VMware advisories/updates


181 replies to this topic

#121 AplusWebMaster

  • Authentic Member
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 09 December 2014 - 08:10 PM

FYI...

VMSA-2014-0013 - VMware vCloud Automation Center product updates address a critical remote privilege escalation vulnerability
- http://www.vmware.co...-2014-0013.html
2014-12-09
CVE numbers: http://cve.mitre.org...e=CVE-2014-8373
Summary: VMware vCloud Automation Center (vCAC) product updates address a critical vulnerability in the vCAC VMware Remote Console (VMRC) function which could lead to a remote privilege escalation.
2. Relevant releases: vCloud Automation Center 6.x without patch
3. Problem Description:
a. VMware vCloud Automation Center remote privilege escalation
VMware vCloud Automation Center has a remote privilege escalation vulnerability. This issue may allow an authenticated vCAC user to obtain administrative access to vCenter Server.
This issue is present in environments that use the "Connect (by) Using VMRC" function in vCAC to connect directly to vCenter Server. Environments that exclusively use vCloud Director (vCD) as a proxy to connect to vCenter Server are not affected.
At this time the issue is remediated by removing the "Connect (by) Using VMRC" functionality for directly connecting to vCenter Server. Deploying the provided patch will remove this functionality.
VMware is working on a secure solution that will restore this functionality. Customers may continue to use the "Connect (by) Using RDP" or "Connect (by) Using SSH" options for remote desktop management as they are not affected by this issue...
4. Solution: Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.
vCloud Automation Center 6.x
Downloads and Documentation:
- http://kb.vmware.com/kb/2097932 ..."
 

:ph34r:


.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#122 AplusWebMaster


Posted 11 December 2014 - 05:45 AM

FYI...

VMSA-2014-0014 - AirWatch by VMware product update addresses information disclosure vulnerabilities
- http://www.vmware.co...-2014-0014.html
2014-12-10
CVE numbers: https://cve.mitre.or...e=CVE-2014-8372
Summary: AirWatch by VMware product update addresses information disclosure vulnerabilities
Relevant releases: AirWatch by VMware on-premise 7.3.x.x prior to 7.3.3.0 (FP3)
Problem Description: AirWatch by VMware has direct object reference vulnerabilities. These issues may allow a user that manages an AirWatch deployment in a multi-tenant environment to view the organizational information and statistics of another tenant. AirWatch Cloud has been patched to resolve this issue, On-Premise deployments must be updated. See solution section for details...
To perform a self-upgrade, please email support@air-watch.com to request the install files. (Please note that only requests submitted by your company’s AirWatch Administrator(s) will be accepted)...

- http://www.securityt....com/id/1031342
CVE Reference: https://cve.mitre.or...e=CVE-2014-8372
Dec 11 2014
Impact: Disclosure of system information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 7.3.x.x prior to 7.3.3.0 (FP3) ...
Solution: The vendor has issued a fix (7.3.3.0 (FP3))...
 

:ph34r: :ph34r:




#123 AplusWebMaster


Posted 28 January 2015 - 04:21 AM

FYI...

VMSA-2015-0001 VMware vCenter Server, ESXi, Workstation, Player, Fusion security issue updates
- http://www.vmware.co...-2015-0001.html
2015-01-27
CVE numbers: CVE-2014-8370, CVE-2015-1043, CVE-2015-1044
--- OPENSSL ---
CVE-2014-3513, CVE-2014-3567, CVE-2014-3566, CVE-2014-3568
--- libxml2 ---
CVE-2014-3660
Summary: VMware vCenter Server, ESXi, Workstation, Player and Fusion address several security issues.
Relevant Releases:
VMware Workstation 10.x prior to version 10.0.5
VMware Player 6.x prior to version 6.0.5
VMware Fusion 7.x prior to version 7.0.1
VMware Fusion 6.x prior to version 6.0.5
vCenter Server 5.5 prior to Update 2d
ESXi 5.5 without patch ESXi550-201403102-SG, ESXi550-201501101-SG
ESXi 5.1 without patch ESXi510-201404101-SG
ESXi 5.0 without patch ESXi500-201405101-SG
Problem Description:
VMware ESXi, Workstation, Player, and Fusion host privilege escalation vulnerability
VMware ESXi, Workstation, Player and Fusion contain an arbitrary file write issue. Exploitation of this issue may allow for privilege escalation on the host.
The vulnerability does not allow for privilege escalation from the guest Operating System to the host or vice-versa. This means that host memory can not be manipulated from the Guest Operating System...
Solution: Please review the patch/release notes for your product and version and verify the checksum of your downloaded file...

