[Security-announce] Update VMSA-2016-0007.1 - VMware NSX and vCNS product updates address a critical information disclosure vulnerability

VMware Security Announcements security-announce at lists.vmware.com
Mon Aug 15 23:02:15 PDT 2016


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -----------------------------------------------------------------
Advisory ID: VMSA-2016-0007.1
Synopsis:    VMware NSX and vCNS product updates address a
             critical information disclosure vulnerability
Issue date:  2016-06-09
Updated on:  2016-08-15
CVE number:  CVE-2016-2079

1. Summary

   VMware NSX and vCNS product updates address a critical
   information disclosure vulnerability.

2. Relevant Releases

   NSX 6.2 prior to 6.2.3
   NSX 6.1 prior to 6.1.7
   vCNS 5.5.4 prior to 5.5.4.3

3. Problem Description

   a. VMware NSX and vCNS critical information disclosure vulnerability

   VMware NSX and vCNS with SSL-VPN enabled contain a critical
   input validation vulnerability. This issue may allow a remote
   attacker to gain access to sensitive information.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the identifier CVE-2016-2079 to this issue.

   Column 4 of the following table lists the action required to
   remediate the vulnerability in each release, if a solution is
   available.

   VMware              Product       Running      Replace with/
   Product             Version         on          Apply Patch
   ============       ==========    ==========    =============
   NSX Edge             6.2           Any            See note *
   NSX Edge             6.1           Any            6.1.7
   vCNS Edge            5.5           Any            5.5.4.3

* Note: NSX Edge 6.2.3 which addresses CVE-2016-2079 is no longer
  available for download. NSX Edge 6.2.x customers that use SSL-VPN are
  advised to contact VMware support to request immediate assistance. 
  To contact VMware support, see VMware Knowledge Base article 2006985
  or visit https://www.vmware.com/support/file-sr.html.


4. Solution

    Please review the patch/release notes for your product and version
    and verify the checksum of your downloaded file.

    VMware NSX
    Downloads:
    https://www.vmware.com/go/download-nsx-vsphere

    Documentation:
    https://www.vmware.com/support/pubs/nsx_pubs.html

    vCNS
    Downloads:
    https://www.vmware.com/go/download-vcd-ns

    Documentation:
    https://www.vmware.com/support/pubs/vshield_pubs.html

5. References

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2079

    VMware Knowledge Base article 2006985
    https://kb.vmware.com/kb/2006985


- ------------------------------------------------------------------------

6. Change log

    2016-06-09 VMSA-2016-0007
    Initial security advisory in conjunction with the release of VMware
    NSX 6.2.3, 6.1.7 and vCNS 5.5.4.3 on 2016-06-09.

    2016-08-15 VMSA-2016-0007.1
    Updated security advisory to reflect that NSX Edge 6.2.x customers
    that use SSL-VPN are advised to contact VMware support.

- ------------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

   security-announce at lists.vmware.com
   bugtraq at securityfocus.com
   fulldisclosure at seclists.org

   E-mail: security at vmware.com
   PGP key at: https://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   Consolidated list of VMware Security Advisories
   http://kb.vmware.com/kb/2078735

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html

   Twitter
   https://twitter.com/VMwareSRC

   Copyright 2016 VMware Inc.  All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8

wj8DBQFXspyeDEcm8Vbi9kMRAunjAJ9kyYyScR9UR8oKhxztYTHifIkNMgCgk+9y
aLMDmCSZyXuWJc35q1QIUGQ=
=n4ws
-----END PGP SIGNATURE-----

