------------------------------------------------------------------------
VMware Security Advisory

Advisory ID: VMSA-2015-0008
Synopsis:    VMware product updates address information disclosure issue
Issue date:  2015-11-18
Updated on:  2015-11-18
CVE number:  CVE-2015-3269
------------------------------------------------------------------------

1. Summary

   VMware product updates address information disclosure issue.

2. Relevant Releases

   VMware vCenter Server 5.5 prior to version 5.5 update 3
   VMware vCenter Server 5.1 prior to version 5.1 update u3b
   VMware vCenter Server 5.0 prior to version 5.0 update u3e

   vCloud Director 5.6 prior to version 5.6.4
   vCloud Director 5.5 prior to version 5.5.3

   VMware Horizon View 6.0 prior to version 6.1
   VMware Horizon View 5.0 prior to version 5.3.4

3. Problem Description

   a. vCenter Server, vCloud Director, Horizon View information
      disclosure issue.

      VMware products that use Flex BlazeDS may be affected by a flaw
      in the processing of XML External Entity (XXE) requests. A
      specially crafted XML request sent to the server could lead to
      unintended information being disclosed.

      VMware would like to thank Matthias Kaiser of Code White GmbH
      for reporting this issue to us.

      The Common Vulnerabilities and Exposures project (cve.mitre.org)
      has assigned the identifier CVE-2015-3269 to this issue.

      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is
      available.

      VMware             Product    Running    Replace with/
      Product            Version    on         Apply Patch
      ===============    =======    =======    =================
      vCenter Server     6.0        any        not affected
      vCenter Server     5.5        any        5.5 update 3
      vCenter Server     5.1        any        5.1 update u3b
      vCenter Server     5.0        any        5.5 update u3e

      vCloud Director    5.6        any        5.6.4
      vCloud Director    5.5        any        5.5.3

      Horizon View       6.0        any        6.1
      Horizon View       5.3        any        5.3.4

4. Solution

   Please review the patch/release notes for your product and version
   and verify the checksum of your downloaded file.

   vCenter Server
   --------------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/download-vsphere

   vCloud Director For Service Providers
   --------------------------------
   Downloads and Documentation:
   https://www.vmware.com/support/pubs/vcd_pubs.html

   Horizon View 6.1, 5.3.4:
   --------------------------------
   Downloads:
   https://my.vmware.com/web/vmware/details?downloadGroup=VIEW-610-GA&productId=492
   https://my.vmware.com/web/vmware/details?downloadGroup=VIEW-534-PREMIER&productId=396

5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3269

------------------------------------------------------------------------

6. Change log

   2015-11-18 VMSA-2015-0008
   Initial security advisory

------------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

     security-announce at lists.vmware.com
     bugtraq at securityfocus.com
     fulldisclosure at seclists.org

   E-mail: security at vmware.com
   PGP key at: http://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   Consolidated list of VMware Security Advisories
   http://kb.vmware.com/kb/2078735

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html

   Twitter
   https://twitter.com/VMwareSRC

   Copyright 2015 VMware Inc. All rights reserved.