
VMware advisories/updates


181 replies to this topic

#106 AplusWebMaster

  • Authentic Member
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 23 December 2013 - 05:45 AM

FYI...

VMSA-2013-0016 - VMware ESXi and ESX unauthorized file access through vCenter Server and ESX
- http://www.vmware.co...-2013-0016.html
2013-12-22
Summary: VMware ESXi and ESX unauthorized file access through vCenter Server and ESX  
Relevant releases:
VMware ESXi 5.5 without patch ESXi550-201312001
VMware ESXi 5.1 without patch ESXi510-201310001
VMware ESXi 5.0 without patch update-from-esxi5.0-5.0_update03
VMware ESXi 4.1 without patch ESXi410-201312001
VMware ESXi 4.0 without patch ESXi400-201310001
VMware ESX 4.1 without patch ESX410-201312001
VMware ESX 4.0 without patch ESX400-201310001
Problem Description:
VMware ESXi and ESX unauthorized file access through vCenter Server and ESX
Workaround: A workaround is provided in VMware Knowledge Base article 2066856*...
* http://kb.vmware.com/kb/2066856

- http://www.securityt....com/id/1029529
CVE Reference: https://web.nvd.nist...d=CVE-2013-5973
Dec 23 2013
Impact: Disclosure of system information, Disclosure of user information, Modification of system information, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): ESX/ESXi 4.0, 4.1, ESXi 5.0, 5.1, 5.5
Solution:   The vendor has issued a fix.
ESXi 5.5: ESXi550-201312101-SG
ESXi 5.1: ESXi510-201310101-SG
ESXi 5.0: ESXi500-201310101-SG
ESXi 4.1: ESXi410-201312401-SG
ESXi 4.0: ESXi400-201310401-SG
ESX 4.1: ESX410-201312401-SG
ESX 4.0: ESX400-201310401-SG
The vendor's advisory is available at:
- http://www.vmware.co...-2013-0016.html
 


Edited by AplusWebMaster, 23 December 2013 - 12:44 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#107 AplusWebMaster


Posted 17 January 2014 - 07:23 AM

FYI...

VMSA-2014-0001 - VMware Workstation, Player, Fusion, ESXi, ESX and vCloud Director
- http://www.vmware.co...-2014-0001.html
2014-01-16
CVE numbers: CVE-2014-1207, CVE-2014-1208, CVE-2014-1211
Summary: VMware Workstation, Player, Fusion, ESXi, ESX and vCloud Director address several security issues.
Relevant releases:
VMware Workstation 9.x prior to version 9.0
VMware Player 5.x prior to version 5.0
VMware Fusion 5.x prior to version 5.0
VMware ESXi 5.1 without patch ESXi510-201401101
VMware ESXi 5.0 without patch ESXi500-201310101
VMware ESXi 4.1 without patch ESXi410-201312401
VMware ESXi 4.0 without patch ESXi400-201310401
VMware ESX 4.1 without patch ESX410-201312401
VMware ESX 4.0 without patch ESX400-201310401
vCloud Director 5.1.x prior to version 5.1.3 ...
 



#108 AplusWebMaster


Posted 12 March 2014 - 09:23 AM

FYI...

VMSA-2014-0002 - VMware vSphere updates - third party libraries
- http://www.vmware.co...-2014-0002.html
2014-03-11 - "Summary: VMware has updated vSphere third party libraries... The NTP daemon has a DDoS vulnerability in the handling of the "monlist" command. An attacker may send a forged request to a vulnerable NTP server resulting in an amplified response to the intended target of the DDoS attack... Mitigation for this issue is documented in VMware Knowledge Base article 2070193*..."
* http://kb.vmware.com/kb/2070193

vCenter Server 5.5 - Release Notes:
- https://www.vmware.c...ease-notes.html

ESXi 5.5
- http://kb.vmware.com/kb/2065826
___

- https://secunia.com/advisories/57388/
Release Date: 2014-03-12
Criticality: Highly Critical
Where: From remote
Impact: Manipulation of data, Exposure of sensitive information, DoS, System access...

- https://secunia.com/advisories/57393/
Release Date: 2014-03-12
Criticality: Highly Critical
Where: From remote
Impact: Manipulation of data, Exposure of sensitive information, DoS, System access...
 



Edited by AplusWebMaster, 12 March 2014 - 10:13 AM.



#109 AplusWebMaster


Posted 11 April 2014 - 06:46 AM

FYI...