VMSA-2014-0012.1 - VMware vSphere product updates address security vulnerabilities
- http://www.vmware.co...-2014-0012.html
Updated on: 2015-01-27
CVE numbers: CVE-2014-3797, CVE-2014-8371, CVE-2013-2877, CVE-2014-0191, CVE-2014-0015, CVE-2014-0138, CVE-2013-1752 and CVE-2013-4238
Summary: VMware vSphere product updates address a Cross Site Scripting issue, a certificate validation issue and security vulnerabilities in third-party libraries...
 

:ph34r: :ph34r:




#124 AplusWebMaster


Posted 30 January 2015 - 05:35 AM

FYI...

VMSA-2015-0002 - VMware vSphere Data Protection product update
- certificate validation vulnerability

- http://www.vmware.co...-2015-0002.html
2015-01-29
CVE-2014-4632
Summary: VMware vSphere Data Protection product update addresses a certificate validation vulnerability.
Relevant releases:
VMware vSphere Data Protection 5.8
VMware vSphere Data Protection 5.5 prior to 5.5.9
VMware vSphere Data Protection 5.1 all versions
Problem Description:
VMware vSphere Data Protection certificate validation vulnerability. VMware vSphere Data Protection (VDP) does not fully validate SSL certificates coming from vCenter Server. This issue may allow a Man-in-the-Middle attack that enables the attacker to perform unauthorized backup and restore operations...
Downloads:
5.8.1: https://my.vmware.co...adGroup=VDP58_1
5.5.9: https://my.vmware.co...adGroup=VDP55_9
___

- http://www.securityt....com/id/1031664
CVE Reference: https://cve.mitre.or...e=CVE-2014-4632
Jan 30 2015
Impact: Disclosure of system information, Modification of system information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): vSphere Data Protection 5.1, 5.5.x prior to 5.5.9, 5.8 ...
Solution: The vendor has issued a fix (VDP 5.5.9, 5.8.1)...
___

VMSA-2015-0001.1 - VMware vCenter Server, ESXi, Workstation, Player, and Fusion updates address security issues
- http://www.vmware.co...-2015-0001.html
Updated on: 2015-02-26
Summary: VMware vCenter Server, ESXi, Workstation, Player and Fusion address several security issues.
Solution: Please review the patch/release notes for your product and version and verify the checksum of your downloaded file...
 

:ph34r:


Edited by AplusWebMaster, 24 March 2015 - 03:40 AM.



#125 AplusWebMaster


Posted 03 April 2015 - 10:48 AM

FYI...

VMSA-2015-0003 - Critical information disclosure issue in JRE
- https://www.vmware.c...-2015-0003.html
2015-04-02
Relevant Releases:
Horizon View 6.x or 5.x
Horizon Workspace Portal Server  2.1 or 2.0
vCenter Operations Manager 5.8.x or 5.7.x
vCloud Automation Center 6.0.1
vSphere Replication prior to 5.8.0.2 or 5.6.0.3
vRealize Automation 6.2.x or 6.1.x
vRealize Code Stream 1.1 or 1.0
vRealize Hyperic 5.8.x, 5.7.x or 5.0.x
vSphere AppHA Prior to 1.1.x
vRealize Business Standard prior to 1.1.x or 1.0.x
NSX for Multi-Hypervisor  prior to 4.2.4    
vRealize Configuration Manager 5.7.x or 5.6.x
vRealize Infrastructure 5.8, 5.7
Problem Description:
a. Oracle JRE Update:
Oracle JRE is updated in VMware products to address a critical security issue that existed in earlier releases of Oracle JRE.
VMware products running JRE 1.7 Update 75 or newer and JRE 1.6 Update 91 or newer are not vulnerable to CVE-2014-6593, as documented in the Oracle Java SE Critical Patch Update Advisory of January 2015.
This advisory also includes the other security issues that are addressed in JRE 1.7 Update 75 and JRE 1.6 Update 91...
References: https://web.nvd.nist...d=CVE-2014-6593 - 4.0
Oracle Java SE Critical Patch Update Advisory of January 2015
- http://www.oracle.co...ml#AppendixJAVA

- https://secunia.com/advisories/62858/
 

:ph34r: :ph34r:


Edited by AplusWebMaster, 05 April 2015 - 06:52 AM.



