Author Archives: Kieron Shorrock

VMware Products and CVE-2015-1793

On July 9th 2015, the OpenSSL project released a Security Advisory covering a single issue, CVE-2015-1793, rated “high” severity. The bug is in certificate chain verification: when the first attempt to build a chain to a trusted root failed and OpenSSL fell back to trying an alternative chain, some checks (notably the CA flag on intermediate certificates) were not applied, so an attacker holding any valid leaf certificate could issue further certificates that affected clients and servers would accept.

The advisory lists OpenSSL 1.0.1n, 1.0.1o, 1.0.2b and 1.0.2c as the affected releases; all four were released in June 2015, and the issue is fixed in 1.0.1p and 1.0.2d. Earlier releases on those branches do not contain the bug.

VMware Security Response Center (vSRC) has investigated this issue and can confirm that no VMware product has shipped with these versions of OpenSSL, and that our service offerings do not use them.

We have issued VMware Knowledge Base article 2124931 on this.

VMware has put safeguards in place to ensure upcoming product releases will not ship with these versions of OpenSSL.
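The practical check behind a statement like the one above is to find out which OpenSSL release each binary actually carries. The Python below is an added example for this post, not VMware's or the OpenSSL project's code: it parses an `openssl version` banner and classifies it against the affected releases named in the advisory (1.0.1n, 1.0.1o, 1.0.2b, 1.0.2c; fixed in 1.0.1p and 1.0.2d). The function names and the sample banners are constructed for the example.

```python
"""Check an OpenSSL version banner against the CVE-2015-1793 affected range.

Added example for this post, not VMware's or the OpenSSL project's code.  The
affected releases (1.0.1n, 1.0.1o, 1.0.2b, 1.0.2c) are the ones named in the
OpenSSL advisory; the fixed releases are 1.0.1p and 1.0.2d.  The sample banners
in main() are constructed for illustration.
"""
import re
import subprocess

# Per branch, the inclusive range of letter suffixes that contain the bug.
AFFECTED = {
    "1.0.1": ("n", "o"),
    "1.0.2": ("b", "c"),
}

# Matches the start of an `openssl version` banner such as
# "OpenSSL 1.0.1o 12 Jun 2015" or "OpenSSL 1.0.2c-fips 12 Jun 2015".
_BANNER_RE = re.compile(r"OpenSSL\s+(\d+\.\d+\.\d+)([a-z]*)")


def parse_banner(banner):
    """Return (branch, letter_suffix) or None if the banner is not recognised.

    OpenSSL orders patch releases by letter suffix ("1.0.1" < "1.0.1a" < ...
    < "1.0.1z" < "1.0.1za"), which plain string comparison reproduces.
    """
    m = _BANNER_RE.search(banner)
    if not m:
        return None
    return m.group(1), m.group(2)


def is_affected(banner):
    """True if the banner names an affected release, False if not, None if the
    banner could not be parsed (treat None as 'go and look')."""
    parsed = parse_banner(banner)
    if parsed is None:
        return None
    branch, letter = parsed
    window = AFFECTED.get(branch)
    if window is None:
        return False
    low, high = window
    return low <= letter <= high


def local_openssl_affected(binary="openssl"):
    """Run `<binary> version` and classify it; None if the binary is missing,
    fails, or prints something unrecognised."""
    try:
        out = subprocess.run([binary, "version"], capture_output=True,
                             text=True, check=True, timeout=5).stdout
    except (OSError, subprocess.SubprocessError):
        return None
    return is_affected(out)


if __name__ == "__main__":
    # Constructed sample banners.
    for sample in ("OpenSSL 1.0.1o 12 Jun 2015",
                   "OpenSSL 1.0.2c-fips 12 Jun 2015",
                   "OpenSSL 1.0.1p 9 Jul 2015",
                   "OpenSSL 1.0.1k 8 Jan 2015",
                   "OpenSSL 0.9.8zg 11 Jun 2015"):
        print(f"{sample!r:42} affected={is_affected(sample)}")
    print("local openssl affected:", local_openssl_affected())
```

The banner only tells you about the one binary you ran. Products that bundle their own copy of libcrypto (the situation this post is about) need every embedded copy enumerated separately; the same version text is compiled into the library, so running `strings` over a bundled libcrypto and feeding the `OpenSSL 1.0.x...` line to `is_affected` gives the same answer for that copy.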

VMSA-2015-0003 (SKIP-TLS)

New VMware security advisory VMSA-2015-0003 (SKIP-TLS)

Today VMware has released the following new security advisory:

VMSA-2015-0003

The advisory documents CVE-2014-6593, issued for the incorrect handling of the ChangeCipherSpec message in the Oracle JRE (its JSSE TLS implementation), also known as “SKIP” or “SKIP-TLS”. The issue allows a Man-in-the-Middle to manipulate the SSL/TLS handshake by omitting handshake messages, which may result in impersonation of the server or in client and server communicating over plaintext.

We have reviewed CVE-2014-6593 and determined that it is a critical security issue for any application that initiates communication over an untrusted network. Because of this, VMware is updating the JRE first in products that may face the Internet, followed by products that are typically deployed in a datacenter and do not communicate outside it. The advisory will be republished as the JRE is updated in VMware products through new patches or product releases.
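As an added illustration of the class of bug the advisory describes (not Oracle's JSSE code, and not the exact message sequence used against Java), the Python model below contrasts a handshake receiver that dispatches on message type alone with one that enforces the expected message order. It models only ordering and whether each direction of the record layer has switched to the negotiated cipher; key exchange, certificate validation and the Finished verify_data check are left out. The names TLSClient, run_trace and SKIP_TRACE, and the traces themselves, are constructed for the example.

```python
"""Toy model of a TLS client handshake state machine: a lax receiver that
dispatches on message type alone versus a strict one that enforces order.

Added example for this post, not Oracle's JSSE code and not a reproduction of
the reported bug.  It models only message ordering and whether each direction
of the record layer has switched to the negotiated cipher; key exchange,
certificate validation and the Finished verify_data check are left out.
Message names follow TLS 1.0-1.2; the traces are constructed.
"""
from dataclasses import dataclass, field


class HandshakeError(Exception):
    """What a strict client does on an out-of-order message: abort with an
    unexpected_message alert instead of processing it."""


# Server messages a client expects in an RSA key exchange, in order.  The
# client's own ClientKeyExchange, ChangeCipherSpec and Finished go out when
# ServerHelloDone is processed.
SERVER_FLOW = ("ServerHello", "Certificate", "ServerHelloDone",
               "ChangeCipherSpec", "Finished")


@dataclass
class TLSClient:
    strict: bool = True
    next_expected: int = 0          # index into SERVER_FLOW
    write_protected: bool = False   # client has sent its own ChangeCipherSpec
    read_protected: bool = False    # server's ChangeCipherSpec was received
    handshake_complete: bool = False
    transcript: list = field(default_factory=list)

    def expected(self):
        if self.next_expected < len(SERVER_FLOW):
            return SERVER_FLOW[self.next_expected]
        return "ApplicationData"

    def recv(self, msg):
        """Process one message from the peer.  Strict mode accepts only the
        next expected message; lax mode accepts any known message in any
        state, which is the flaw class SKIP-TLS describes."""
        if msg not in SERVER_FLOW and msg != "ApplicationData":
            raise HandshakeError(f"decode_error: unknown message {msg}")
        if self.strict and msg != self.expected():
            raise HandshakeError(
                f"unexpected_message: got {msg}, expected {self.expected()}")
        self.transcript.append("<- " + msg)
        if msg == "ServerHelloDone":
            self.transcript += ["-> ClientKeyExchange", "-> ChangeCipherSpec",
                                "-> Finished"]
            self.write_protected = True
        elif msg == "ChangeCipherSpec":
            self.read_protected = True
        elif msg == "Finished":
            # A strict client can only get here with both directions switched
            # on.  The lax client completes regardless, so a peer that skipped
            # ServerHelloDone and/or ChangeCipherSpec leaves it in cleartext.
            self.handshake_complete = True
        elif msg == "ApplicationData":
            if not self.handshake_complete:
                raise HandshakeError("application data before Finished")
            return {"type": msg, "protected": self.read_protected}
        self.next_expected = SERVER_FLOW.index(msg) + 1
        return None

    def send_application_data(self, payload):
        """The record the client would emit; 'protected' is False when its
        write cipher state was never switched on."""
        if not self.handshake_complete:
            raise HandshakeError("handshake not complete")
        return {"type": "ApplicationData", "protected": self.write_protected,
                "payload": payload}


def run_trace(server_msgs, strict):
    """Feed a server's messages to a fresh client and summarise what happened."""
    client = TLSClient(strict=strict)
    try:
        for msg in server_msgs:
            client.recv(msg)
        record = client.send_application_data(b"GET / HTTP/1.1\r\n")
    except HandshakeError as exc:
        return {"error": str(exc), "completed": client.handshake_complete}
    return {"error": None, "completed": True,
            "writes_protected": record["protected"],
            "reads_protected": client.read_protected}


HONEST_SERVER = SERVER_FLOW
# Constructed attacker trace: the peer never sends ServerHelloDone or
# ChangeCipherSpec, so neither side ever turns encryption on.
SKIP_TRACE = ("ServerHello", "Certificate", "Finished")

if __name__ == "__main__":
    for name, trace in (("honest", HONEST_SERVER), ("skip", SKIP_TRACE)):
        for strict in (False, True):
            mode = "strict" if strict else "lax"
            print(f"{name:6} {mode:6} {run_trace(trace, strict)}")
```

Against the honest trace both clients finish with both directions protected. Against the skipping peer the lax client reports the handshake complete with neither direction protected and the peer never having done the key exchange step that proves possession of the certificate's private key, which is the impersonation-or-plaintext outcome the advisory describes; the strict client aborts at the first out-of-order message. The same traces, sent over a socket, are a reasonable smoke test for any TLS stack you are asked to sign off on.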

Customers should review the advisory and direct any questions to VMware Support.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Consolidated list of VMware Security Advisories

Today (8/21/2014) VMware Security Response Center is releasing a consolidated list of VMware Security Advisories in the form of an Excel file (see below). The list provides a single source for Security Advisories published since 2012.

The list contains, for each CVE, all affected products and versions, fix details, known workarounds, VMware Knowledge Base articles, and release notes or KBs. It is provided so that customers can import Security Advisory details into their security management or patch management systems.

We plan to update the list each time a new or updated VMware Security Advisory is released.

Details of the contents can be found in VMware Knowledge Base article:

http://kb.vmware.com/kb/2078735

You can download the consolidated list here:

https://www.vmware.com/files/xls/security/VMWareSecurityAdvisoryList.xlsx

This document provides the following information about the affected product(s) for each Security Advisory:
  • Vulnerability Title
  • Vulnerability Description
  • Advisory Name
  • Advisory URL
  • CVE(s)
  • Affected Product
  • Affected Version
  • Affected Running on
  • Fixed Patch Release Number
  • Fixed Bulletin ID
  • Fixed Build No.
  • Knowledge Base Article associated with fix
  • Workarounds
  • Reporting Company
  • Reporting Individual
  • CVSS v2*
  • CVSS*
  • First Published Date
  • Last Update Date

Note: * CVSS details have been sourced from NIST for consistency.


New VMware Security Advisory VMSA-2014-0006

Today VMware has released the following new security advisory:

VMSA-2014-0006
VMware product updates address OpenSSL security vulnerabilities

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.