VMSA-2014-0003 - VMware vSphere Client updates address security vulns
- http://www.vmware.co...-2014-0003.html
2014-04-10
Synopsis: VMware vSphere Client updates address security vulnerabilities
CVE numbers: CVE-2014-1209, CVE-2014-1210
Summary: VMware vSphere Client updates address security vulnerabilities
Relevant Releases: vSphere Client 5.1, 5.0, 4.1, 4.0
Problem Description: vSphere Client Insecure Client Download
vSphere Client contains a vulnerability in accepting an updated vSphere Client file from an untrusted source. The vulnerability may allow a host to direct vSphere Client to download and execute an arbitrary file from any URI. This issue can be exploited if the host has been compromised or if a user has been tricked into clicking a malicious link... table lists the action required to remediate the vulnerability in each release, if a solution is available...
(More detail available at the vmware URL above.)
___

- http://www.securityt....com/id/1030055
CVE Reference: CVE-2014-1209, CVE-2014-1210
Apr 11 2014
Impact: Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): vSphere Client 4.0, 4.1, 5.0, 5.1 ...
Solution: The vendor has issued a fix (5.0 Update 3, 5.1 Update 2; For versions 4.x, use vSphere Client 4.0 or 4.1 from ESX/ESXi)...
The vendor's advisory is available at:
- http://www.vmware.co...-2014-0003.html
 



Edited by AplusWebMaster, 12 April 2014 - 08:03 PM.



#110 AplusWebMaster


Posted 14 April 2014 - 11:59 AM

FYI...

VMSA-2014-0004.6 - VMware product updates address OpenSSL security vulnerabilities
- http://www.vmware.co...-2014-0004.html
Updated on: 2014-04-20
... Change Log:
2014-04-14 VMSA-2014-0004
Initial security advisory in conjunction with the release of Horizon Workspace Server 1.8 and 1.5 updates on 2014-04-14
2014-04-15 VMSA-2014-0004.1
Updated security advisory in conjunction with the release of Horizon Mirage Edge Gateway 4.4.2 patch on 2014-04-15
2014-04-16 VMSA-2014-0004.2
Updated security advisory in conjunction with the release of vCloud Networking and Security 5.5.2 and 5.1.4 on 2014-04-16
2014-04-17 VMSA-2014-0004.3
Updated security advisory in conjunction with the release of Workstation 10.0.2, Fusion 6.0.3, Player 6.0.2 and Horizon Workspace Client 1.8.1 on 2014-04-17
2014-04-18 VMSA-2014-0004.4
Updated security advisory in conjunction with the release of NSX 6.0.4 for vSphere, Horizon View 5.3 Feature Pack 2 and Horizon View Clients 2.3.3 on 2014-04-18
2014-04-19 VMSA-2014-0004.5
Updated security advisory in conjunction with the release of vCenter Server 5.5.0c, vCenter Server 5.5 Update 1a, ESXi 5.5, Horizon Workspace Server 1.8.1, NSX for Multi-Hypervisor 4.0.2 and 4.1.1, NSX 3.2.2, OVF Tool 3.5.1, vCloud Automation Center (vCAC) 6.0.1, vSphere Big Data Extensions 1.1 and Client Integration Plug-In 5.5 on 2014-04-19
2014-04-20 VMSA-2014-0004.6
Updated security advisory in conjunction with the release of vCloud Director 5.5.1.1 on 2014-04-20

- https://web.nvd.nist...d=CVE-2014-0076 - 4.3
- https://web.nvd.nist...d=CVE-2014-0160 - 5.0
___

VMware OpenSSL TLS/DTLS Heartbeat Vulnerabilities - Multiple Products ...
- https://secunia.com/advisories/57770/
Last Update:  2014-04-21
Criticality: Moderately Critical
Where: From remote
Impact: Exposure of sensitive information ...
Original Advisory:
- http://kb.vmware.com...ernalId=2076225
Purpose: The VMware Security Engineering, Communications, and Response group (vSECR) is investigating the OpenSSL issue dubbed "Heartbleed" (CVE-2014-0160).
This article reflects the status of the ongoing investigation.
Resolution: The following is a response to the current situation with the software security vulnerability dubbed Heartbleed:
The VMware Security and Engineering teams are working on remediation for the VMware products that have been impacted. VMware is acutely aware of the seriousness of the Heartbleed vulnerability, and all available resources are being directed toward a resolution amidst this industry-wide situation. VMware plans to release updated products and patches for all affected products in this article by April 19th. Please check this article for any updates or exceptions to this timeframe. See the lists below for affected products, and refer to the Resolution/mitigation section for steps to protect your systems while updates are being prepared...