#126 AplusWebMaster


Posted 09 June 2015 - 08:25 PM

FYI...

VMSA-2015-0004 - VMware Workstation, Fusion / Horizon View Client updates...
- https://www.vmware.c...-2015-0004.html
2015-06-09
CVE numbers: CVE-2012-0897, CVE-2015-2336, CVE-2015-2337, CVE-2015-2338, CVE-2015-2339, CVE-2015-2340, CVE-2015-2341
Summary: VMware Workstation, Fusion and Horizon View Client updates address critical security issues.
Relevant Releases:
VMware Workstation prior to version 11.1.1
VMware Workstation prior to version 10.0.6
VMware Player prior to version 7.1.1
VMware Player prior to version 6.0.6
VMware Fusion prior to version 7.0.1
VMware Fusion prior to version 6.0.6
VMware Horizon Client for Windows prior to version 3.4.0
VMware Horizon Client for Windows prior to version 3.2.1
VMware Horizon Client for Windows (with local mode) prior to version 5.4.1
Problem Description:
a. VMware Workstation and Horizon Client memory manipulation issues
VMware Workstation and Horizon Client TPView.dll and TPInt.dll incorrectly handle memory allocation. On Workstation, this may allow a guest to execute code or perform a Denial of Service on the Windows OS that runs Workstation. In the case of a Horizon Client, this may allow a View desktop to execute code or perform a Denial of Service on the Windows OS that runs the Horizon Client...
b. VMware Workstation, Player, and Fusion Denial of Service vulnerability
VMware Workstation, Player, and Fusion contain an input validation issue on an RPC command. This issue may allow for a Denial of Service of the Guest Operating System (32-bit) or a Denial of Service of the Host Operating System (64-bit)...
___

- http://www.securityt....com/id/1032529
CVE Reference: CVE-2012-0897, CVE-2015-2336, CVE-2015-2337, CVE-2015-2338, CVE-2015-2339, CVE-2015-2340

Jun 9 2015
Impact: Denial of service via local system, User access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): Horizon Client for Windows prior to versions 3.2.1, 3.4.0, and (with local mode) 5.4.1...
Solution: The vendor has issued a fix (Horizon Client for Windows 3.2.1, 3.4.0, 5.4.2).

- http://www.securityt....com/id/1032530
CVE Reference: CVE-2012-0897, CVE-2015-2336, CVE-2015-2337, CVE-2015-2338, CVE-2015-2339, CVE-2015-2340, CVE-2015-2341
Jun 9 2015
Impact: Denial of service via local system, User access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): Workstation prior to versions 10.0.6, 11.1.1; Player prior to versions 6.0.6, 7.1.1; Fusion prior to versions 6.0.6, 7.0.1...
Solution: The vendor has issued a fix (Workstation 10.0.6, 11.1.1; Player 6.0.6, 7.1.1; Fusion 6.0.6, 7.0.1).
 

:ph34r: :ph34r:


Edited by AplusWebMaster, 10 June 2015 - 08:12 AM.



#127 AplusWebMaster


Posted 10 July 2015 - 04:51 AM

FYI...

VMSA-2015-0005 - VMware Workstation, Player and Horizon View Client for Windows
- https://www.vmware.c...-2015-0005.html
2015-07-09
CVE number: CVE-2015-3650
Summary: VMware Workstation, Player and Horizon View Client for Windows updates address a host privilege escalation vulnerability.
Relevant Releases:
VMware Workstation for Windows 11.x prior to version 11.1.1
VMware Workstation for Windows 10.x prior to version 10.0.7
VMware Player for Windows 7.x prior to version 7.1.1
VMware Player for Windows 6.x prior to version 6.0.7
VMware Horizon Client for Windows (with Local Mode Option) prior to version 5.4.2
Problem Description:
a. VMware Workstation, Player and Horizon View Client for Windows host privilege escalation vulnerability.
VMware Workstation, Player and Horizon View Client for Windows do not set a discretionary access control list (DACL) for one of their processes. This may allow a local attacker to elevate their privileges and execute code in the security context of the affected process.
Solution: Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.
VMware Workstation: https://www.vmware.c...loadworkstation
VMware Player: https://www.vmware.c.../downloadplayer
VMware Horizon Clients: https://www.vmware.com/go/viewclients
___

- http://www.securityt....com/id/1032822
CVE Reference: CVE-2015-3650
Jul 10 2015
Impact: Root access via local system, User access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): Horizon Client for Windows (with Local Mode Option) prior to 5.4.2 ...
Solution: The vendor has issued a fix (5.4.2)...

