Twenty Year Anniversary

VMware Security Advisory 2016-0022

VMware Security Advisory 2016-0022
Posted Nov 24, 2016
Authored by VMware | Site vmware.com

VMware Security Advisory 2016-0022 - VMware vCenter Server, vSphere Client, and vRealize Automation updates address information disclosure vulnerabilities.

tags | advisory, vulnerability, info disclosure
advisories | CVE-2016-7458, CVE-2016-7459, CVE-2016-7460
MD5 | 476130603dba190123ac984ecc43f84c

VMware Security Advisory 2016-0022

Change Mirror Download
aa-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ---------------------------------------------------------------------------
- ---
VMware Security Advisory

Advisory ID: VMSA-2016-0022
Severity: Important
Synopsis: VMware product updates address information disclosure
vulnerabilities
Issue date: 2016-11-22
Updated on: 2016-11-22 (Initial Advisory)
CVE number: CVE-2016-7458, CVE-2016-7459, CVE-2016-7460

1. Summary

VMware vCenter Server, vSphere Client, and vRealize Automation updates
address information disclosure vulnerabilities.

2. Relevant Products

VMware vCenter Server
VMware vSphere Client
vRealize Automation

3. Problem Description

a. vSphere Client XML External Entity vulnerabilitya"
The vSphere Client contains an XML External Entity (XXE) vulnerability.
This issue can lead to information disclosure if a vSphere Client
user is tricked into connecting to a malicious instance of vCenter
Server or ESXi.

There are no known workarounds for this issue.

VMware would like to thank Vladimir Ivanov, Andrey Evlanin, Mikhail
Stepankin, Artem Kondratenko, Arseniy Sharoglazov of Positive
Technologies for reporting this issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the identifier CVE-2016-7458 to this issue.

Column 5 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.

VMware Product Running Replace with/ Mitigation
Product Version on Severity Apply Patch * Workaround
============== ======= ======= ========= ============= ==========
vSphere Client 6.0 Windows Important 6.0 U2a None
vSphere Client 5.5 Windows Important 5.5 U3e None

* In order to remediate the vulnerability, the vSphere Client will
need to be uninstalled and re-installed. A fixed version of vSphere
Client can be obtained from:
- vCenter Server 6.0 U2a
- vCenter Server 5.5 U3e
- VMware Knowledge Base article 2089791
The build numbers of the fixed client versions may be found in
VMware Knowledge Base article 2089791.


b. vCenter Server XML External Entity vulnerability

vCenter Server contains an XML External Entity (XXE) vulnerability in
the Log Browser, the Distributed Switch setup, and the Content
Library. A specially crafted XML request issued to the server may
lead to unintended information disclosure.

There are no known workarounds for this issue.

VMware would like to thank Vladimir Ivanov, Andrey Evlanin, Mikhail
Stepankin, Artem Kondratenko, Arseniy Sharoglazov of Positive
Technologies, and Lukasz Plonka for independently for reporting this
issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the identifier CVE-2016-7459 to this issue.

Column 5 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.

VMware Product Running Replace with/ Mitigation
Product Version on Severity Apply Patch Workaround
============== ======= ======= ========= ============= ==========
vCenter Server 6.5 Any N/A Not affected N/A
vCenter Server 6.0 Any Important 6.0 U2a None
vCenter Server 5.5 Any Important 5.5 U3e None

c. vCenter Server and vRealize Automation XML External Entity
vulnerability

vCenter Server and vRealize Automation contain an XML External
Entity (XXE) vulnerability in the Single Sign-On functionality. A
specially crafted XML request issued to the server may lead to a
Denial of Service or to unintended information disclosure.

There are no known workarounds for this issue.

VMware would like to thank Vladimir Ivanov, Andrey Evlanin, Mikhail
Stepankin, Artem Kondratenko, Arseniy Sharoglazov of Positive
Technologies for reporting this issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the identifier CVE-2016-7460 to this issue.

Column 5 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.

VMware Product Running Replace with/ Mitigation
Product Version on Severity Apply Patch Workaround
============== ======= ======= ========= ============= ==========
vCenter Server 6.5 Any N/A Not affected N/A
vCenter Server 6.0 Any Important 6.0 U2a None
vCenter Server 5.5 Any Important 5.5 U3e None

vRealize 7.x VA N/A Not affected N/A
Automation
vRealize 6.x VA Important 6.2.5 None
Automation

4. Solution

Please review the patch/release notes for your product and version and
verify the checksum of your downloaded file.

vCenter Server
Downloads and Documentation:
https://www.vmware.com/go/download-vsphere

vRealize Automation
Downloads and Documentation:

https://my.vmware.com/web/vmware/info/slug/infrastructure_operations_manage
ment/vmware_vrealize_automation/6_2


5. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7458
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7459
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7460

VMware Knowledge Base article 2089791
https://kb.vmware.com/kb/2089791

- ------------------------------------------------------------------------

6. Change log

2016-11-22
VMSA-2016-0022 Initial security advisory in conjunction with the
release of vSphere 6.0 U2a on 2016-11-22.

- ------------------------------------------------------------------------

7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

security-announce at lists.vmware.com
bugtraq at securityfocus.com
fulldisclosure at seclists.org

E-mail: security at vmware.com
PGP key at: https://kb.vmware.com/kb/1055

VMware Security Advisories
http://www.vmware.com/security/advisories

VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html

VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html

Twitter
https://twitter.com/VMwareSRC

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8

wj8DBQFYNJihDEcm8Vbi9kMRApi1AJ9bAlKpivhmBgsT+XgLvW2LDhfJgQCg1X4i
Rqc+ck+V8jSvbcFO5OuddJg=
=2J1L
-----END PGP SIGNATURE-----a


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

July 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    1 Files
  • 2
    Jul 2nd
    26 Files
  • 3
    Jul 3rd
    15 Files
  • 4
    Jul 4th
    11 Files
  • 5
    Jul 5th
    13 Files
  • 6
    Jul 6th
    4 Files
  • 7
    Jul 7th
    4 Files
  • 8
    Jul 8th
    1 Files
  • 9
    Jul 9th
    16 Files
  • 10
    Jul 10th
    15 Files
  • 11
    Jul 11th
    32 Files
  • 12
    Jul 12th
    22 Files
  • 13
    Jul 13th
    15 Files
  • 14
    Jul 14th
    1 Files
  • 15
    Jul 15th
    1 Files
  • 16
    Jul 16th
    21 Files
  • 17
    Jul 17th
    4 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close