 

- http://blog.socialca...-cve-2014-0160/
Apr 9, 2014
 



Edited by AplusWebMaster, 21 April 2014 - 07:45 AM.



#111 AplusWebMaster


Posted 30 May 2014 - 05:13 AM

FYI...

VMSA-2014-0005 - VMware Workstation, Player, Fusion, and ESXi patches
- http://www.vmware.co...-2014-0005.html
2014-05-29
Synopsis: VMware Workstation, Player, Fusion, and ESXi patches address a guest privilege escalation
CVE numbers: CVE-2014-3793
Relevant Releases:
VMware Workstation 10.x prior to version 10.0.2
VMware Player 6.x prior to version 6.0.2
VMware Fusion 6.x prior to version 6.0.3
ESXi 5.5 without patch ESXi550-201403102-SG
ESXi 5.1 without patch ESXi510-201404102-SG
ESXi 5.0 without patch ESXi500-201405102-SG
Problem Description:
Guest privilege escalation in VMware Tools: A kernel NULL dereference vulnerability was found in VMware Tools running on Microsoft Windows 8.1. Successful exploitation of this issue could lead to an escalation of privilege in the guest operating system...

- http://www.securityt....com/id/1030310
CVE Reference: CVE-2014-3793
May 30 2014
Impact:   User access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): Workstation 10.x prior to 10.0.2, Player 6.x prior to 6.0.2, Fusion 6.x prior to 6.0.3
Solution: The vendor has issued a fix (Workstation 10.0.2; Player 6.0.2; Fusion 6.0.3)...

- http://www.securityt....com/id/1030311
CVE Reference: CVE-2014-3793
May 30 2014
Impact:   User access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): ESXi 5.0, 5.1, 5.5
Solution: The vendor has issued a fix.
ESXi 5.0: ESXi500-201405102-SG
ESXi 5.1: ESXi510-201404102-SG
ESXi 5.5: ESXi550-201403102-SG ...
 



#112 AplusWebMaster


Posted 11 June 2014 - 12:48 PM

FYI...

VMSA-2014-0006 - VMware updates - OpenSSL security vulns
- http://www.vmware.co...-2014-0006.html
2014-06-10
CVE numbers: CVE-2014-0224, CVE-2014-0198, CVE-2010-5298, and CVE-2014-3470
Relevant Releases: ESXi 5.5 prior to ESXi550-201406401-SG
Change Log: 2014-06-10 VMSA-2014-0006 - Initial security advisory in conjunction with the release of ESXi 5.5 updates on 2014-06-10
Download: https://www.vmware.c...download.portal
Release Notes and Remediation Instructions:
- http://kb.vmware.com/kb/2077359
 



#113 AplusWebMaster


Posted 16 June 2014 - 03:44 AM

FYI...

VMSA-2014-0006.1 - VMware product updates address OpenSSL security vulns
- http://www.vmware.co...-2014-0006.html
Updated on: 2014-06-12
CVE numbers: CVE-2014-0224, CVE-2014-0198, CVE-2010-5298, and CVE-2014-3470
Relevant Releases:
Big Data Extensions prior to 2.0.0
ESXi 5.5 prior to ESXi550-201406401-SG
Horizon Mirage Edge Gateway prior to 4.4.3
vCD prior to 5.5.1.2
vCenter prior to 5.5u1b
vCSA prior to 5.5u1b
Update Manager prior to 5.5u1b
Change Log: 2014-06-12 VMSA-2014-0006.1
Updated security advisory in conjunction with the release of Big Data Extensions 2.0.0, Horizon Mirage Edge Gateway 4.4.3, vCD 5.5.1.2, vCenter Server 5.5u1b, vCSA 5.5u1b, and Update Manager 5.5u1b on 2014-06-12...
More at: http://www.vmware.co...-2014-0006.html
 



#114 AplusWebMaster


Posted 19 June 2014 - 03:34 AM

FYI...