- http://www.securityt....com/id/1032823
CVE Reference: CVE-2015-3650
Jul 10 2015
Impact: Root access via local system, User access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  
Solution: The vendor has issued a fix (Workstation 10.0.7, 11.1.1; Player 6.0.7, 7.1.1)...
 

:ph34r:




#128 AplusWebMaster


Posted 17 September 2015 - 05:52 AM

FYI...

VMSA-2015-0006 - VMware vCenter Server updates address a LDAP certificate validation issue
- https://www.vmware.c...-2015-0006.html
2015-09-16
1. Summary
VMware vCenter Server updates address a LDAP certificate validation issue.
2. Relevant Releases
VMware vCenter Server prior to version 6.0 update 1
VMware vCenter Server prior to version 5.5 update 3
3. Problem Description
VMware vCenter Server LDAP certificate validation vulnerability.
VMware vCenter Server does not validate the certificate when binding to an LDAP server using TLS. Exploitation of this vulnerability may allow an attacker that is able to intercept traffic between vCenter Server and the LDAP server to capture sensitive information.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2015-6932 to this issue...

VMware Security Advisories
- http://kb.vmware.com/kb/2078735
___

- http://www.securityt....com/id/1033582
CVE Reference: CVE-2015-6932
Sep 16 2015
Impact: Disclosure of system information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): Server; 5.5.x prior to 5.5 update 3, 6.0.x prior to 6.0 update 1...
Solution: The vendor has issued a fix (5.5 u3, 6.0 u1).
 

:ph34r: :ph34r:




#129 AplusWebMaster


Posted 01 October 2015 - 12:01 PM

FYI...

VMSA-2015-0007.2 - VMware vCenter and ESXi updates address critical security issues
- https://www.vmware.c...-2015-0007.html

2015-10-20 VMSA-2015-0007.2
Updated security advisory to reflect that CVE-2015-2342 is fixed in an earlier vCenter Server version (6.0.0b) than originally reported (6.0 U1) and that the port required to exploit the vulnerability is blocked in the appliance versions of the software (5.1 and above).
Change log: 2015-10-06 VMSA-2015-0007.1
"Updated security advisory in conjunction with the release of ESXi 5.5 U3a on 2015-10-06. Added a note to section 3.a to alert customers to a non-security issue in ESXi 5.5 U3 that is addressed in ESXi 5.5 U3a."

1. Summary:
VMware vCenter and ESXi updates address critical security issues.
2. Relevant Releases:
VMware ESXi 5.5 without patch ESXi550-201509101
VMware ESXi 5.1 without patch ESXi510-201510101
VMware ESXi 5.0 without patch ESXi500-201510101
VMware vCenter Server 6.0 prior to version 6.0 update 1
VMware vCenter Server 5.5 prior to version 5.5 update 3
VMware vCenter Server 5.1 prior to version 5.1 update u3b
VMware vCenter Server 5.0 prior to version 5.u update u3e
3. Problem Description:
a. VMware ESXi OpenSLP Remote Code Execution:
VMware ESXi contains a double free flaw in OpenSLP's SLPDProcessMessage() function. Exploitation of this issue may allow an unauthenticated attacker to execute code remotely on the ESXi host...
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2015-5177 to this issue...
b. VMware vCenter Server JMX RMI Remote Code Execution:
VMware vCenter Server contains a remotely accessible JMX RMI service that is not securely configured. An unauthenticated remote attacker that is able to connect to the service may be able to use it to execute arbitrary code on the vCenter server...
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2015-2342 to this issue...
c. VMware vCenter Server vpxd denial-of-service vulnerability
VMware vCenter Server does not properly sanitize long heartbeat messages. Exploitation of this issue may allow an unauthenticated attacker to create a denial-of-service condition in the vpxd service...
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2015-1047 to this issue...
4. Solution:
Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.
vCenter Server - Downloads and Documentation:
- https://www.vmware.c...ownload-vsphere
ESXi - Downloads:
- https://www.vmware.c...indPatch.portal
Documentation:
- http://kb.vmware.com/kb/2110247
- http://kb.vmware.com/kb/2114875
- http://kb.vmware.com/kb/2120209
5. References:
- http://cve.mitre.org...e=CVE-2015-5177
- http://cve.mitre.org...e=CVE-2015-2342
- http://cve.mitre.org...e=CVE-2015-1047
___

- http://www.securityt....com/id/1033719
CVE Reference: CVE-2015-5177
Oct 1 2015
Impact: Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): ESXi 5.0, 5.1, 5...
Solution:   The vendor has issued a fix.
5.5: ESXi550-201509101
5.1: ESXi510-201510101
5.0: ESXi500-201510101 ...

