[Security-announce] Update: VMSA-2017-0004.6 - VMware product updates resolve remote code execution vulnerability via Apache Struts 2

VMware Security Announcements security-announce at lists.vmware.com
Thu Mar 23 06:39:46 PDT 2017

---------------------------------------------------------------------------
                        VMware Security Advisory

Advisory ID: VMSA-2017-0004.6
Severity:    Critical
Synopsis:    VMware product updates resolve remote code execution
             vulnerability via Apache Struts 2
Issue date:  2017-03-13
Updated on:  2017-03-23
CVE number:  CVE-2017-5638

1. Summary

   VMware product updates resolve remote code execution vulnerability via
   Apache Struts 2

2. Relevant Products

   Horizon Desktop as-a-Service Platform (DaaS)
   VMware vCenter Server (vCenter)
   vRealize Operations Manager (vROps)
   vRealize Hyperic Server (Hyperic)

3. Problem Description

   Remote code execution vulnerability via Apache Struts 2

   Multiple VMware products contain a remote code execution vulnerability
   due to their use of Apache Struts 2. Successful exploitation of this
   issue may result in the complete compromise of an affected product.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the identifier CVE-2017-5638 to this issue.

   Column 5 of the following table lists the action required to remediate
   the vulnerability in each release, if a solution is available.

   VMware      Product    Running             Replace with/  Mitigation/
   Product     Version    on       Severity   Apply Patch    Workaround
   ==========  =========  =======  =========  =============  ==========
   DaaS        7.x        Any      Critical   KB2149495      None
   DaaS        6.1.6      Any      Critical   KB2149500      None
   DaaS        6.1.x      Any      Critical   KB2149588      None

   vCenter     6.5        Any      Critical   6.5b           None
   vCenter     6.0        Any      Critical   6.0u3a         KB2149434
   vCenter     5.5        Any      N/A        not affected   N/A

   vROps       6.x        Any      Critical   patch pending  KB2149472

   Hyperic     5.x        Any      Critical   KB2149543      None

4. Solution

   Please review the patch/release notes for your product and version and
   verify the checksum of your downloaded file.

   Horizon Desktop as-a-Service Platform 7.0.0
   Downloads and Documentation:
   https://my.vmware.com/web/vmware/details?downloadGroup=HORIZON_DAAS_700&productId=638&rPId=14833
   https://kb.vmware.com/kb/2149495

   Horizon Desktop as-a-Service Platform 6.1.6
   Downloads and Documentation:
   https://my.vmware.com/web/vmware/details?downloadGroup=HORIZON-DAAS-610-BIN&productId=405&rPId=6527
   https://kb.vmware.com/kb/2149500

   Horizon Desktop as-a-Service Platform 6.1.x
   Downloads and Documentation:
   https://my.vmware.com/web/vmware/details?downloadGroup=HORIZON-DAAS-610-BIN&productId=405&rPId=6527
   https://kb.vmware.com/kb/2149588

   VMware vCenter Server 6.5b
   Downloads and Documentation:
   https://my.vmware.com/web/vmware/details?downloadGroup=VC650B&productId=614&rPId=15190

   VMware vCenter Server 6.0u3a
   Downloads and Documentation:
   https://my.vmware.com/web/vmware/details?downloadGroup=VC60U3&productId=491&rPId=15373
   https://kb.vmware.com/kb/2149434

   vRealize Operations Manager
   Downloads and Documentation:
   https://kb.vmware.com/kb/2149472

   vRealize Hyperic Server
   Downloads and Documentation:
   https://kb.vmware.com/kb/2149543

5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638
   https://struts.apache.org/docs/s2-045.html
   https://struts.apache.org/docs/s2-046.html
   https://kb.vmware.com/kb/2149434
   https://kb.vmware.com/kb/2149449
   https://kb.vmware.com/kb/2149472
   https://kb.vmware.com/kb/2149495
   https://kb.vmware.com/kb/2149588
   https://kb.vmware.com/kb/2149543

---------------------------------------------------------------------------

6. Change log

   2017-03-13: VMSA-2017-0004
   Initial security advisory in conjunction with the release of
   workarounds for VMware vCenter Server 6.5 and 6.0.

   2017-03-14: VMSA-2017-0004.1
   Security advisory update removing VMware vCenter Server 6.5 workaround.

   2017-03-14: VMSA-2017-0004.2
   Security advisory update in conjunction with the release of VMware
   vCenter Server 6.5b.

   2017-03-15: VMSA-2017-0004.3
   Security advisory update in conjunction with the release of Horizon
   Desktop as-a-Service Platform 6.1.6 fixes and a vRealize Operations
   Manager workaround.

   2017-03-16: VMSA-2017-0004.4
   Security advisory update in conjunction with the release of Horizon
   Desktop as-a-Service Platform 7.0.0 fixes.

   2017-03-21: VMSA-2017-0004.5
   Security advisory update in conjunction with the release of Horizon
   Desktop as-a-Service Platform 6.1.5 fixes and vCenter 6.0u3a.

   2017-03-23: VMSA-2017-0004.6
   Security advisory update in conjunction with the release of vRealize
   Hyperic Server 5.8.6 and 5.8.5 fixes.

---------------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

    security-announce at lists.vmware.com
    bugtraq at securityfocus.com
    fulldisclosure at seclists.org

   E-mail: security at vmware.com
   PGP key at: https://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html

   Twitter
   https://twitter.com/VMwareSRC

   Copyright 2017 VMware Inc.  All rights reserved.