VMSA-2014-0006.2 - VMware product updates address OpenSSL security vulnerabilities
- http://www.vmware.co...-2014-0006.html
Updated on: 2014-06-17
CVE numbers: CVE-2014-0224, CVE-2014-0198, CVE-2010-5298, and CVE-2014-3470
Relevant Releases:
Big Data Extensions prior to 2.0.0
ESXi 5.5 without patch ESXi550-201406401-SG
ESXi 5.1 without patch ESXi510-201406401-SG
Horizon Mirage Edge Gateway prior to 4.4.3
vCD prior to 5.5.1.2
vCenter prior to 5.5u1b
vCSA prior to 5.5u1b
Update Manager prior to 5.5u1b
VDDK prior to 5.0.4
VDDK prior to 5.1.3
VDDK prior to 5.5.2 ...
 



#115 AplusWebMaster


Posted 25 June 2014 - 03:11 AM

FYI...

VMSA-2014-0007 - VMware product updates - Apache Struts library
- http://www.vmware.co...-2014-0007.html
2014-06-24
CVE numbers:
- https://web.nvd.nist...d=CVE-2014-0050 - 5.0
- https://web.nvd.nist...d=CVE-2014-0094 - 5.0
- https://web.nvd.nist...d=CVE-2014-0112 - 7.5 (HIGH)
Relevant releases: VMware vCenter Operations Management Suite prior to 5.8.2
Problem Description: The Apache Struts library is updated to version 2.3.16.2 to address multiple security issues.
Solution: Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.
vCenter Operations Management Suite 5.8.2 / Downloads and Documentation:
- https://www.vmware.c.../download-vcops
Change log: 2014-06-24 VMSA-2014-0007 Initial security advisory in conjunction with the release of vCenter Operations Management Suite 5.8.2 on 2014-06-24...
 



Edited by AplusWebMaster, 25 June 2014 - 12:56 PM.



#116 AplusWebMaster


Posted 10 September 2014 - 01:28 PM

FYI...

VMSA-2014-0008 - VMware vSphere product updates to 3rd party libraries
- http://www.vmware.co...-2014-0008.html
Sep 9, 2014
Summary: VMware has updated vSphere third party libraries
- Relevant releases:
VMware vCenter Server 5.5 prior to Update 2
VMware vCenter Update Manager 5.5 prior to Update 2
VMware ESXi 5.5 without patch ESXi550-201409101-SG
Problem Description:
a. vCenter Server Apache Struts Update
b. vCenter Server tc-server 2.9.5 / Apache Tomcat 7.0.52 updates
c. Update to ESXi glibc package
d. vCenter and Update Manager, Oracle JRE 1.7 Update 55
Change log:
VMSA-2014-0008 Initial security advisory in conjunction with the release of vSphere 5.5 Update 2 on 2014-09-09...
 



#117 AplusWebMaster


Posted 12 September 2014 - 04:39 AM

FYI...

VMSA-2014-0009 - VMware NSX and vCNS product updates ...
- http://www.vmware.co...-2014-0009.html
2014-09-11
Summary: VMware NSX and vCloud Networking and Security (vCNS) product updates address a vulnerability that could lead to critical information disclosure.
Relevant releases:
NSX 6.0 prior to 6.0.6
vCNS 5.5 prior to 5.5.3
vCNS 5.1.4 prior to 5.1.4.2
Problem Description:
a. VMware NSX and vCNS information disclosure vulnerability
VMware NSX and vCNS contain an input validation vulnerability. This issue may allow for critical information disclosure...
- https://web.nvd.nist...d=CVE-2014-3796 - 5.0

- http://www.securityt....com/id/1030835
CVE Reference: CVE-2014-3796
Sep 11 2014
Impact: Disclosure of system information, Disclosure of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): vCNS 5.1.4 prior to 5.1.4.2, 5.5 prior to 5.5.3 ...
Solution: The vendor has issued a fix (5.1.4.2, 5.5.3)...
 



Edited by AplusWebMaster, 18 September 2014 - 09:49 AM.



#118 AplusWebMaster


Posted 01 October 2014 - 04:19 AM

FYI...

