Message-ID: <32D937FA-1CC4-4991-A91E-FCEEAA0F8C48@vmware.com>
Date: Thu, 19 Nov 2015 02:19:34 +0000
From: VMware Security Response Center <security@...are.com>
To: VMware Security Response Center <security@...are.com>
Subject: NEW VMSA-2015-0008 - VMware product updates address information
 disclosure issue

------------------------------------------------------------------------
                  VMware Security Advisory

Advisory ID: VMSA-2015-0008
Synopsis:    VMware product updates address information disclosure
            issue

Issue date:  2015-11-18
Updated on:  2015-11-18
CVE number:  CVE-2015-3269
------------------------------------------------------------------------

1. Summary

 VMware product updates address information disclosure issue.


2. Relevant Releases

 VMware vCenter Server 5.5 prior to version 5.5 update 3
 VMware vCenter Server 5.1 prior to version 5.1 update u3b
 VMware vCenter Server 5.0 prior to version 5.0 update u3e

 vCloud Director 5.6 prior to version 5.6.4
 vCloud Director 5.5 prior to version 5.5.3

 VMware Horizon View 6.0 prior to version 6.1
 VMware Horizon View 5.0 prior to version 5.3.4



3. Problem Description

  a. vCenter Server, vCloud Director, Horizon View information
     disclosure issue.

    VMware products that use Flex BlazeDS may be affected by a flaw in
    the processing of XML External Entity (XXE) requests. A specially
    crafted XML request sent to the server could lead to unintended
    information being disclosed.

    VMware would like to thank Matthias Kaiser of Code White GmbH for
    reporting this issue to us.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the identifier CVE-2015-3269 to this issue.

    Column 4 of the following table lists the action required to
    remediate the vulnerability in each release, if a solution is
    available.

       VMware            Product  Running  Replace with/
       Product           Version  on       Apply Patch
       ===============   =======  =======  =================
       vCenter Server    6.0      any      not affected
       vCenter Server    5.5      any      5.5 update 3
       vCenter Server    5.1      any      5.1 update u3b
       vCenter Server    5.0      any      5.5 update u3e

       vCloud Director   5.6      any      5.6.4
       vCloud Director   5.5      any      5.5.3

       Horizon View      6.0      any      6.1
       Horizon View      5.3      any      5.3.4


4. Solution

  Please review the patch/release notes for your product and version
  and verify the checksum of your downloaded file.


  vCenter Server
  --------------------------------
  Downloads and Documentation:
  https://www.vmware.com/go/download-vsphere

  vCloud Director For Service Providers
  --------------------------------
  Downloads and Documentation:
  https://www.vmware.com/support/pubs/vcd_pubs.html

  Horizon View 6.1, 5.3.4:
  --------------------------------
  Downloads:
  https://my.vmware.com/web/vmware/details?downloadGroup=VIEW-610-GA&productId=492
  https://my.vmware.com/web/vmware/details?downloadGroup=VIEW-534-PREMIER&productId=396


5. References

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3269

------------------------------------------------------------------------

6. Change log

  2015-11-18 VMSA-2015-0008
  Initial security advisory

------------------------------------------------------------------------

7. Contact

  E-mail list for product security notifications and announcements:
  http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

  This Security Advisory is posted to the following lists:

   security-announce at lists.vmware.com
   bugtraq at securityfocus.com
   fulldisclosure at seclists.org

  E-mail: security at vmware.com
  PGP key at: http://kb.vmware.com/kb/1055

  VMware Security Advisories
  http://www.vmware.com/security/advisories

  Consolidated list of VMware Security Advisories
  http://kb.vmware.com/kb/2078735

  VMware Security Response Policy
  https://www.vmware.com/support/policies/security_response.html

  VMware Lifecycle Support Phases
  https://www.vmware.com/support/policies/lifecycle.html

  Twitter
  https://twitter.com/VMwareSRC

  Copyright 2015 VMware Inc.  All rights reserved.
