
Monthly Archives: February 2016

New VMware Security Advisory VMSA-2016-0002

Today VMware has released the following new security advisory:

New


VMSA-2016-0002

The advisory documents remediation and workarounds for a critical security issue in the glibc library, CVE-2015-7547.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

VMware products and CVE-2015-7547, glibc getaddrinfo security issue

Last Tuesday, a stack buffer overflow in the glibc library (CVE-2015-7547) was disclosed. We have reviewed the issue and determined which products are affected. A workaround that blocks malicious traffic has been identified and is being tested on relevant, affected products.

VMware Knowledge Base article 2144032 lists the affected products and documents the workaround for the products where testing has concluded successfully. Customers are advised to deploy the workarounds. Upcoming releases of our products will include the fix for the issue.

2/22 Update
VMware Knowledge Base article 2144032 continues to be updated when new workarounds, patches, and updated releases for CVE-2015-7547 become available.
In addition, we have released VMware Security Advisory VMSA-2016-0002 to alert customers to the release of a patch that addresses CVE-2015-7547 on ESXi 5.5.

2/23 Update
VMware Security Advisory VMSA-2016-0002 has been updated after the release of a patch that addresses CVE-2015-7547 on ESXi 6.0. We’ve also updated VMware Knowledge Base article 2144032 and added more workarounds, patches, and updated releases for CVE-2015-7547.

3/29 Update
Today, new versions of vCenter Server Appliance (VCSA), 5.0 U3f, 5.1 U3c, and 5.5 U3c, which address CVE-2015-7547, have been released. Earlier in February we released workarounds for VCSA.
As mentioned before, update releases that address this CVE on VMware appliances, along with workarounds and patches, are found in VMware Knowledge Base article 2144032. This KB will continue to be updated on a regular basis.

Additional Patch for JMX RMI Issue (CVE-2015-2342) for vCenter Server 5.x running on Windows

We have discovered that the fix for CVE-2015-2342 documented in VMware Security Advisory VMSA-2015-0007.2 and earlier editions is incomplete for older versions of vCenter Server running on a Windows platform. An additional patch is now available for the following versions of vCenter Server on Windows to complement the earlier fix:

  • vCenter Server Windows 5.0 U3e on Windows
  • vCenter Server Windows 5.1 U3b on Windows
  • vCenter Server Windows 5.5 U3, 5.5 U3a, 5.5 U3b on Windows

The additional patch may be obtained from VMware Knowledge Base article 2144428. Customers running the above versions are strongly advised to apply this patch. Upcoming releases of vCenter Server 5.x on Windows will have a complete fix.

The incomplete fix did not address the possibility of remote code execution or the local privilege escalation. If the Windows Firewall is enabled on the Windows system on which vCenter Server is running, remote code execution is not possible.

The fix for CVE-2015-2342 documented in VMSA-2015-0007 for vCenter Server 6.0.0b and later on Windows and for vCenter Server Appliance is complete. Users of these versions do not need to apply the additional patch.