VMSA-2014-0010.13 - VMware product updates address critical Bash security vulns
- http://www.vmware.co...-2014-0010.html
Updated on: 2014-10-17
CVE numbers: CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187
Summary: VMware product updates address Bash security vulnerabilities.
Problem Description:
a. Bash update for multiple products: Bash libraries have been updated in multiple products to resolve multiple critical security issues, also referred to as Shellshock...
I) ESXi and ESX Hypervisor: ESXi is not affected because ESXi uses the Ash shell (through busybox), which is not affected by the vulnerability reported for the Bash shell. ESX has an affected version of the Bash shell.
II) Windows-based products: Windows-based products, including all versions of vCenter Server running on Windows, are not affected.
III) VMware (virtual) appliances: VMware (virtual) appliances ship with an affected version of Bash.
See table 2 for remediation for appliances.
IV) Products that run on Linux, Android, OSX or iOS (excluding virtual appliances)
Products that run on Linux, Android, OSX or iOS (excluding virtual appliances) might use the Bash shell that is part of the operating system. If the operating system has a vulnerable version of Bash, the Bash security vulnerability might be exploited through the product. VMware recommends that customers contact their operating system vendor for a patch.
MITIGATIONS: VMware encourages restricting access to appliances through firewall rules and other network layer controls to only trusted IP addresses. This measure will greatly reduce any risk to these appliances...
References: http://kb.vmware.com/kb/2090740
09/26/2014 - Added Virtual Appliance info
09/27/2014 - Updated list of affected virtual appliances, affected ESXi and ESX versions, affected services, and added guidance
09/29/2014 - Added new CVEs and updated affected products and services; updated AirWatch MDM Cloud Services info
09/30/2014 - Added patch information
10/01/2014 - Added patch information
10/03/2014 - Added patch information
10/04/2014 - Added patch information
10/05/2014 - Added patch information
10/06/2014 - Added patch information
10/07/2014 - Added patch information
(More detail at the vmware URLs above.)
VMSA-2014-0010.13
Updated on: 2014-10-17
Change Logs:

2014-09-30 VMSA-2014-0010: Initial security advisory in conjunction with the release of vCenter Log Insight 2.0 U1 on 2014-09-30.
2014-10-01 VMSA-2014-0010.1: Updated advisory in conjunction with the release of ESX 4.x patches, vCenter Server Appliance 5.5 U2a, 5.1 U2b, and 5.0 U3b, vCloud Director Appliance 5.5.1.3, VMware Data Recovery 2.0.4, VMware Mirage Gateway 5.1.1 and vSphere Storage Appliance 5.5.2 on 2014-10-01. Added CVE-2014-6277 and CVE-2014-6278 as they have been confirmed to be mitigated.
2014-10-01 VMSA-2014-0010.2: Updated advisory in conjunction with the release of Horizon Workspace patches, IT Business Management Suite 1.1.0 and 1.0.1, vCenter Operations Manager patches, vCenter Site Recovery Manager 5.5.1.3 and 5.1.2.2, vCloud Application Director patches, vCloud Automation Center patches, vCloud Automation Center Application Services patches, vCloud Director Appliance 5.5.1.3, vFabric Postgres 9.3.5.1, 9.2.9.1, and 9.1.14.1, vSphere Replication 5.8.0.1, 5.5.1.3, and 5.1.2.2 on 2014-10-01.
2014-10-02 VMSA-2014-0010.3: Updated advisory in conjunction with the release of vCenter Hyperic Server 5.8.3, 5.7.2, and 5.0.3, vCenter Infrastructure Navigator 5.8.3, 5.7.1, and 2.0.1, vCenter Orchestrator Appliance patches, vCenter Support Assistant patches, vSphere App HA 1.1.1, vSphere Management Assistant 5.5 EP1 and 5.0 EP1, and vSphere Storage Appliance patches on 2014-10-02
2014-10-02 VMSA-2014-0010.4: Updated advisory in conjunction with the release of Horizon DaaS Platform 6.1.1, 6.0.2, and 5.4.3, vCenter Orchestrator Appliance 5.5.2.1, vCloud Connector 2.6.1, vCloud Usage Meter 3.3.2, and vSphere Replication 5.6.0.2 on 2014-10-02.
2014-10-03 VMSA-2014-0010.5: Updated advisory in conjunction with the release of vCloud Networking and Security 5.5.3.1 and 5.1.4.3 on 2014-10-03.
2014-10-04 VMSA-2014-0010.6: Updated advisory in conjunction with the release of NSX for Multi-Hypervisor 4.2.1, 4.1.4, and 4.0.5, NSX for vSphere 6.1.1 and 6.0.7, NVP 3.2.4, and vSphere Big Data Extensions 2.x patch on 2014-10-04.
2014-10-05 VMSA-2014-0010.7: Updated advisory in conjunction with the release of View Planner 3.0.1.1, and vSphere Data Protection 5.x patch on 2014-10-05.
2014-10-06 VMSA-2014-0010.8: Updated advisory in conjunction with the release of vCenter Hyperic Server 5.8.2 SP3, 5.8.1 SP3, 5.8.0 SP2, 5.7.1 SP1, and 5.0.2 SP1, vCenter Log Insight 1.5.0U1, View Planner Flexible 3.0.1.1, VMware Application Dependency Planner 2.0.0.1, VMware HealthAnalyzer 5.0.3.1, and vSphere App HA 1.1.0 patch on 2014-10-06.
2014-10-07 VMSA-2014-0010.9: Updated advisory in conjunction with the release of vCenter Operations Manager patches, VMware Socialcast On Premise 2-116-1 and 2-112-1, and vSphere Data Protection patches on 2014-10-07.
2014-10-08 VMSA-2014-0010.10: Updated advisory in conjunction with the release of vCenter Operations Manager patches on 2014-10-08.
2014-10-09 VMSA-2014-0010.11: Updated advisory in conjunction with the release of vCenter Converter Standalone 5.5.3 and 5.1.2, and vCenter Log Insight 2.0.5 on 2014-10-09.
2014-10-13 VMSA-2014-0010.12: Updated advisory in conjunction with the release of VMware Studio 2.x patch on 2014-10-13.
2014-10-17 VMSA-2014-0010.13: Updated advisory in conjunction with the release of vCenter Application Discovery Manager 7.0 patch, vSphere Management Assistant 5.1.0.2, and VMware Workbench 3.0.2 on 2014-10-17.

