-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------------ VMware Security Advisory Advisory ID: VMSA-2015-0003 Synopsis: VMware product updates address critical information disclosure issue in JRE. Issue date: 2015-04-02 Updated on: 2015-04-02 (Initial Advisory) CVE number: CVE-2014-6593, for other CVEs see JRE reference - ------------------------------------------------------------------------ 1. Summary VMware product updates address critical information disclosure issue in JRE. 2. Relevant Releases Horizon View 6.x or 5.x Horizon Workspace Portal Server 2.1 or 2.0 vCenter Operations Manager 5.8.x or 5.7.x vCloud Automation Center 6.0.1 vSphere Replication prior to 5.8.0.2 or 5.6.0.3 vRealize Automation 6.2.x or 6.1.x vRealize Code Stream 1.1 or 1.0 vRealize Hyperic 5.8.x, 5.7.x or 5.0.x vSphere AppHA Prior to 1.1.x vRealize Business Standard prior to 1.1.x or 1.0.x NSX for Multi-Hypervisor prior to 4.2.4 vRealize Configuration Manager 5.7.x or 5.6.x vRealize Infrastructure 5.8 or 5.7 3. Problem Description a. Oracle JRE Update Oracle JRE is updated in VMware products to address a critical security issue that existed in earlier releases of Oracle JRE. VMware products running JRE 1.7 Update 75 or newer and JRE 1.6 Update 91 or newer are not vulnerable to CVE-2014-6593, as documented in the Oracle Java SE Critical Patch Update Advisory of January 2015. This advisory also includes the other security issues that are addressed in JRE 1.7 Update 75 and JRE 1.6 Update 91. The References section provides a link to the JRE advisory. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2014-6593 to this issue. This issue is also known as "SKIP" or "SKIP-TLS". Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch** ============= ======= ======= ================= Horizon View 6.x any 6.1 Horizon View 5.x any 5.3.4 Horizon Workspace Portal 2.1 ,2.0 any 2.1.1 Server Horizon DaaS Platform 6.1 any patch pending Horizon DaaS Platform 6.0 any patch pending Horizon DaaS Platform 5.4 any patch pending vCloud Networking and Security 5.5 any patch pending* vCloud Connector 2.7 any patch pending* vCloud Usage Meter 3.3 any patch pending* vCenter Site Recovery Manager 5.5.x any patch pending*** vCenter Site Recovery Manager 5.1.x any patch pending*** vCenter Site Recovery Manager 5.0.x any patch pending*** vCenter Server 6.0 any patch pending vCenter Server 5.5 any patch pending vCenter Server 5.1 any patch pending vCenter Server 5.0 any patch pending vRealize Operations Manager 6.0 any patch pending* vCenter Operations Manager 5.8.x any KB2111172 vCenter Operations Manager 5.7.x any KB2111172 vCenter Support Assistant 5.5.1.x any patch pending vRealize Application Services 6.2 any patch pending vRealize Application Services 6.1 any patch pending vCloud Application Director 6.0 any patch pending vCloud Application Director 5.2 any KB2111981 vRealize Automation 6.2 any KB2111658 vRealize Automation 6.1 any KB2111658 vCloud Automation Center 6.0.1 any KB2111658 vRealize Code Stream 1.1 any KB2111658 vRealize Code Stream 1.0 any KB2111658 vPostgres 9.3.x any patch pending vPostgres 9.2.x any patch pending vPostgres 9.1.x any patch pending vSphere Replication 5.8.1 any patch pending vSphere Replication 5.8.0 any 5.8.0.2 vSphere Replication 5.6.0 any 5.6.0.3 vSphere Replication 5.1 any patch pending vSphere Storage Appliance 5.x any patch pending* vRealize Hyperic 5.8 any KB2111337 vRealize Hyperic 5.7 any KB2111337 vRealize Hyperic 5.0 any KB2111337 vSphere AppHA 1.1 any KB2111336 vSphere Big Data Extensions 2.1 any patch pending* vSphere Big Data Extensions 2.0 any patch pending* vSphere Data Protection 6.0 any patch pending* vSphere Data Protection 5.8 any patch pending* vSphere Data Protection 5.5 any patch pending* vSphere Data Protection 5.1 any patch pending* vCenter Chargeback Manager 2.6 any patch pending* vRealize Business Adv/Ent 8.1 any patch pending* vRealize Business Adv/Ent 8.0 any patch pending* vRealize Business Standard 6.0 any KB2111802 vRealize Business Standard 1.1 any KB2111802 vRealize Business Standard 1.0 any KB2111802 NSX for vSphere 6.1 any patch pending* NSX for Multi-Hypervisor 4.2 any 4.2.4* vCloud Director 5.5.x any 5.5.3* vCloud Director For 5.6.4 any patch pending* Service Providers vCenter Application Discovery 7.0 any patch pending* Manager vRealize Configuration Manager 5.7.x any KB2111670 vRealize Configuration Manager 5.6 any KB2111670 vRealize Infrastructure 5.8 any 5.8.4 Navigator vRealize Infrastructure 5.7 any KB2111334* Navigator vRealize Orchestrator 6.0 any patch pending* vRealize Orchestrator 5.2 any patch pending* vRealize Orchestrator 5.1 any patch pending* vShield 5.5 any patch pending* vRealize Log Insight 2.5 any patch pending* vRealize Log Insight 2.0 any patch pending* vRealize Log Insight 1.5 any patch pending* vRealize Log Insight 1.0 any patch pending* vSphere Management Assistant 5.x any patch pending vSphere Update Manager 6.0 any patch pending* vSphere Update Manager 5.5 any patch pending* vSphere Update Manager 5.1 any patch pending* vSphere Update Manager 5.0 any patch pending* * The severity of critical is lowered to important for this product as is not considered Internet facing ** Knowledge Base (KB) articles provides details of the patches and how to install them. *** vCenter Site Recovery Manager 5.0, 5.1, and 5.5 itself do not include JRE but they include the vSphere Replication appliance which has JRE. vCenter Site Recovery 5.8 and 6.0 do not include JRE nor the vSphere Replication appliance. 