Greetings from the VMware Security Response Center!

Today we released VMSA-2016-0021 which documents a Moderate severity issue in Vmware Identity Manager (vIDM) tracked by CVE-2016-5334.

This issue is similar to a directory traversal (def: OWASP) but based on our analysis the only data you can access are files in the /SAAS/WEB-INF and /SAAS/META-INF directories. While these directories have not been found to contain sensitive data, reading them directly is unintended and warranted a fix.

In addition, we would like to clarify that vRealize Automation (vRA) is also called out in this advisory because it consumes vIDM as an RPM and required a fix as well.

We also published VMSA-2016-0022 which documents several issues. While most of the items are straight forward, we would like to clarify the following from issue a:

1. vSphere 6.5 does not ship with a vSphere Client (aka. C# or ‘Thick’ Client).
2. To be safe, we recommend first removing and then reinstalling a fixed version of the vSphere Client.
3. Knowledge Base Article 2089791 is a great resource for directly downloading fixed versions of the vSphere Client.

We have classified the severity of the issues as either ‘Important’ or ‘Moderate’ in accordance with our Security Response Policy.

We also updated VMSA-2016-0005.5 and VMSA-2016-0018.3. Please see section ‘6. Change Log’ in the advisories for details.

Please sign up to be notified when new and updated VMSAs are released here.

That’s it for now.

Drop us a line at if you have any questions on these vulnerabilities or advisories.