[Security-announce] New VMSA-2016-0007 VMware NSX and vCNS product updates address a critical information disclosure vulnerability

VMware Security Announcements security-announce at lists.vmware.com
Thu Jun 9 21:46:27 PDT 2016


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - ------------------------------------------------------------------------
Advisory ID: VMSA-2016-0007
Synopsis:    VMware NSX and vCNS product updates address a critical
information disclosure vulnerability

Issue date:  2016-06-09
Updated on:  2016-06-09 (Initial Advisory)
CVE number:  CVE-2016-2079

1. Summary

   VMware NSX and vCNS product updates address a critical information
   disclosure vulnerability.

2. Relevant Releases

   NSX 6.2 prior to 6.2.3
   NSX 6.1 prior to 6.1.7

   vCNS 5.5.4 prior to 5.5.4.3

3. Problem Description

   a. VMware NSX and vCNS critical information disclosure vulnerability

      VMware NSX and vCNS with SSL-VPN enabled contain a critical input
      validation vulnerability. This issue may allow a remote attacker
      to gain access to sensitive information.


   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the identifier CVE-2016-2079 to this issue.

   Column 4 of the following table lists the action required to
   remediate the vulnerability in each release, if a solution is
   available.

   VMware              Product       Running      Replace with/
   Product             Version         on          Apply Patch
   ============       ==========    ==========    =============
   NSX Edge             6.2           Any            6.2.3
   NSX Edge             6.1           Any            6.1.7
   vCNS Edge            5.5           Any            5.5.4.3


4. Solution

    Please review the patch/release notes for your product and version and
verify
the checksum of your downloaded file.

VMware NSX
    Downloads:
    https://www.vmware.com/go/download-nsx-vsphere

    Documentation:
    https://www.vmware.com/support/pubs/nsx_pubs.html

    vCNS
    Downloads:
    https://www.vmware.com/go/download-vcd-ns

    Documentation:
    https://www.vmware.com/support/pubs/vshield_pubs.html

5. References

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2079

- - - -
- - ------------------------------------------------------------------------

6. Change log

    2016-06-09 VMSA-2016-0007
    Initial security advisory in conjunction with the release of VMware
    NSX 6.2.3, 6.1.7 and vCNS 5.5.4.3 on 2016-06-09.

- - - -
- - ------------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

   security-announce at lists.vmware.com
   bugtraq at securityfocus.com
   fulldisclosure at seclists.org

   E-mail: security at vmware.com
   PGP key at: https://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   Consolidated list of VMware Security Advisories
   http://kb.vmware.com/kb/2078735

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html

   Twitter
   https://twitter.com/VMwareSRC

   Copyright 2016 VMware Inc.  All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.3.2 (Build 21165)
Charset: utf-8

wj8DBQFXWj8bDEcm8Vbi9kMRAstiAKC5ejIGTYxy1cyZICirCBe7ZZ0qHwCg3ohk
/WKIK9nNhceGenKdZBakL04=
=VsXF
-----END PGP SIGNATURE-----?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.vmware.com/pipermail/security-announce/attachments/20160610/8e798af8/attachment.html>


More information about the Security-announce mailing list