- http://www.securityt....com/id/1033720
CVE Reference: CVE-2015-1047, CVE-2015-2342
Updated: Oct 2 2015
Impact: Denial of service via network, Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 5.0 prior to 5.u update u3e, 5.1 prior to 5.1 update u3b, 5.5 prior to 5.5 update 3, 6.0 prior to 6.0 update 1 ...
Solution: The vendor has issued a fix (5.0u3e, 5.1u3b, 5.5u3)...
 

:ph34r: :ph34r:


Edited by AplusWebMaster, 21 October 2015 - 08:13 PM.



#130 AplusWebMaster


Posted 19 November 2015 - 04:16 PM

FYI...

VMSA-2015-0008 - VMware product updates address information disclosure issue
- https://www.vmware.c...-2015-0008.html
2015-11-18
Synopsis: VMware product updates address information disclosure issue.
CVE numbers: https://web.nvd.nist...d=CVE-2015-3269
Summary: VMware product updates address information disclosure issue.
Relevant Releases:
VMware vCenter Server 5.5 prior to version 5.5 update 3
VMware vCenter Server 5.1 prior to version 5.1 update u3b
VMware vCenter Server 5.0 prior to version 5.0 update u3e
vCloud Director 5.6 prior to version 5.6.4
vCloud Director 5.5 prior to version 5.5.3
VMware Horizon View 6.0 prior to version 6.1
VMware Horizon View 5.0 prior to version 5.3.4
Problem Description:
vCenter Server, vCloud Director, Horizon View information disclosure issue
VMware products that use Flex BlazeDS may be affected by a flaw in the processing of XML External Entity (XXE) requests. A specially crafted XML request sent to the server could lead to unintended information being disclosed...
vCenter Server Downloads and Documentation:
- https://www.vmware.c...ownload-vsphere
vCloud Director For Service Providers Downloads and Documentation:
- https://www.vmware.c...s/vcd_pubs.html
Horizon View 6.1, 5.3.4: Downloads:
- https://my.vmware.co...A&productId=492
- https://my.vmware.co...R&productId=396
___

VMware Tools 10.0.0 Released
- https://blogs.vmware...0-released.html
Sep 10, 2015
 

:ph34r: :ph34r:


Edited by AplusWebMaster, 03 December 2015 - 10:23 AM.



#131 AplusWebMaster


Posted 19 December 2015 - 06:33 AM

FYI...

VMSA-2015-0009 - VMware product updates address a critical deserialization vuln
- https://www.vmware.c...-2015-0009.html
2015-12-18
1. Summary: VMware product updates address a critical deserialization vulnerability
2. Relevant Releases:
vRealize Orchestrator 6.x
vCenter Orchestrator 5.x
3. Problem Description: Deserialization vulnerability
A deserialization vulnerability involving Apache Commons-collections and a specially constructed chain of classes exists. Successful exploitation could result in remote code execution, with the permissions of the application using the Commons-collections library. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2015-6934 to this issue...
4. Solution: Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.
vRealize Orchestrator 6.x and vCenter Orchestrator 5.x
Downloads and Documentation:
- http://kb.vmware.com/kb/2141244
5. References:
- http://cve.mitre.org...e=CVE-2015-6934
6. Change log:
2015-12-18 VMSA-2015-0009 Initial security advisory in conjunction with the release of vRealize Orchestrator 6.x and vCenter Orchestrator 5.x patches on 2015-12-18...
 

:ph34r:




#132 AplusWebMaster


Posted 08 January 2016 - 04:50 AM

FYI...

