New VMware security advisory VMSA-2015-0003 (SKIP-TLS)

Today VMware has released the following new security advisory,


The advisory documents CVE-2014-6593, which was issued for the incorrect handling of the ChangeCipherSpec in Oracle JRE also known as “SKIP” or “SKIP-TLS”. The issue allows a Man-in-the Middle to manipulate the SSL handshake which may result in impersonation of the server or in communication over plaintext between client and server.

We have reviewed CVE-2014-6593 and determined that it is a critical security issue if an application initiates communication over an untrusted network. Because of this, VMware is updating JRE in products that may face the Internet first, followed by updating JRE in products that are typically deployed in a datacenter but don’t communicate outside. The advisory will be republished when JRE is updated in VMware products through new patches or product releases.

Customers should review the advisory and direct any question to VMware Support.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories