Greetings from the VMware Security Response Center!

Today we released VMSA-2016-0023 and VMSA-2016-0024.

VMSA-2016-0023 – VMware ESXi updates address a cross-site scripting issue

These updates address a stored cross-site scripting vulnerability (CVE-2016-7463) in the ESXi Host Client which we have rated as an Important severity issue. The issue can be introduced by an attacker that has permission to manage virtual machines through ESXi Host Client or by tricking the vSphere administrator to import a specially crafted VM.

Just to clarify, no action is required from organizations who are using ESXi 6.5. Those who are on ESXi 6.0 or 5.5 will need to install the ESXi patches listed in VMSA-2016-0023 to resolve this issue.

In addition to our supported ESXi releases, we also have a ESXi Host Client fling available. Even though flings fall under the Technical Preview License and are not meant to be used in a production environment we have provided a fix for this issue in 1.13.0.

Caleb Watt (@calebwatt15) reported this issue to us – great find Caleb!

VMSA-2016-0024 – vSphere Data Protection (VDP) updates address SSH Key-Based authentication issue

This vulnerability (CVE-2016-7456) is resolved by applying the script found in KB2147069. We have investigated possible workarounds for the issue such as disabling SSH but unfortunately they are not feasible. Because an attacker would need to be able to reach port 22 on the VDP appliance to take advantage of the vulnerability, limiting access to this via perimeter and internal security measures can help to mitigate the issue. However, due to the issue’s Critical severity it is strongly advised that customers using VDP apply the fix for this issue immediately.

Marc Ströbel (aka phroxvs) from HvS-Consulting tipped us off to this issue – thanks Marc!

Please sign up to be notified when new and updated VMSAs are published here.

That’s it for now.

Drop us a line at if you have any questions on these vulnerabilities or advisories.