[Security-announce] NEW VMSA-2016-0022 VMware product updates address information disclosure vulnerabilities

VMware Security Announcements security-announce at lists.vmware.com
Tue Nov 22 11:15:26 PST 2016

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ---------------------------------------------------------------------------
                        VMware Security Advisory

Advisory ID: VMSA-2016-0022
Severity:    Important
Synopsis:    VMware product updates address information disclosure
             vulnerabilities
Issue date:  2016-11-22
Updated on:  2016-11-22 (Initial Advisory)
CVE number:  CVE-2016-7458, CVE-2016-7459, CVE-2016-7460

1. Summary

   VMware vCenter Server, vSphere Client, and vRealize Automation updates
   address information disclosure vulnerabilities.

2. Relevant Products

   VMware vCenter Server
   VMware vSphere Client
   vRealize Automation

3. Problem Description

   a. vSphere Client XML External Entity vulnerability

   The vSphere Client contains an XML External Entity (XXE) vulnerability.
   This issue can lead to information disclosure if a vSphere Client
   user is tricked into connecting to a malicious instance of vCenter
   Server or ESXi.

   There are no known workarounds for this issue.

   VMware would like to thank Vladimir Ivanov, Andrey Evlanin, Mikhail
   Stepankin, Artem Kondratenko, Arseniy Sharoglazov of Positive
   Technologies for reporting this issue to us.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the identifier CVE-2016-7458 to this issue.

   Column 5 of the following table lists the action required to
   remediate the vulnerability in each release, if a solution is
   available.

   VMware          Product Running             Replace with/  Mitigation
   Product         Version on       Severity   Apply Patch *  Workaround
   ==============  ======= =======  =========  =============  ==========
   vSphere Client  6.0     Windows  Important  6.0 U2a        None
   vSphere Client  5.5     Windows  Important  5.5 U3e        None

   * In order to remediate the vulnerability, the vSphere Client will
     need to be uninstalled and re-installed. A fixed version of vSphere
     Client can be obtained from:
     - vCenter Server 6.0 U2a
     - vCenter Server 5.5 U3e
     - VMware Knowledge Base article 2089791
     The build numbers of the fixed client versions may be found in
     VMware Knowledge Base article 2089791.


   b. vCenter Server XML External Entity vulnerability

   vCenter Server contains an XML External Entity (XXE) vulnerability in
   the Log Browser, the Distributed Switch setup, and the Content
   Library. A specially crafted XML request issued to the server may
   lead to unintended information disclosure.

   There are no known workarounds for this issue.

   VMware would like to thank Vladimir Ivanov, Andrey Evlanin, Mikhail
   Stepankin, Artem Kondratenko, Arseniy Sharoglazov of Positive
   Technologies, and Lukasz Plonka, who reported this issue to us
   independently.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the identifier CVE-2016-7459 to this issue.

   Column 5 of the following table lists the action required to
   remediate the vulnerability in each release, if a solution is
   available.

   VMware          Product Running             Replace with/  Mitigation
   Product         Version on       Severity   Apply Patch    Workaround
   ==============  ======= =======  =========  =============  ==========
   vCenter Server  6.5     Any      N/A        Not affected   N/A
   vCenter Server  6.0     Any      Important  6.0 U2a        None
   vCenter Server  5.5     Any      Important  5.5 U3e        None

   c. vCenter Server and vRealize Automation XML External Entity
      vulnerability

   vCenter Server and vRealize Automation contain an XML External
   Entity (XXE) vulnerability in the Single Sign-On functionality. A
   specially crafted XML request issued to the server may lead to a
   Denial of Service or to unintended information disclosure.

   There are no known workarounds for this issue.

   VMware would like to thank Vladimir Ivanov, Andrey Evlanin, Mikhail
   Stepankin, Artem Kondratenko, Arseniy Sharoglazov of Positive
   Technologies for reporting this issue to us.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the identifier CVE-2016-7460 to this issue.

   Column 5 of the following table lists the action required to
   remediate the vulnerability in each release, if a solution is
   available.

   VMware          Product Running             Replace with/  Mitigation
   Product         Version on       Severity   Apply Patch    Workaround
   ==============  ======= =======  =========  =============  ==========
   vCenter Server  6.5     Any      N/A        Not affected   N/A
   vCenter Server  6.0     Any      Important  6.0 U2a        None
   vCenter Server  5.5     Any      Important  5.5 U3e        None

   vRealize        7.x     VA       N/A        Not affected   N/A
   Automation
   vRealize        6.x     VA       Important  6.2.5          None
   Automation
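
   All three issues above come down to an XML parser that honours entity
   declarations in the documents it receives. The block below is an added
   example, not VMware code and not a depiction of the affected products'
   internals: it puts a permissive expat configuration beside a hardened
   one, with a constructed temporary file standing in for server data.
   All names (parse_permissive, parse_hardened, UnsafeXMLError, demo) are
   hypothetical.

```python
import pathlib
import tempfile
import xml.parsers.expat as expat

class UnsafeXMLError(ValueError):
    """Raised when a document carries a DOCTYPE, which is where entity declarations live."""

def _collect(parser, data: bytes) -> dict:
    """Run an already-configured expat parser over a flat document; return {tag: text}."""
    out, buf = {}, []
    def end(name):
        out[name] = "".join(buf).strip()
        buf.clear()
    parser.CharacterDataHandler = buf.append
    parser.EndElementHandler = end
    parser.Parse(data, True)
    return out

def parse_permissive(data: bytes) -> dict:
    """Weak configuration: SYSTEM entities are followed, so the document picks the file read."""
    parser = expat.ParserCreate()
    def follow(context, base, system_id, public_id):
        with open(system_id, "rb") as f:  # fetches whatever the DOCTYPE names
            parser.ExternalEntityParserCreate(context).Parse(f.read(), True)
        return 1
    parser.ExternalEntityRefHandler = follow
    return _collect(parser, data)

def parse_hardened(data: bytes) -> dict:
    """Hardened configuration: refuse any DOCTYPE; no handler ever fetches an external entity."""
    parser = expat.ParserCreate()
    def reject(name, system_id, public_id, has_internal_subset):
        raise UnsafeXMLError(f"refusing document with DOCTYPE {name!r}")
    parser.StartDoctypeDeclHandler = reject
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    return _collect(parser, data)

def demo() -> tuple:
    """Constructed input: a temp file stands in for data the service must never expose."""
    with tempfile.TemporaryDirectory() as tmp:
        path = pathlib.Path(tmp, "constructed-secret.txt")
        path.write_text("constructed-secret-value")
        doc = (f'<!DOCTYPE request [<!ENTITY ext SYSTEM "{path}">]>'
               '<request><name>&ext;</name></request>').encode()
        leaked = parse_permissive(doc)["name"]
        try:
            parse_hardened(doc)
            rejected = False
        except UnsafeXMLError:
            rejected = True
    return leaked, rejected, parse_hardened(b"<request><name>ok</name></request>")["name"]
```

   The same split applies on the client side: a vSphere Client parsing a
   response from an untrusted server needs the hardened configuration too.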

4. Solution

   Please review the patch/release notes for your product and version and
   verify the checksum of your downloaded file.

   vCenter Server
   Downloads and Documentation:
   https://www.vmware.com/go/download-vsphere

   vRealize Automation
   Downloads and Documentation:

   https://my.vmware.com/web/vmware/info/slug/infrastructure_operations_management/vmware_vrealize_automation/6_2


5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7458
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7459
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7460

   VMware Knowledge Base article 2089791
   https://kb.vmware.com/kb/2089791

- ------------------------------------------------------------------------

6. Change log

   2016-11-22
   VMSA-2016-0022 Initial security advisory in conjunction with the
   release of vSphere 6.0 U2a on 2016-11-22.

- ------------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

    security-announce at lists.vmware.com
    bugtraq at securityfocus.com
    fulldisclosure at seclists.org

   E-mail: security at vmware.com
   PGP key at: https://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html

   Twitter
   https://twitter.com/VMwareSRC

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8

wj8DBQFYNJihDEcm8Vbi9kMRApi1AJ9bAlKpivhmBgsT+XgLvW2LDhfJgQCg1X4i
Rqc+ck+V8jSvbcFO5OuddJg=
=2J1L
-----END PGP SIGNATURE-----