what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

VMware Security Advisory 2016-0004

VMware Security Advisory 2016-0004
Posted Apr 15, 2016
Authored by VMware | Site vmware.com

VMware Security Advisory 2016-0004 - VMware vCenter Server, vCloud Director (vCD), vRealize Automation (vRA) Identity Appliance, and the Client Integration Plugin (CIP) updates address a critical security issue.

tags | advisory
advisories | CVE-2016-2076
SHA-256 | bd56155a16a9898620437b43f01ad1f323acba62d3f1fc3b322b4be0caad980b

VMware Security Advisory 2016-0004

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
VMware Security Advisory

Advisory ID: VMSA-2016-0004
Synopsis: VMware product updates address a critical security issue in
the VMware Client Integration Plugin
Issue date: 2016-04-14
Updated on: 2016-04-14 (Initial Advisory)
CVE number: CVE-2016-2076

1. Summary

VMware vCenter Server, vCloud Director (vCD), vRealize Automation
(vRA) Identity Appliance, and the Client Integration Plugin (CIP)
updates address a critical security issue.

2. Relevant Releases

vCenter Server 6.0
vCenter Server 5.5 U3a, U3b, U3c

vCloud Director 5.5.5

vRealize Automation Identity Appliance 6.2.4

3. Problem Description

a. Critical VMware Client Integration Plugin incorrect session
handling

The VMware Client Integration Plugin does not handle session content
in a safe way. This may allow for a Man in the Middle attack or Web
session hijacking in case the user of the vSphere Web Client visits
a malicious Web site.

The vulnerability is present in versions of CIP that shipped with:
- vCenter Server 6.0 (any 6.0 version up to 6.0 U2)
- vCenter Server 5.5 U3a, U3b, U3c
- vCloud Director 5.5.5
- vRealize Automation Identity Appliance 6.2.4

In order to remediate the issue, both the server side (i.e. vCenter
Server, vCloud Director, and vRealize Automation Identity Appliance)
and the client side (i.e. CIP of the vSphere Web Client) will need
to be updated.

The steps to remediate the issue are as follows:
A) Install an updated version of:
- vCenter Server,
- vCloud Director,
- vRealize Automation Identity Appliance,
B) Subsequently update the Client Integration Plugin on the system
from which the vSphere Web Client is used.
Updating the plugin on vSphere and vRA Identity Appliance is
explained in VMware Knowledge Base article 2145066.
Updating the plugin on vCloud Director is initiated by a prompt
when connecting the vSphere Web Client to the updated version of
vCloud Director.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the identifier CVE-2016-2076 to this issue.

Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.

VMware Product Running Replace with/
Product Version on Apply Patch
====================== ============= ======= =============

vCenter Server 6.0 any 6.0 U2 *
vCenter Server 5.5 U3a - U3c any 5.5 U3d *
vCenter Server 5.1 any not affected
vCenter Server 5.0 any not affected

vCloud Director 8.0.x Windows not affected **
vCloud Director 5.6.x Windows not affected
vCloud Director 5.5.5 Windows 5.5.6 *

vRA Identity Appliance 7.x Linux not affected
vRA Identity Appliance 6.2.4 Linux 6.2.4.1 *

Client Integration see text Windows, see item B above
Plugin above Mac OS

* After installing the updated version, the Client Integration Plugin
will need to be updated on all systems from which the vSphere Web
Client is used to connect to vCenter Server, vCloud Director and
vRealize Automation Identity Manager.

** vCloud Director 8.0.0 did not ship with a vulnerable CIP version,
and vCloud Director 8.0.1 shipped with the updated version of the
CIP.

4. Solution

Please review the patch/release notes for your product and
version and verify the checksum of your downloaded file.

vCenter Server
--------------
Downloads and Documentation:
https://www.vmware.com/go/download-vsphere

https://pubs.vmware.com/Release_Notes/en/vsphere/55/vsphere-vcenter-server-5
5u3d-release-notes.html

vCloud Director
---------------
Downloads and Documentation:
https://www.vmware.com/go/download/vcloud-director

https://pubs.vmware.com/Release_Notes/en/vcd/556/rel_notes_vcloud_director_5
56.html

VMware vRealize Automation 6.2.4.1
----------------------------------
Downloads and Documentation:

https://my.vmware.com/web/vmware/info/slug/infrastructure_operations_manage
ment/vmware_vrealize_automation/6_2
(select "Go to Downloads" and scroll down to "Security Update")

https://pubs.vmware.com/Release_Notes/en/vra/vrealize-automation-624-release
- -notes.html


5. References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2076

VMware Knowledge Base article 2145066
kb.vmware.com/kb/2145066

- ------------------------------------------------------------------------

6. Change log

2016-04-14 VMSA-2016-0004
Initial security advisory in conjunction with the release of VMware
vSphere 5.5 U3d and vCloud Director 5.5.6 on 2016-04-14.

- ------------------------------------------------------------------------

7. Contact

E-mail list for product security notifications and announcements:
https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

security-announce at lists.vmware.com
bugtraq at securityfocus.com
fulldisclosure at seclists.org

E-mail: security at vmware.com
PGP key at: https://kb.vmware.com/kb/1055

VMware Security Advisories
https://www.vmware.com/security/advisories

Consolidated list of VMware Security Advisories
https://kb.vmware.com/kb/2078735

VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html

VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html

Twitter
https://twitter.com/VMwareSRC

Copyright 2016 VMware Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8

wj8DBQFXD+2rDEcm8Vbi9kMRAkavAJ9Jh0+7d46fu6t24ZTbfi+gZqNhNACfbiip
CTomNkThpHn4T6WPTz8LAuw=
=DZIG
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close