
New VMware Security Advisory VMSA-2016-0012 and Updated Advisory

Today VMware has released the following new and updated security advisories:
New: VMSA-2016-0012
Updated: VMSA-2016-0007.1

The new advisory documents a left-over public SSH key that was used during the development process of the VMware Photon OS 1.0 OVAs, CVE-2016-5333.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

VMSA Improvements

Greetings from the VMware Security Response Center!

We’ve made some minor improvements in our latest VMSA based on community feedback and I thought we should share what these changes are and why we’ve made them.

Added an overall severity to the advisory itself in the header section

This is to better inform you, the customer, of the severity level of the VMSA as a whole. The severity level in this field will always be equal to the highest severity of any individual vulnerability mentioned in the VMSA. For details on our severity classifications, please see our VMware Security Response Policy.

Overhauled the ‘Relevant Releases’ section

We have renamed this section ‘Relevant Products’ and simplified it. Previously we would attempt to enumerate all releases of affected products and list them. We have found this section to be somewhat confusing for our customers. The idea of this section was to provide you with a quick reference to determine if the advisory was applicable to your environment. We have further simplified this to simply list product lines rather than versions. If you have a product from this list in your environment, you should definitely read the rest of the advisory.

Added a severity column to the section “3. Problem Description” tables

It is commonplace that a single vulnerability may affect our different products in various ways. This column will allow us to better describe the severity of an issue as it relates to a specific product.

Added a workaround column to the section “3. Problem Description” tables

This column will be used to point to knowledge base articles which describe workarounds that you can perform immediately to mitigate or remove the possibility of exploitation that the vulnerability presents. Please note, we always recommend upgrading to the product versions listed in the table but we also understand this may take time from a practical standpoint. There will not always be a workaround for every issue, but we will provide them whenever they are possible and functionally feasible.

So those are the improvements we have added to the VMSA. We will not be updating previous VMSAs with this information, but these will persist in all future VMSAs. We hope this will help to simplify and clarify the issues we disclose in these advisories.

Please, drop us a line at security@vmware.com if you have any questions, comments, or suggestions.

Don’t Panic. 🙂
————————
Edward Hawkins
Senior Program Manager
VMware Security Response Center
security@vmware.com

New VMware Security Advisory VMSA-2016-0010

Today VMware has released the following new security advisory:

VMSA-2016-0010 – VMware product updates address multiple important security issues

This addresses a DLL hijacking issue in the Windows-based VMware Tools “Shared Folders” (HGFS) feature (CVE-2016-5330) and an HTTP header injection issue in vCenter Server and ESXi (CVE-2016-5331).

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

VMware releases OVAL content editor open source project

Hello Everyone,

Today, VMware releases an open source OVAL content editor project that complies with the SCAP 1.3 draft specification. A couple of months back VMware released an SCAP compliance assessment and remediation app for FREE. The security and compliance community loved it and came back to us asking for an easier and simpler way to write OVAL assessment rules and generate XCCDF from them instead of handcrafting the XML. We listened and responded!


New VMware Security Advisory VMSA-2016-0009 and Updated Advisories

Today, VMware has released the following new and updated security advisories:
New: VMSA-2016-0009
Updated: VMSA-2015-0007.6, VMSA-2015-0009.3, VMSA-2016-0005.4

The new advisory addresses an important cross-site scripting issue in the vSphere Web Client, CVE-2015-6931. The issue is present on the server side in vCenter Server running on Windows and in vCenter Server Appliance.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

New VMware Security Advisories VMSA-2016-0007 and VMSA-2016-0008

Today VMware has released the following new security advisories:

VMSA-2016-0007 – VMware NSX and vCNS product updates address a critical information disclosure vulnerability.
VMSA-2016-0008 – VMware vRealize Log Insight addresses important and moderate security issues.

An information disclosure issue (CVE-2016-2079) may allow a remote attacker to gain access to sensitive information on VMware NSX and vCNS with SSL-VPN enabled. By exploiting the stored cross-site scripting issue (CVE-2016-2081) and the cross-site request forgery issue (CVE-2016-2082) in VMware vRealize Log Insight, an attacker can hijack an authenticated user’s session and may also replace trusted content in the Log Insight UI without the user’s authorization.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

New VMware Security Advisory VMSA-2016-0006 and Updated Advisories

Today VMware has released the following new and updated security advisories:
New: VMSA-2016-0006
Updated: VMSA-2015-0007.5, VMSA-2016-0005.1

The new advisory addresses an important cross-site scripting issue in the vSphere Web Client, CVE-2016-2078. The issue is present on the server side when vCenter Server is running on Windows.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

New VMware Security Advisory VMSA-2016-0005

Today VMware has released the following new security advisory:

New: VMSA-2016-0005

The advisory documents remediation for a critical deserialization vulnerability in Oracle JRE, CVE-2016-3427. vCenter Server is one of the affected products; however, only the local exploit scenario is relevant if the vCenter Server patches and versions listed in VMSA-2015-0007 have been deployed. The advisory also documents a host privilege escalation on Workstation and Player, CVE-2016-2077.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisory and direct any questions to VMware Support.

VMware releases STIG Compliance App for FREE

Hello Everyone,

I am pleased to announce the availability of VMware STIG Compliance App. Using this app, you can assess, remediate and harden remote *NIX machines in line with STIG (Security Technical Implementation Guide) or any other security configuration benchmark. The app is available as a container image.

The app requires the configuration benchmark to be in SCAP 1.2 format and is capable of performing XCCDF or OVAL assessments. The app uses OpenSCAP as the assessment engine and Ansible as the action engine for performing remediation and hardening.


New VMware Security Advisory VMSA-2016-0004

Today VMware has released the following new security advisory:

New: VMSA-2016-0004

The advisory documents a critical security vulnerability in the way the VMware Client Integration Plugin handles session content (CVE-2016-2076). In order to remediate this issue, both the server side and the client side will need to be updated. On the client side this means that the Client Integration Plugin (in use by the vSphere Web Client) must be updated.
Since vCloud Director 5.5.5 is affected by this issue, we want to mention that the version of vCloud Director that is deployed in vCloud Air is not affected.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.