 

- http://www.securityt....com/id/1030943
CVE Reference: CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187
Updated: Oct 14 2014
Impact: Execution of arbitrary code via local system, Execution of arbitrary code via network, User access via local system, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes ...
... vulnerability is being actively exploited...
... advisory is available at: http://www.vmware.co...-2014-0010.html
... archive entry is a follow-up to: http://www.securityt....com/id/1030890
 



Edited by AplusWebMaster, 18 October 2014 - 10:29 PM.



#119 AplusWebMaster


Posted 23 October 2014 - 10:10 AM

FYI...

VMSA-2014-0011 - VMware vSphere Data Protection - critical update
- http://www.vmware.co...-2014-0011.html
2014-10-22
Summary: VMware vSphere Data Protection product update addresses a critical information disclosure vulnerability.
Relevant releases: VMware vSphere Data Protection 5.5 prior to 5.5.7
Solution: Please review the patch/release notes for your product and version...
- https://cve.mitre.or...e=CVE-2014-4624
Downloads:
- https://my.vmware.co...roup=VDPADV55_7
Documentation:
- https://www.vmware.c...leasenotes.html
___

- http://www.securityt....com/id/1031114
CVE Reference: http://cve.mitre.org...e=CVE-2014-4624
Oct 23 2014
Impact: Disclosure of authentication information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): vSphere Data Protection 5.5.x prior to 5.5.7 ...
Impact: A remote user can obtain passwords.
Solution: The vendor has issued a fix (5.5.7)...
 



Edited by AplusWebMaster, 25 October 2014 - 04:49 AM.



#120 AplusWebMaster


Posted 05 December 2014 - 06:00 AM

FYI...

VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities
- http://www.vmware.co...-2014-0012.html
2014-12-04
CVE numbers: CVE-2014-3797, CVE-2014-8371, CVE-2013-2877, CVE-2014-0191, CVE-2014-0015, CVE-2014-0138, CVE-2013-1752 and CVE-2013-4238
Summary: VMware vSphere product updates address a Cross Site Scripting issue, a certificate validation issue and security vulnerabilities in third-party libraries.
Relevant releases:
VMware vCenter Server Appliance 5.1 Prior to Update 3
VMware vCenter Server 5.5 prior to Update 2
VMware vCenter Server 5.1 prior to Update 3
VMware vCenter Server 5.0 prior to Update 3c
VMware ESXi 5.1 without patch ESXi510-201412101-SG ...

- http://www.securityt....com/id/1031302
CVE-2014-3797
Dec 5 2014
Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): vCSA 5.1 ...
Solution: The vendor has issued a fix (5.1 Update 3)...

- http://www.securityt....com/id/1031303
CVE Reference: CVE-2014-8371
Dec 5 2014
Impact:   Disclosure of system information, Modification of system information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): vCenter Server 5.0, 5.1, 5.5 ...
Solution: The vendor has issued a fix (5.0 Update 3c, 5.1 Update 3, 5.5 Update 2)...
 
