
NEW VMSA-2015-0008 - VMware product updates address information disclosure issue

                  VMware Security Advisory

Advisory ID: VMSA-2015-0008
Synopsis:    VMware product updates address information disclosure

Issue date:  2015-11-18
Updated on:  2015-11-18
CVE number:  CVE-2015-3269

1. Summary

 VMware product updates address information disclosure issue.

2. Relevant Releases

 VMware vCenter Server 5.5 prior to version 5.5 update 3
 VMware vCenter Server 5.1 prior to version 5.1 update u3b
 VMware vCenter Server 5.0 prior to version 5.0 update u3e

 vCloud Director 5.6 prior to version 5.6.4
 vCloud Director 5.5 prior to version 5.5.3

 VMware Horizon View 6.0 prior to version 6.1
 VMware Horizon View 5.0 prior to version 5.3.4

3. Problem Description

  a. vCenter Server, vCloud Director, Horizon View information
     disclosure issue.

    VMware products that use Flex BlazeDS may be affected by a flaw in
    the processing of XML External Entity (XXE) requests. A specially
    crafted XML request sent to the server could lead to unintended
    information being disclosed.

    VMware would like to thank Matthias Kaiser of Code White GmbH for
    reporting this issue to us.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the identifier CVE-2015-3269 to this issue.

    Column 4 of the following table lists the action required to
    remediate the vulnerability in each release, if a solution is

       VMware            Product  Running  Replace with/
       Product           Version  on       Apply Patch
       ===============   =======  =======  =================
       vCenter Server    6.0      any      not affected
       vCenter Server    5.5      any      5.5 update 3
       vCenter Server    5.1      any      5.1 update u3b
       vCenter Server    5.0      any      5.5 update u3e

       vCloud Director   5.6      any      5.6.4
       vCloud Director   5.5      any      5.5.3

       Horizon View      6.0      any      6.1
       Horizon View      5.3      any      5.3.4

4. Solution

  Please review the patch/release notes for your product and version
  and verify the checksum of your downloaded file.

  vCenter Server
  Downloads and Documentation:

  vCloud Director For Service Providers
  Downloads and Documentation:

  Horizon View 6.1, 5.3.4:

5. References



6. Change log

  2015-11-18 VMSA-2015-0008
  Initial security advisory


7. Contact

  E-mail list for product security notifications and announcements:

  This Security Advisory is posted to the following lists:

   security-announce at lists.vmware.com
   bugtraq at securityfocus.com
   fulldisclosure at seclists.org

  E-mail: security at vmware.com
  PGP key at: http://kb.vmware.com/kb/1055

  VMware Security Advisories

  Consolidated list of VMware Security Advisories

  VMware Security Response Policy

  VMware Lifecycle Support Phases


  Copyright 2015 VMware Inc.  All rights reserved.