VMSA-2016-0001 - VMware ESXi, Fusion, Player, and Workstation updates
- https://www.vmware.c...-2016-0001.html
2016-01-07
Summary: VMware ESXi, Fusion, Player, and Workstation updates address important guest privilege escalation vulnerability
Relevant Releases:
VMware ESXi 6.0 without patch ESXi600-201512102-SG
VMware ESXi 5.5 without patch ESXi550-201512102-SG
VMware ESXi 5.1 without patch ESXi510-201510102-SG
VMware ESXi 5.0 without patch ESXi500-201510102-SG
VMware Workstation prior to 11.1.2
VMware Player prior to 7.1.2
VMware Fusion prior to 7.1.2
Problem Description: Important Windows-based guest privilege escalation in VMware Tools:
A kernel memory corruption vulnerability is present in the VMware Tools "Shared Folders" (HGFS) feature running on Microsoft Windows. Successful exploitation of this issue could lead to an escalation of privilege in the guest operating system...
Workarounds:
Removing the "Shared Folders" (HGFS) feature from previously installed VMware Tools will remove the possibility of exploitation...
Solution: Please review the patch/release notes for your product and version and verify the checksum of your downloaded file...
Downloads: https://www.vmware.c...indPatch.portal
Documentation: http://kb.vmware.com/kb/2135123...
___

- http://www.securityt....com/id/1034603
CVE Reference: CVE-2015-6933
Jan 7 2016
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 5.0, 5.1, 5.5, 6.0 ...
Impact: A local user on the guest system can gain elevated privileges on the guest system.
Solution: The vendor has issued a fix...

- http://www.securityt....com/id/1034604
CVE Reference: CVE-2015-6933
Jan 7 2016
Impact: A local user on the guest system can gain elevated privileges on the guest system.
Solution: The vendor has issued a fix (Workstation 11.1.2, Player 7.1.2, Fusion 7.1.2).
VMware Tools must always be updated on affected guests...
 

:ph34r:




#133 AplusWebMaster


Posted 13 February 2016 - 06:55 AM

FYI...

VMSA-2015-0007.3 - VMware vCenter and ESXi updates address critical security issues
- https://www.vmware.c...-2015-0007.html
Updated on: 2016-02-12
CVE numbers: CVE-2015-5177 CVE-2015-2342 CVE-2015-1047
Summary: VMware vCenter and ESXi updates address -critical- security issues...
NOTE: See section 3.b for a critical update on an incomplete fix for the JMX RMI issue.  
Relevant Releases:
VMware ESXi 5.5 without patch ESXi550-201509101-SG
VMware ESXi 5.1 without patch ESXi510-201510101-SG
VMware ESXi 5.0 without patch ESXi500-201510101-SG
VMware vCenter Server 6.0 prior to version 6.0.0b
VMware vCenter Server 5.5 prior to version 5.5 update 3
VMware vCenter Server 5.1 prior to version 5.1 update u3b
VMware vCenter Server 5.0 prior to version 5.0 update u3e
Problem Description:
a. VMware ESXi OpenSLP Remote Code Execution...
b. VMware vCenter Server JMX RMI Remote Code Execution
VMware vCenter Server contains a remotely accessible JMX RMI service that is not securely configured. An unauthenticated remote attacker who is able to connect to the service may be able to use it to execute arbitrary code on the vCenter Server. A local attacker may be able to elevate their privileges on vCenter Server.
vCenter Server Appliance (vCSA) 5.1, 5.5 and 6.0 has remote access to the JMX RMI service (port 9875) blocked by default.
CRITICAL UPDATE:
VMSA-2015-0007.2 and earlier versions of this advisory documented that CVE-2015-2342 was addressed in vCenter Server 5.0 U3e, 5.1 U3b, and 5.5 U3. Subsequently, it was found that the fix for CVE-2015-2342 in vCenter Server 5.0 U3e, 5.1 U3b, and 5.5 U3/U3a/U3b running on Windows was incomplete and did not address the issue.
In order to address the issue on these versions of vCenter Server Windows, an additional patch must be installed. This additional patch is available from VMware Knowledge Base (KB) article 2144428* ...
* http://kb.vmware.com/kb/2144428
(More detail at the VMware URL at the top of this post.)
___

- https://isc.sans.edu...l?storyid=20727
2016-02-13
 

:ph34r: :ph34r:




#134 AplusWebMaster


Posted 22 February 2016 - 12:15 PM

FYI...

