| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1479844207261.32723@vmware.com>
Date: Tue, 22 Nov 2016 19:50:07 +0000
From: VMware Security Response Center <security@...are.com>
To: VMware Security Response Center <security@...are.com>
Subject: [FD] NEW VMSA-2016-0022 VMware product updates address information
disclosure vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ---------------------------------------------------------------------------
- ---
VMware Security Advisory
Advisory ID: VMSA-2016-0022
Severity: Important
Synopsis: VMware product updates address information disclosure
vulnerabilities
Issue date: 2016-11-22
Updated on: 2016-11-22 (Initial Advisory)
CVE number: CVE-2016-7458, CVE-2016-7459, CVE-2016-7460
1. Summary
VMware vCenter Server, vSphere Client, and vRealize Automation updates
address information disclosure vulnerabilities.
2. Relevant Products
VMware vCenter Server
VMware vSphere Client
vRealize Automation
3. Problem Description
a. vSphere Client XML External Entity vulnerability
The vSphere Client contains an XML External Entity (XXE) vulnerability.
This issue can lead to information disclosure if a vSphere Client
user is tricked into connecting to a malicious instance of vCenter
Server or ESXi.
There are no known workarounds for this issue.
VMware would like to thank Vladimir Ivanov, Andrey Evlanin, Mikhail
Stepankin, Artem Kondratenko, Arseniy Sharoglazov of Positive
Technologies for reporting this issue to us.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the identifier CVE-2016-7458 to this issue.
Column 5 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/ Mitigation
Product Version on Severity Apply Patch * Workaround
============== ======= ======= ========= ============= ==========
vSphere Client 6.0 Windows Important 6.0 U2a None
vSphere Client 5.5 Windows Important 5.5 U3e None
* In order to remediate the vulnerability, the vSphere Client will
need to be uninstalled and re-installed. A fixed version of vSphere
Client can be obtained from:
- vCenter Server 6.0 U2a
- vCenter Server 5.5 U3e
- VMware Knowledge Base article 2089791
The build numbers of the fixed client versions may be found in
VMware Knowledge Base article 2089791.
b. vCenter Server XML External Entity vulnerability
vCenter Server contains an XML External Entity (XXE) vulnerability in
the Log Browser, the Distributed Switch setup, and the Content
Library. A specially crafted XML request issued to the server may
lead to unintended information disclosure.
There are no known workarounds for this issue.
VMware would like to thank Vladimir Ivanov, Andrey Evlanin, Mikhail
Stepankin, Artem Kondratenko, Arseniy Sharoglazov of Positive
Technologies, and Lukasz Plonka for independently for reporting this
issue to us.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the identifier CVE-2016-7459 to this issue.
Column 5 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/ Mitigation
Product Version on Severity Apply Patch Workaround
============== ======= ======= ========= ============= ==========
vCenter Server 6.5 Any N/A Not affected N/A
vCenter Server 6.0 Any Important 6.0 U2a None
vCenter Server 5.5 Any Important 5.5 U3e None
c. vCenter Server and vRealize Automation XML External Entity
vulnerability
vCenter Server and vRealize Automation contain an XML External
Entity (XXE) vulnerability in the Single Sign-On functionality. A
specially crafted XML request issued to the server may lead to a
Denial of Service or to unintended information disclosure.
There are no known workarounds for this issue.
VMware would like to thank Vladimir Ivanov, Andrey Evlanin, Mikhail
Stepankin, Artem Kondratenko, Arseniy Sharoglazov of Positive
Technologies for reporting this issue to us.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the identifier CVE-2016-7460 to this issue.
Column 5 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/ Mitigation
Product Version on Severity Apply Patch Workaround
============== ======= ======= ========= ============= ==========
vCenter Server 6.5 Any N/A Not affected N/A
vCenter Server 6.0 Any Important 6.0 U2a None
vCenter Server 5.5 Any Important 5.5 U3e None
vRealize 7.x VA N/A Not affected N/A
Automation
vRealize 6.x VA Important 6.2.5 None
Automation
4. Solution
Please review the patch/release notes for your product and version and
verify the checksum of your downloaded file.
vCenter Server
Downloads and Documentation:
https://www.vmware.com/go/download-vsphere
vRealize Automation
Downloads and Documentation:
https://my.vmware.com/web/vmware/info/slug/infrastructure_operations_manage
ment/vmware_vrealize_automation/6_2
5. References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7458
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7459
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7460
VMware Knowledge Base article 2089791
https://kb.vmware.com/kb/2089791
- ------------------------------------------------------------------------
6. Change log
2016-11-22
VMSA-2016-0022 Initial security advisory in conjunction with the
release of vSphere 6.0 U2a on 2016-11-22.
- ------------------------------------------------------------------------
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
security-announce at lists.vmware.com
bugtraq at securityfocus.com
fulldisclosure at seclists.org
E-mail: security at vmware.com
PGP key at: https://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
Twitter
https://twitter.com/VMwareSRC
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8
wj8DBQFYNJihDEcm8Vbi9kMRApi1AJ9bAlKpivhmBgsT+XgLvW2LDhfJgQCg1X4i
Rqc+ck+V8jSvbcFO5OuddJg=
=2J1L
-----END PGP SIGNATURE-----
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists