated advisory to note these updates also address CVE-2015-5255

------------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

    security-announce at lists.vmware.com
    bugtraq at securityfocus.com
    fulldisclosure at seclists.org

   E-mail: security at vmware.com
   PGP key at: http://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   Consolidated list of VMware Security Advisories
   http://kb.vmware.com/kb/2078735

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html

   Twitter
   https://twitter.com/VMwareSRC

   Copyright 2015 VMware Inc.  All rights reserved.
_______________________________________________
Security-announce mailing list
Security-announce-xEzmwC/hc7si8rCdYzckzA< at >public.gmane.org
http://lists.vmware.com/mailman/listinfo/security-announce

Leave a Reply