
New VMware Security Advisory VMSA-2016-0009 and Updated Advisories

Today, VMware has released the following new and updated security advisories:

New
  • VMSA-2016-0009

Updated
  • VMSA-2015-0007.6
  • VMSA-2015-0009.3
  • VMSA-2016-0005.4

The new advisory addresses an important cross-site scripting issue in the vSphere Web Client, CVE-2015-6931. The issue is present on the server side in vCenter Server running on Windows and in vCenter Server Appliance.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

New VMware Security Advisories VMSA-2016-0007 and VMSA-2016-0008

Today VMware has released the following new security advisories:

  • VMSA-2016-0007 – VMware NSX and vCNS product updates address a critical information disclosure vulnerability.
  • VMSA-2016-0008 – VMware vRealize Log Insight addresses important and moderate security issues.

The information disclosure issue (CVE-2016-2079) may allow a remote attacker to gain access to sensitive information on VMware NSX and vCNS with SSL-VPN enabled. By exploiting the stored cross-site scripting issue (CVE-2016-2081) and the cross-site request forgery issue (CVE-2016-2082) in VMware vRealize Log Insight, an attacker can hijack an authenticated user's session and may also replace trusted content in the Log Insight UI without the user's authorization.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

New VMware Security Advisory VMSA-2016-0006 and Updated Advisories

Today VMware has released the following new and updated security advisories:

New
  • VMSA-2016-0006

Updated
  • VMSA-2015-0007.5
  • VMSA-2016-0005.1

The new advisory addresses an important cross-site scripting issue in the vSphere Web Client, CVE-2016-2078. The issue is present on the server side when vCenter Server is running on Windows.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

New VMware Security Advisory VMSA-2016-0005

Today VMware has released the following new security advisory:

New
  • VMSA-2016-0005

The advisory documents remediation for a critical deserialization vulnerability in Oracle JRE, CVE-2016-3427. vCenter Server is one of the affected products; however, only the local exploit scenario is relevant if the vCenter Server patches and versions listed in VMSA-2015-0007 have been deployed. The advisory also documents a host privilege escalation on Workstation and Player, CVE-2016-2077.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisory and direct any questions to VMware Support.

VMware releases STIG Compliance App for FREE

Hello Everyone,

I am pleased to announce the availability of VMware STIG Compliance App. Using this app, you can assess, remediate and harden remote *NIX machines in line with STIG (Security Technical Implementation Guide) or any other security configuration benchmark. The app is available as a container image.

The app requires the configuration benchmark to be in SCAP 1.2 format and is capable of performing XCCDF or OVAL assessments. The app uses OpenSCAP as the assessment engine and Ansible as the action engine for performing remediation and hardening.


New VMware Security Advisory VMSA-2016-0004

Today VMware has released the following new security advisory:

New
  • VMSA-2016-0004

The advisory documents a critical security vulnerability in the way the VMware Client Integration Plugin handles session content (CVE-2016-2076). In order to remediate this issue, both server side and client side will need to be updated. On the client side this means that the Client Integration Plugin (in use by the vSphere Web Client) must be updated.
Since vCloud Director 5.5.5 is affected by this issue, we want to mention that the version of vCloud Director that is deployed in vCloud Air is not affected.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

New VMware Security Advisory VMSA-2016-0002

Today VMware has released the following new security advisory:

New
  • VMSA-2016-0002

The advisory documents remediation and workarounds for a critical security issue in the glibc library, CVE-2015-7547.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

VMware products and CVE-2015-7547, glibc getaddrinfo security issue

Last Tuesday, a stack buffer overflow in the glibc library (CVE-2015-7547) was disclosed. We have reviewed the issue and determined which products are affected. A workaround that blocks malicious traffic has been identified and is being tested on relevant, affected products.

VMware Knowledge Base article 2144032 lists the affected products and documents the workaround for the products where testing has concluded successfully. Customers are advised to deploy the workarounds. Upcoming releases of our products will include the fix for the issue.

2/22 Update
VMware Knowledge Base article 2144032 continues to be updated when new workarounds, patches, and updated releases for CVE-2015-7547 become available.
In addition, we have released VMware Security Advisory VMSA-2016-0002 to alert customers to the release of a patch that addresses CVE-2015-7547 on ESXi 5.5.

2/23 Update
VMware Security Advisory VMSA-2016-0002 has been updated after the release of a patch that addresses CVE-2015-7547 on ESXi 6.0. We've also updated VMware Knowledge Base article 2144032 and added more workarounds, patches, and updated releases for CVE-2015-7547.

3/29 Update
Today, new versions of vCenter Server Appliance (VCSA), 5.0 U3f, 5.1 U3c, and 5.5 U3c, which address CVE-2015-7547, have been released. Earlier in February we released workarounds for VCSA.
As mentioned before, update releases that address this CVE on VMware appliances, along with workarounds and patches, are found in VMware Knowledge Base article 2144032. This KB will continue to be updated on a regular basis.

Additional Patch for JMX RMI Issue (CVE-2015-2342) for vCenter Server 5.x running on Windows

We have discovered that the fix for CVE-2015-2342 documented in VMware Security Advisory VMSA-2015-0007.2 and earlier editions is incomplete for older versions of vCenter Server running on a Windows platform. An additional patch is now available for the following versions of vCenter Server on Windows to complement the earlier fix:

  • vCenter Server 5.0 U3e on Windows
  • vCenter Server 5.1 U3b on Windows
  • vCenter Server 5.5 U3, 5.5 U3a, 5.5 U3b on Windows

The additional patch may be obtained from VMware Knowledge Base article 2144428. Customers running the above versions are strongly advised to apply this patch. Upcoming releases of vCenter Server 5.x on Windows will have a complete fix.

The incomplete fix did not address the remote code execution possibility and the local privilege escalation. In case the Windows Firewall is enabled on the Windows system on which vCenter Server is running, remote code execution is not possible.

The fix for CVE-2015-2342 documented in VMSA-2015-0007 for vCenter Server 6.0.0b and later on Windows and for vCenter Server Appliance is complete. Users of these versions do not need to apply the additional patch.

New VMware Security Advisory VMSA-2015-0009

Today VMware has released the following new and updated security advisories:

New
  • VMSA-2015-0009 : VMware product updates address a critical deserialization vulnerability

Updated
  • VMSA-2015-0003.15 : VMware product updates address critical information disclosure issue in JRE
  • VMSA-2015-0008.1 : VMware product updates address information disclosure issue

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.