[Security-announce] UPDATED VMSA-2015-0009.4 VMware product updates address a critical deserialization vulnerability

VMware Security Announcements security-announce at lists.vmware.com
Tue Aug 23 12:12:32 PDT 2016


------------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID: VMSA-2015-0009.4
Synopsis:    VMware product updates address a critical deserialization
             vulnerability
Issue date:  2015-12-18
Updated on:  2016-08-23
CVE number:  CVE-2015-6934

------------------------------------------------------------------------

1. Summary

   VMware product updates address a critical deserialization
   vulnerability

2. Relevant Releases

   vRealize Orchestrator 6.x
   vCenter Orchestrator 5.x
   vRealize Operations 6.x
   vRealize Infrastructure Navigator 5.8.x

3. Problem Description

   3.a  Commons-collections deserialization vulnerability

   A deserialization vulnerability involving Apache Commons-collections
   and a specially constructed chain of classes exists. Successful
   exploitation could result in remote code execution, with the
   permissions of the application using the Commons-collections library.
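   The generic mitigation for this class of bug, shown here as an added
   example that is not part of this advisory or of VMware's own code: a
   Java ObjectInputStream that rejects Commons-collections class
   descriptors and allowlists only the expected types, before any object
   from the stream is instantiated. The allowlist and the sample payloads
   are assumed for illustration.

```java
import java.io.*;
import java.util.*;

// Look-ahead deserialization: every class descriptor in the stream passes through
// resolveClass() before an instance is created, so a gadget class is rejected
// before its readObject() or transformer code can run.
public class SafeObjectInputStream extends ObjectInputStream {
    // Allowlist of the types this endpoint legitimately expects (assumed for the example).
    // Serializable superclass descriptors (Number for Integer) are resolved too, so list them.
    private static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
        "java.util.HashMap", "java.lang.Integer", "java.lang.Number"));

    public SafeObjectInputStream(InputStream in) throws IOException { super(in); }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        // Reject the gadget library outright, then apply the allowlist to everything else.
        if (name.startsWith("org.apache.commons.collections")) {
            throw new InvalidClassException(name, "Commons-collections classes are never deserialized here");
        }
        if (!ALLOWED.contains(name)) {
            throw new InvalidClassException(name, "class is not on the deserialization allowlist");
        }
        return super.resolveClass(desc);
    }

    // Helper for the demo: serialize an object with the standard ObjectOutputStream.
    private static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs: an expected HashMap and an unexpected ArrayList.
        HashMap<String, Integer> expected = new HashMap<>();
        expected.put("retries", 3);
        try (ObjectInputStream in = new SafeObjectInputStream(new ByteArrayInputStream(serialize(expected)))) {
            System.out.println("accepted: " + in.readObject());
        }
        try (ObjectInputStream in = new SafeObjectInputStream(new ByteArrayInputStream(serialize(new ArrayList<>())))) {
            in.readObject();
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

   The same check belongs at every ObjectInputStream that reads data an
   attacker can influence; the library-name test alone is not enough,
   which is why the allowlist is applied to every other class as well.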

   VMware would like to thank Jacob Baines of Tenable Network Security
   for reporting that the vRealize Operations appliance is affected.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the identifier CVE-2015-6934 to this issue.

   Column 4 of the following table lists the action required to
   remediate the vulnerability in each release, if a solution is
   available.

   VMware                       Product   Running   Replace with/
   Product                      Version   on        Apply Patch
   =====================        =======   =======   =================
   vRealize Orchestrator        7.0       Any       Not Affected
   vRealize Orchestrator        6.x       Any       See KB2141244
   vCenter Orchestrator         5.x       Any       See KB2141244

   vRealize Operations          6.x       Any       6.2
   vCenter Operations           5.x       Any       Not Affected

   vCenter Application          7.x       Any       No patch planned *
   Discovery Manager (vADM)

   vRealize Infrastructure      5.8.x     Linux     5.8.5
   Navigator

   * Exploitation of the issue on vCenter Application Discovery
     Manager is limited to local privilege escalation.

4. Solution

   Please review the patch/release notes for your product and
   version and verify the checksum of your downloaded file.

   vRealize Orchestrator 6.x and
   vCenter Orchestrator 5.x
   Downloads and Documentation:
   http://kb.vmware.com/kb/2141244

   vRealize Operations 6.x
   Release Notes
   http://pubs.vmware.com/Release_Notes/en/vrops/62/vrops-62-release-notes.html

   vRealize Infrastructure Navigator 5.8.5
   Release Notes
   http://pubs.vmware.com/Release_Notes/en/vin/585/releasenotes-vin585.html


5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6934

------------------------------------------------------------------------

6. Change log

   2015-12-18 VMSA-2015-0009
   Initial security advisory in conjunction with the release of vRealize
   Orchestrator 6.x and vCenter Orchestrator 5.x patches on 2015-12-18.

   2016-01-29 VMSA-2015-0009.1
   Updated security advisory in conjunction with the release of vRealize
   Operations 6.2 on 2016-01-28. Added a note below the table in
   section 3.a that exploitation of this issue in vCenter Application
   Discovery Manager is limited to local privilege escalation.

   2016-03-15 VMSA-2015-0009.2
   Updated security advisory to reflect the release of vRealize
   Infrastructure Navigator 5.8.5, which addresses CVE-2015-6934.

   2016-06-14 VMSA-2015-0009.3
   Updated security advisory to reflect that vCenter Operations 5.x is
   not affected (earlier versions of this advisory said “Patch
   Pending”). Added that no patch is planned for vCenter Application
   Discovery Manager.

   2016-08-23 VMSA-2015-0009.4
   Updated security advisory to reflect that the appliance version of
   vRealize Operations 6.x is affected (earlier versions of this advisory
   said “Not affected”). Added acknowledgement for reporter that alerted
   VMware to this.

------------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

    security-announce at lists.vmware.com
    bugtraq at securityfocus.com
    fulldisclosure at seclists.org

   E-mail: security at vmware.com
   PGP key at: http://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   Consolidated list of VMware Security Advisories
   http://kb.vmware.com/kb/2078735

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html

   Twitter
   https://twitter.com/VMwareSRC

   Copyright 2015 VMware Inc.  All rights reserved.
