lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 14 Apr 2016 19:39:20 +0000
From: VMware Security Response Center <>
To: "" <>,
  "" <>
CC: VMware Security Response Center <>
Subject: NEW VMSA-2016-0004 VMware product updates address a critical security
 issue in the VMware Client Integration Plugin

Hash: SHA1

- ------------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID: VMSA-2016-0004
Synopsis:    VMware product updates address a critical security issue in
             the VMware Client Integration Plugin
Issue date:  2016-04-14
Updated on:  2016-04-14 (Initial Advisory)
CVE number:  CVE-2016-2076
1. Summary

   VMware vCenter Server, vCloud Director (vCD), vRealize Automation
   (vRA) Identity Appliance, and the Client Integration Plugin (CIP)
   updates address a critical security issue.

2. Relevant Releases

   vCenter Server 6.0
   vCenter Server 5.5 U3a, U3b, U3c
   vCloud Director 5.5.5
   vRealize Automation Identity Appliance 6.2.4

3. Problem Description

   a. Critical VMware Client Integration Plugin incorrect session

   The VMware Client Integration Plugin does not handle session content
   in a safe way. This may allow for a Man in the Middle attack or Web
   session hijacking in case the user of the vSphere Web Client visits
   a malicious Web site.

   The vulnerability is present in versions of CIP that shipped with:
   - vCenter Server 6.0 (any 6.0 version up to 6.0 U2)
   - vCenter Server 5.5 U3a, U3b, U3c
   - vCloud Director 5.5.5
   - vRealize Automation Identity Appliance 6.2.4

   In order to remediate the issue, both the server side (i.e. vCenter
   Server, vCloud Director, and vRealize Automation Identity Appliance)
   and the client side (i.e. CIP of the vSphere Web Client) will need
   to be updated.

   The steps to remediate the issue are as follows:
   A) Install an updated version of:
      - vCenter Server,
      - vCloud Director,
      - vRealize Automation Identity Appliance,
   B) Subsequently update the Client Integration Plugin on the system
      from which the vSphere Web Client is used.
      Updating the plugin on vSphere and vRA Identity Appliance is
      explained in VMware Knowledge Base article 2145066.
      Updating the plugin on vCloud Director is initiated by a prompt
      when connecting the vSphere Web Client to the updated version of
      vCloud Director.

   The Common Vulnerabilities and Exposures project ( has
   assigned the identifier CVE-2016-2076 to this issue.

   Column 4 of the following table lists the action required to
   remediate the vulnerability in each release, if a solution is

   VMware                  Product        Running   Replace with/
   Product                 Version        on        Apply Patch
   ======================  =============  =======   =============
   vCenter Server          6.0            any       6.0 U2 *
   vCenter Server          5.5 U3a - U3c  any       5.5 U3d *
   vCenter Server          5.1            any       not affected
   vCenter Server          5.0            any       not affected 

   vCloud Director         8.0.x          Windows   not affected **
   vCloud Director         5.6.x          Windows   not affected
   vCloud Director         5.5.5          Windows   5.5.6 *

   vRA Identity Appliance  7.x            Linux     not affected
   vRA Identity Appliance  6.2.4          Linux *

   Client Integration      see text       Windows,  see item B above
   Plugin                  above          Mac OS
   * After installing the updated version, the Client Integration Plugin
     will need to be updated on all systems from which the vSphere Web
     Client is used to connect to vCenter Server, vCloud Director and
     vRealize Automation Identity Manager.

  ** vCloud Director 8.0.0 did not ship with a vulnerable CIP version,
      and vCloud Director 8.0.1 shipped with the updated version of the

4. Solution

   Please review the patch/release notes for your product and
   version and verify the checksum of your downloaded file.

   vCenter Server
   Downloads and Documentation:

   vCloud Director
   Downloads and Documentation:

   VMware vRealize Automation
   Downloads and Documentation:
   (select "Go to Downloads" and scroll down to "Security Update")
- -notes.html

5. References

   VMware Knowledge Base article 2145066

- ------------------------------------------------------------------------

6. Change log

   2016-04-14 VMSA-2016-0004
   Initial security advisory in conjunction with the release of VMware
   vSphere 5.5 U3d and vCloud Director 5.5.6 on 2016-04-14.

- ------------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:

   This Security Advisory is posted to the following lists:

    security-announce at
    bugtraq at
    fulldisclosure at

   E-mail: security at
   PGP key at:

   VMware Security Advisories

   Consolidated list of VMware Security Advisories

   VMware Security Response Policy

   VMware Lifecycle Support Phases


   Copyright 2016 VMware Inc.  All rights reserved.

Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8


Powered by blists - more mailing lists