[Security-announce] UPDATE : VMSA-2015-0008.1 - VMware product updates address information disclosure issue

VMware Security Announcements security-announce at lists.vmware.com
Fri Dec 18 14:45:00 PST 2015

                   VMware Security Advisory

Advisory ID: VMSA-2015-0008.1
Synopsis:    VMware product updates address information disclosure

Issue date:  2015-11-18
Updated on:  2015-12-18
CVE number:  CVE-2015-3269 CVE-2015-5255

1. Summary

  VMware product updates address information disclosure issue.

2. Relevant Releases

  VMware vCenter Server 5.5 prior to version 5.5 update 3
  VMware vCenter Server 5.1 prior to version 5.1 update u3b
  VMware vCenter Server 5.0 prior to version 5.0 update u3e

  vCloud Director 5.6 prior to version 5.6.4
  vCloud Director 5.5 prior to version 5.5.3

  VMware Horizon View 6.0 prior to version 6.1
  VMware Horizon View 5.0 prior to version 5.3.4

3. Problem Description

   a. vCenter Server, vCloud Director, Horizon View information
      disclosure issue.

     VMware products that use Flex BlazeDS may be affected by a flaw in
     the processing of XML External Entity (XXE) requests. A specially
     crafted XML request sent to the server could lead to unintended
     information be disclosed.

     VMware would like to thank Matthias Kaiser of Code White GmbH for
     reporting this issue to us.

     The Common Vulnerabilities and Exposures project (cve.mitre.org)
     has assigned the identifier CVE-2015-3269 to this issue.

     The product updates listed in the table below have also been
     determined to address a XML External Entity (XXE) Processing and
     Server Side Request Forgery vulnerability in Flex BlazeDS.

     VMware would like to thank James Kettle of PortSwigger Web Security
     for reporting these issues to us.

     The Common Vulnerabilities and Exposures project (cve.mitre.org)
     has assigned the identifier CVE-2015-5255 to these issues.

     Column 4 of the following table lists the action required to
     remediate the vulnerability in each release, if a solution is

        VMware          Product	  Running   Replace with/
        Product         Version	  on        Apply Patch
        =============	=======	  =======   =================
        vCenter Server    6.0      any      not affected
        vCenter Server    5.5      any      5.5 update 3
        vCenter Server    5.1      any      5.1 update u3b
        vCenter Server    5.0      any      5.5 update u3e

        vCloud Director   5.6      any      5.6.4
        vCloud Director   5.5      any      5.5.3

        Horizon View      6.0      any      6.1
        Horizon View      5.3      any      5.3.4

4. Solution

   Please review the patch/release notes for your product and version
   and verify the checksum of your downloaded file.

   vCenter Server
   Downloads and Documentation:

   vCloud Director For Service Providers
   Downloads and Documentation:

   Horizon View 6.1, 5.3.4:

5. References



6. Change log

   2015-11-18 VMSA-2015-0008
   Initial security advisory

   2015-12-18 VMSA-2015-0008.1
   Updated advisory to note these updates also address CVE-2015-5255


7. Contact

   E-mail list for product security notifications and announcements:

   This Security Advisory is posted to the following lists:

    security-announce at lists.vmware.com
    bugtraq at securityfocus.com
    fulldisclosure at seclists.org

   E-mail: security at vmware.com
   PGP key at: http://kb.vmware.com/kb/1055

   VMware Security Advisories

   Consolidated list of VMware Security Advisories

   VMware Security Response Policy

   VMware Lifecycle Support Phases


   Copyright 2015 VMware Inc.  All rights reserved.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 204 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <https://lists.vmware.com/pipermail/security-announce/attachments/20151218/5b9c0124/attachment.sig>

More information about the Security-announce mailing list