
New VMware Security Advisory VMSA-2016-0004

Today VMware has released the following new security advisory:

New
VMSA-2016-0004

The advisory documents a critical security vulnerability in the way the VMware Client Integration Plugin handles session content (CVE-2016-2076). To remediate this issue, both the server side and the client side need to be updated. On the client side this means that the Client Integration Plugin (used by the vSphere Web Client) must be updated.
Since vCloud Director 5.5.5 is affected by this issue, we want to mention that the version of vCloud Director deployed in vCloud Air is not affected.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

New VMware Security Advisory VMSA-2016-0002

Today VMware has released the following new security advisory:

New
VMSA-2016-0002

The advisory documents remediation and workarounds for a critical security issue in the glibc library, CVE-2015-7547.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

VMware products and CVE-2015-7547, glibc getaddrinfo security issue

Last Tuesday, a stack buffer overflow in the glibc library (CVE-2015-7547) was disclosed. We have reviewed the issue and determined which products are affected. A workaround that blocks malicious traffic has been identified and is being tested on the relevant affected products.

VMware Knowledge Base article 2144032 lists the affected products and documents the workaround for the products where testing has concluded successfully. Customers are advised to deploy the workarounds. Upcoming releases of our products will include the fix for the issue.

2/22 Update
VMware Knowledge Base article 2144032 continues to be updated as new workarounds, patches, and updated releases for CVE-2015-7547 become available.
In addition, we have released VMware Security Advisory VMSA-2016-0002 to alert customers to the release of a patch that addresses CVE-2015-7547 on ESXi 5.5.

2/23 Update
VMware Security Advisory VMSA-2016-0002 has been updated following the release of a patch that addresses CVE-2015-7547 on ESXi 6.0. We have also updated VMware Knowledge Base article 2144032 with more workarounds, patches, and updated releases for CVE-2015-7547.

3/29 Update
Today, new versions of vCenter Server Appliance (VCSA), 5.0 U3f, 5.1 U3c, and 5.5 U3c, which address CVE-2015-7547, have been released. Earlier in February we released workarounds for VCSA.
As mentioned before, update releases that address this CVE on VMware appliances, along with workarounds and patches, are listed in VMware Knowledge Base article 2144032. This KB will continue to be updated on a regular basis.

Additional Patch for JMX RMI Issue (CVE-2015-2342) for vCenter Server 5.x running on Windows

We have discovered that the fix for CVE-2015-2342 documented in VMware Security Advisory VMSA-2015-0007.2 and earlier editions is incomplete for older versions of vCenter Server running on a Windows platform. An additional patch is now available for the following versions of vCenter Server on Windows to complement the earlier fix:

  • vCenter Server 5.0 U3e on Windows
  • vCenter Server 5.1 U3b on Windows
  • vCenter Server 5.5 U3, 5.5 U3a, 5.5 U3b on Windows

The additional patch may be obtained from VMware Knowledge Base article 2144428. Customers running the above versions are strongly advised to apply this patch. Upcoming releases of vCenter Server 5.x on Windows will have a complete fix.

The incomplete fix did not address the remote code execution possibility or the local privilege escalation. If the Windows Firewall is enabled on the Windows system on which vCenter Server is running, remote code execution is not possible.

The fix for CVE-2015-2342 documented in VMSA-2015-0007 for vCenter Server 6.0.0b and later on Windows and for vCenter Server Appliance is complete. Users of these versions do not need to apply the additional patch.

New VMware Security Advisory VMSA-2015-0009

Today VMware has released the following new and updated security advisories:

New
VMSA-2015-0009 : VMware product updates address a critical deserialization vulnerability

Updated

VMSA-2015-0003.15 : VMware product updates address critical information disclosure issue in JRE
VMSA-2015-0008.1 : VMware product updates address information disclosure issue

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

New VMware Security Advisory VMSA-2015-0008

Today VMware has released the following new security advisory, VMSA-2015-0008, to address an information disclosure issue (CVE-2015-3269).

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisory and direct any questions to VMware Support.

New VMware Security Advisory VMSA-2015-0007

Today VMware has released the following new and updated security advisories:

New
VMSA-2015-0007 for CVE-2015-5177, CVE-2015-2342 and CVE-2015-1047

Updated
VMSA-2015-0006.1 has been updated to clarify the configurations that CVE-2015-6932 applies to.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

New VMware Security Advisory VMSA-2015-0006

Today VMware has released the following new advisory:

VMSA-2015-0006

This addresses a VMware vCenter Server LDAP certificate validation issue. For more information on setting up certificates with LDAP, please see http://kb.vmware.com/kb/2130915.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2015-6932 to this issue.

Customers that are looking for updates to open source and/or third party software in a product release should refer to the release notes for the release.

VMware releases CJIS compliance toolkit in VCM for Windows based environments

VMware is pleased to announce the availability of an automated compliance assessment toolkit for the Criminal Justice Information Services (CJIS) Security Policy in VMware vRealize Configuration Manager (VCM). The toolkit aligns with CJIS Security Policy version 5.3 and maps to 92 checks across various MS-Windows flavors. Using the toolkit in VCM, law enforcement agencies at the state, local, federal, and international level can quickly assess Windows configuration and compare it with CJIS Security Policy requirements. Additionally, you can remediate the infringements with a few clicks. Get the product sheet!

VMware Products and CVE-2015-1793

On July 9th 2015, the OpenSSL project released a Security Advisory. This advisory contained one security issue (CVE-2015-1793), which was given a severity rating of “high”.

The advisory lists OpenSSL 1.0.1n, 1.0.1o, 1.0.2b and 1.0.2c as being affected by this issue. These updates were released in June 2015.

VMware Security Response Center (vSRC) has investigated this issue and we can confirm that we have not shipped any products with these versions of OpenSSL. We can also confirm that our service offerings do not use them.

We have issued VMware Knowledge Base article 2124931 on this.

VMware has put safeguards in place to ensure that upcoming product releases will not ship with these versions of OpenSSL.