-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------------ VMware Security Advisory Advisory ID: VMSA-2016-0004 Synopsis: VMware product updates address a critical security issue in the VMware Client Integration Plugin Issue date: 2016-04-14 Updated on: 2016-04-14 (Initial Advisory) CVE number: CVE-2016-2076 1. Summary VMware vCenter Server, vCloud Director (vCD), vRealize Automation (vRA) Identity Appliance, and the Client Integration Plugin (CIP) updates address a critical security issue. 2. Relevant Releases vCenter Server 6.0 vCenter Server 5.5 U3a, U3b, U3c vCloud Director 5.5.5 vRealize Automation Identity Appliance 6.2.4 3. Problem Description a. Critical VMware Client Integration Plugin incorrect session handling The VMware Client Integration Plugin does not handle session content in a safe way. This may allow for a Man in the Middle attack or Web session hijacking in case the user of the vSphere Web Client visits a malicious Web site. The vulnerability is present in versions of CIP that shipped with: - vCenter Server 6.0 (any 6.0 version up to 6.0 U2) - vCenter Server 5.5 U3a, U3b, U3c - vCloud Director 5.5.5 - vRealize Automation Identity Appliance 6.2.4 In order to remediate the issue, both the server side (i.e. vCenter Server, vCloud Director, and vRealize Automation Identity Appliance) and the client side (i.e. CIP of the vSphere Web Client) will need to be updated. The steps to remediate the issue are as follows: A) Install an updated version of: - vCenter Server, - vCloud Director, - vRealize Automation Identity Appliance, B) Subsequently update the Client Integration Plugin on the system from which the vSphere Web Client is used. Updating the plugin on vSphere and vRA Identity Appliance is explained in VMware Knowledge Base article 2145066. Updating the plugin on vCloud Director is initiated by a prompt when connecting the vSphere Web Client to the updated version of vCloud Director. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2016-2076 to this issue. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ====================== ============= ======= ============= vCenter Server 6.0 any 6.0 U2 * vCenter Server 5.5 U3a - U3c any 5.5 U3d * vCenter Server 5.1 any not affected vCenter Server 5.0 any not affected vCloud Director 8.0.x Windows not affected ** vCloud Director 5.6.x Windows not affected vCloud Director 5.5.5 Windows 5.5.6 * vRA Identity Appliance 7.x Linux not affected vRA Identity Appliance 6.2.4 Linux 6.2.4.1 * Client Integration see text Windows, see item B above Plugin above Mac OS * After installing the updated version, the Client Integration Plugin will need to be updated on all systems from which the vSphere Web Client is used to connect to vCenter Server, vCloud Director and vRealize Automation Identity Manager. ** vCloud Director 8.0.0 did not ship with a vulnerable CIP version, and vCloud Director 8.0.1 shipped with the updated version of the CIP. 4. Solution Please review the patch/release notes for your product and version and verify the checksum of your downloaded file. vCenter Server -------------- Downloads and Documentation: https://www.vmware.com/go/download-vsphere http://pubs.vmware.com/Release_Notes/en/vsphere/55/vsphere-vcenter-server-5 5u3d-release-notes.html vCloud Director --------------- Downloads and Documentation: https://www.vmware.com/go/download/vcloud-director http://pubs.vmware.com/Release_Notes/en/vcd/556/rel_notes_vcloud_director_5 56.html VMware vRealize Automation 6.2.4.1 ---------------------------------- Downloads and Documentation: https://my.vmware.com/web/vmware/info/slug/infrastructure_operations_manage ment/vmware_vrealize_automation/6_2 (select "Go to Downloads" and scroll down to "Security Update") http://pubs.vmware.com/Release_Notes/en/vra/vrealize-automation-624-release - -notes.html 5. References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2076 VMware Knowledge Base article 2145066 kb.vmware.com/kb/2145066 - ------------------------------------------------------------------------ 6. Change log 2016-04-14 VMSA-2016-0004 Initial security advisory in conjunction with the release of VMware vSphere 5.5 U3d and vCloud Director 5.5.6 on 2016-04-14. - ------------------------------------------------------------------------ 7. Contact E-mail list for product security notifications and announcements: http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce This Security Advisory is posted to the following lists: security-announce at lists.vmware.com bugtraq at securityfocus.com fulldisclosure at seclists.org E-mail: security at vmware.com PGP key at: https://kb.vmware.com/kb/1055 VMware Security Advisories http://www.vmware.com/security/advisories Consolidated list of VMware Security Advisories http://kb.vmware.com/kb/2078735 VMware Security Response Policy https://www.vmware.com/support/policies/security_response.html VMware Lifecycle Support Phases https://www.vmware.com/support/policies/lifecycle.html Twitter https://twitter.com/VMwareSRC Copyright 2016 VMware Inc. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.8.3 (Build 4028) Charset: utf-8 wj8DBQFXD+2rDEcm8Vbi9kMRAkavAJ9Jh0+7d46fu6t24ZTbfi+gZqNhNACfbiip CTomNkThpHn4T6WPTz8LAuw= =DZIG -----END PGP SIGNATURE-----