We have discovered that the fix for CVE-2015-2342 documented in VMware Security Advisory VMSA-2015-0007.2 and earlier editions is incomplete for older versions of vCenter Server running on a Windows platform. An additional patch is now available for the following versions of vCenter Server on Windows to complement the earlier fix:

  • vCenter Server Windows 5.0 U3e on Windows
  • vCenter Server Windows 5.1 U3b on Windows
  • vCenter Server Windows 5.5 U3, 5.5 U3a, 5.5 U3b on Windows

The additional patch may be obtained from VMware Knowledge Base article 2144428. Customers running the above versions are strongly advised to apply this patch. Upcoming releases of vCenter Server 5.x on Windows will have a complete fix.

The incomplete fix did not address either the remote code execution possibility or the local privilege escalation. If the Windows Firewall is enabled on the Windows system on which vCenter Server is running, remote code execution is not possible.

The fix for CVE-2015-2342 documented in VMSA-2015-0007 for vCenter Server 6.0.0b and later on Windows and for vCenter Server Appliance is complete. Users of these versions do not need to apply the additional patch.