4. Solution Please review the patch/release notes for your product and version and verify the checksum of your downloaded file. Horizon View 6.1, 5.3.4: ======================== Downloads: https://my.vmware.com/web/vmware/details?downloadGroup=VIEW-610-GA&productI d=492 https://my.vmware.com/web/vmware/details?downloadGroup=VIEW-534-PREMIER&pro ductId=396 VMware Workspace Portal 2.1.1 ============================= Download: https://my.vmware.com/web/vmware/details?downloadGroup=HZNWS211&productId=5 01&rPId=7586 Documentation: https://www.vmware.com/support/horizon_workspace/doc/wp_release_notes_211.h tml vCenter Operations Manager 6.0, 5.8.5, 5.7.4 ======================================= Downloads and Documentation: http://kb.vmware.com/kb/2111172 vCloud Automation Center 6.0.1.2 ================================ Downloads and Documentation: http://kb.vmware.com/kb/2111685 vSphere Replication 5.8.0.2, 5.6.0.3 ==================================== Downloads: https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5802 https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5603 Documentation: http://kb.vmware.com/kb/2112025 vRealize Automation 6.2.1, 6.1.1 ================================ Downloads and Documentation: http://kb.vmware.com/kb/2111658 vRealize Code Stream 1.1, 1.0 ============================= Downloads and Documentation: http://kb.vmware.com/kb/2111685 vRealize Hyperic 5.8.4, 5.7.2, 5.0.3 ==================================== Downloads and Documentation: http://kb.vmware.com/kb/KB2111337 vSphere AppHA 1.1.1 =================== Downloads and Documentation: http://kb.vmware.com/kb/2111336 vRealize Business Standard 6.0, 1.1 , 1.0 ======================================= Downloads and Documentation: http://kb.vmware.com/kb/2111802 vRealize Configuration Manager 5.7.3 =================================== Downloads and Documentation: http://kb.vmware.com/kb/2111670 vRealize Infrastructure Navigator 5.8.4 ======================================= Download: https://my.vmware.com/web/vmware/details?downloadGroup=VIN_584&productId=47 6 vRealize Infrastructure Navigator 5.7 ===================================== Downloads and Documentation: http://kb.vmware.com/kb/2111334 5. References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6593 JRE Oracle Java SE Critical Patch Update Advisory of January 2015 http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html - ------------------------------------------------------------------------ 6. Change log 2015-04-02 VMSA-2015-0003 Initial security advisory in conjunction with the release of VMware Horizon View 6.1, 5.3.4; vCenter Operations Manager 5.8.5; vCenter Operations Manager 5.7.4; vCloud Automation Center 6.0.1.2; vSphere Replication 5.8.0.2, 5.6.0.3; vRealize Automation 6.2.1, 6.1.1; vRealize Code Stream 1.1, 1.0; vRealize Hyperic 5.8.4, 5.7.2, 5.0.3; vSphere AppHA 1.1.1; vRealize Business Standard 1.1.1, 1.0.1; vRealize Configuration Manager prior to 5.7.3; vRealize Infrastructure 5.7, 5.8.4 Patches released on 2015-04-02. - ------------------------------------------------------------------------ 7. Contact E-mail list for product security notifications and announcements: http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce This Security Advisory is posted to the following lists: security-announce at lists.vmware.com bugtraq at securityfocus.com fulldisclosure at seclists.org E-mail: security at vmware.com PGP key at: http://kb.vmware.com/kb/1055 VMware Security Advisories http://www.vmware.com/security/advisories Consolidated list of VMware Security Advisories http://kb.vmware.com/kb/2078735 VMware Security Response Policy https://www.vmware.com/support/policies/security_response.html VMware Lifecycle Support Phases https://www.vmware.com/support/policies/lifecycle.html Twitter https://twitter.com/VMwareSRC Copyright 2015 VMware Inc. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: Encryption Desktop 10.3.0 (Build 8741) Charset: utf-8 wj8DBQFVHbgPDEcm8Vbi9kMRAlg3AJ4n6zhhL4TYWtn/RjtlM16J1qvwzgCg+lU5 V4eBaZXBBKNbPABP/G0mKj8= =BXOw -----END PGP SIGNATURE-----