VMSA-2016-0002 - VMware product updates address a critical glibc security vuln
- https://www.vmware.c...-2016-0002.html
2016-02-22
Summary: VMware product updates address a critical glibc security vulnerability
Relevant Releases: (Affected products that have remediation available)
ESXi 5.5 without patch ESXi550-201602401-SG
VMware virtual appliances
Problem Description:
    a. glibc update for multiple products.
The glibc library has been updated in multiple products to resolve a stack buffer overflow present in the glibc getaddrinfo function.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2015-7547.
VMware products have been grouped into the following four categories:
I) ESXi and ESX Hypervisor:
      Versions of ESXi and ESX prior to 5.5 are not affected because
      they do not ship with a vulnerable version of glibc.
      ESXi 5.5 and ESXi 6.0 ship with a vulnerable version of glibc and
      are affected.
      See table 1 for remediation for ESXi 5.5 and ESXi 6.0.
II) Windows-based products:
      Windows-based products, including all versions of vCenter Server
      running on Windows, are not affected.
III) VMware virtual appliances:
      VMware virtual appliances ship with a vulnerable version of glibc
      and are affected.
      See table 2 for remediation for appliances.
IV) Products that run on Linux:
      VMware products that run on Linux (excluding virtual appliances)
      might use a vulnerable version of glibc as part of the base operating
      system. If the operating system has a vulnerable version of glibc,
      VMware recommends that customers contact their operating system
      vendor for resolution.
WORKAROUND:
      Workarounds are available for several virtual appliances. These are
      documented in VMware KB article 2144032:
- https://kb.vmware.co...ernalId=2144032
RECOMMENDATIONS:
      VMware recommends customers evaluate and deploy patches for affected products in Table 1 and 2 below as these patches become available. In case patches are not available, customers are advised to deploy the workaround...
Solution:
   ESXi Downloads:
  https://www.vmware.c...indPatch.portal
  Documentation:
  http://kb.vmware.com/kb/2144357 
  VMware virtual appliances
  -------------------------------------
  Refer to VMware KB article 2144032
References
   VMware Knowledge Base article 2144032
   http://kb.vmware.com/kb/2144032
Change Log
   2016-02-22 VMSA-2016-0002
   Initial security advisory in conjunction with the release of ESXi 5.5
   patches and patches for virtual appliances as documented in VMware
   Knowledge Base article 2144032 on 2016-02-22.
> https://kb.vmware.co...ernalId=2144032
___

- https://www.us-cert....c-Vulnerability
Feb 17, 2016

 

> https://web.nvd.nist...d=CVE-2015-7547 8.1 High
Last revised: 02/19/2016
 



Edited by AplusWebMaster, 23 February 2016 - 07:37 AM.



#135 AplusWebMaster

Posted 16 March 2016 - 09:01 AM

FYI...

VMSA-2016-0003: VMware vRealize Automation and vRealize Business Advanced and Enterprise address Cross-Site Scripting (XSS) issues
- https://www.vmware.c...-2016-0003.html
2016-03-15
CVE numbers: CVE-2015-2344, CVE-2016-2075
Summary: VMware vRealize Automation and vRealize Business Advanced and Enterprise address Cross-Site Scripting (XSS) issues.
Relevant Releases: VMware vRealize Automation 6.x prior to 6.2.4
VMware vRealize Business Advanced and Enterprise 8.x prior to 8.2.5
Problem Description: ... VMware vRealize Automation contains a vulnerability that may allow for a Stored Cross-Site Scripting (XSS) attack. Exploitation of this issue may lead to the compromise of a vRA user's client workstation...
Solution: Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.
VMware vRealize Automation 6.2.4
Downloads and Documentation:
- https://my.vmware.co..._automation/6_2
VMware vRealize Business Advanced and Enterprise 8.2.5
Downloads and Documentation:
- https://my.vmware.co...ze_business/8_2
___

- http://www.securityt....com/id/1035270
CVE Reference: CVE-2015-2344, CVE-2016-2075
Mar 15 2016
Fix Available:  Yes  Vendor Confirmed:  Yes
Impact: A remote user can access the target user's cookies (including authentication cookies), if any, associated with the target user's client workstation, access data recently submitted by the target user via web form to the system, or take actions on the system acting as the target user.
Solution: The vendor has issued a fix (vRealize Automation 6.2.4 for Linux; vRealize Business Advanced and Enterprise 8.2.5 for Linux)...
___

- https://www.us-cert....urity-Updates-0
March 16, 2016
 



Edited by AplusWebMaster, 16 March 2016 - 02:44 PM.

