
NEW VMSA-2015-0008 - VMware product updates address information disclosure issue



------------------------------------------------------------------------
                  VMware Security Advisory

Advisory ID: VMSA-2015-0008
Synopsis:    VMware product updates address information disclosure
            issue

Issue date:  2015-11-18
Updated on:  2015-11-18
CVE number:  CVE-2015-3269
------------------------------------------------------------------------

1. Summary

 VMware product updates address information disclosure issue.


2. Relevant Releases

 VMware vCenter Server 5.5 prior to version 5.5 update 3
 VMware vCenter Server 5.1 prior to version 5.1 update u3b
 VMware vCenter Server 5.0 prior to version 5.0 update u3e

 vCloud Director 5.6 prior to version 5.6.4
 vCloud Director 5.5 prior to version 5.5.3

 VMware Horizon View 6.0 prior to version 6.1
 VMware Horizon View 5.0 prior to version 5.3.4



3. Problem Description

  a. vCenter Server, vCloud Director, Horizon View information
     disclosure issue.

    VMware products that use Flex BlazeDS may be affected by a flaw in
    the processing of XML External Entity (XXE) requests. A specially
    crafted XML request sent to the server could lead to unintended
    information being disclosed.

    VMware would like to thank Matthias Kaiser of Code White GmbH for
    reporting this issue to us.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the identifier CVE-2015-3269 to this issue.

    Column 4 of the following table lists the action required to
    remediate the vulnerability in each release, if a solution is
    available.

       VMware            Product  Running  Replace with/
       Product           Version  on       Apply Patch
       ===============   =======  =======  =================
       vCenter Server    6.0      any      not affected
       vCenter Server    5.5      any      5.5 update 3
       vCenter Server    5.1      any      5.1 update u3b
       vCenter Server    5.0      any      5.5 update u3e

       vCloud Director   5.6      any      5.6.4
       vCloud Director   5.5      any      5.5.3

       Horizon View      6.0      any      6.1
       Horizon View      5.3      any      5.3.4
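
  The class of flaw described in 3a, shown as an added example that is not part of the advisory and is not VMware or BlazeDS code: a generic Java (JAXP) parser handed a constructed XML document with an external entity, first with the JDK's default settings, which resolve external entities, and then hardened so that any DOCTYPE is refused. The class name, marker string and temp file are constructed for the illustration; the feature URIs are the standard JAXP/Xerces ones.

```java
import java.io.StringReader;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.parsers.DocumentBuilderFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class XxeHardeningDemo {
    // Constructed marker standing in for the contents of a sensitive file.
    static final String MARKER = "CONSTRUCTED-SECRET-MARKER";

    // Hardened factory: refuse any DOCTYPE outright, and switch off external
    // entities and external DTD loading as defence in depth.
    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // "LEAKED" if the parsed text contains the marker, "CLEAN" if it parsed
    // without it, "REJECTED" if the parser refused the document.
    static String parse(DocumentBuilderFactory f, String xml) throws Exception {
        try {
            String text = f.newDocumentBuilder()
                    .parse(new InputSource(new StringReader(xml)))
                    .getDocumentElement().getTextContent();
            return text.contains(MARKER) ? "LEAKED" : "CLEAN";
        } catch (SAXException e) {
            return "REJECTED";
        }
    }

    public static void main(String[] args) throws Exception {
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.writeString(secret, MARKER);
        // Constructed request body: an external entity that points at the temp file.
        String xml = "<?xml version=\"1.0\"?><!DOCTYPE r [<!ENTITY e SYSTEM \""
                + secret.toUri() + "\">]><r>&e;</r>";
        // Same document through the JDK default factory and the hardened one.
        System.out.println("default parser:  " + parse(DocumentBuilderFactory.newInstance(), xml));
        System.out.println("hardened parser: " + parse(hardenedFactory(), xml));
        System.out.println("plain document:  " + parse(hardenedFactory(), "<r>ok</r>"));
        Files.delete(secret);
    }
}
```

  For the products listed above the remediation is the vendor update in column 4; the parser settings only illustrate what closing an XXE flaw looks like in code you control.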


4. Solution

  Please review the patch/release notes for your product and version
  and verify the checksum of your downloaded file.


  vCenter Server
  --------------------------------
  Downloads and Documentation:
  https://www.vmware.com/go/download-vsphere

  vCloud Director For Service Providers
  --------------------------------
  Downloads and Documentation:
  https://www.vmware.com/support/pubs/vcd_pubs.html

  Horizon View 6.1, 5.3.4:
  --------------------------------
  Downloads:
  https://my.vmware.com/web/vmware/details?downloadGroup=VIEW-610-GA&productId=492
  https://my.vmware.com/web/vmware/details?downloadGroup=VIEW-534-PREMIER&productId=396


5. References

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3269

------------------------------------------------------------------------

6. Change log

  2015-11-18 VMSA-2015-0008
  Initial security advisory

------------------------------------------------------------------------

7. Contact

  E-mail list for product security notifications and announcements:
  http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

  This Security Advisory is posted to the following lists:

   security-announce at lists.vmware.com
   bugtraq at securityfocus.com
   fulldisclosure at seclists.org

  E-mail: security at vmware.com
  PGP key at: http://kb.vmware.com/kb/1055

  VMware Security Advisories
  http://www.vmware.com/security/advisories

  Consolidated list of VMware Security Advisories
  http://kb.vmware.com/kb/2078735

  VMware Security Response Policy
  https://www.vmware.com/support/policies/security_response.html

  VMware Lifecycle Support Phases
  https://www.vmware.com/support/policies/lifecycle.html

  Twitter
  https://twitter.com/VMwareSRC

  Copyright 2015 VMware Inc.  All rights reserved.
