Jump to content


Photo

VMware svr and client multiple vulns - updates available


  • Please log in to reply
182 replies to this topic

#101 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 23 August 2013 - 04:24 AM

FYI...

VMSA-2013-0010 - VMware Workstation host privilege escalation vuln
- http://www.vmware.co...-2013-0010.html
Issue date: 2013-08-22
CVE numbers: CVE-2013-1662
Summary: VMware Workstation addresses a vulnerability in the vmware-mount component which could result in a privilege escalation on linux-based host machines.
Relevant releases:
VMware Workstation 9.x, 8.x
VMware Player 5.x, 4.x...
- https://www.vmware.c...loadworkstation

- https://secunia.com/advisories/54580/
Release Date: 2013-08-23
Where: Local system
Impact: Privilege escalation
... vulnerability affects only installations running on Debian-based Linux platforms.
Original Advisory: VMware (VMSA-2013-0010):
http://www.vmware.co...-2013-0010.html
 

:ph34r:


.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#102 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 30 August 2013 - 05:46 AM

FYI...

VMSA-2013-0011 - VMware ESXi and ESX address an NFC Protocol Unhandled Exception
- http://www.vmware.co...-2013-0011.html
2013-08-29
Synopsis: VMware ESXi and ESX address an NFC Protocol Unhandled Exception
CVE numbers: CVE-2013-1661
"Summary: VMware has updated VMware ESXi and ESX to address a vulnerability in an unhandled exception in the NFC protocol handler..."
https://www.vmware.c...download.portal

- http://www.securityt....com/id/1028966
CVE Reference: CVE-2013-1661
Aug 30 2013
Impact: Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): ESX/ESXi 4.0, 4.1, ESXi 5.0, 5.1
Impact: A remote user can cause denial of service conditions.
Solution: The vendor has issued a fix...

- https://secunia.com/advisories/54614/
Release Date: 2013-08-30
Where: From local network
Impact: DoS
Solution Status: Vendor Patch
Operating System: VMware ESX Server 4.x, VMware ESXi 4.x, VMware ESXi 5.x
CVE Reference: CVE-2013-1661
... weakness is reported in VMware ESXi versions 4.0, 4.1, 5.0, and 5.1 and VMware ESX versions 4.0 and 4.1.
Solution: Apply patches.
Original Advisory: VMware (VMSA-2013-0011)...

- https://isc.sans.edu...l?storyid=16472
Last Updated: 2013-08-30 11:48:31
 

:ph34r:


Edited by AplusWebMaster, 06 October 2013 - 01:00 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#103 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 18 October 2013 - 05:50 AM

FYI...

VMSA-2013-0012 - VMware vSphere updates address multiple vulnerabilities
- http://www.vmware.co...-2013-0012.html
2013-10-17 - "Summary: VMware has updated vCenter Server, vCenter Server Appliance (vCSA),
vSphere Update Manager (VUM), ESXi and ESX to address multiple security vulnerabilities..."
CVE numbers: CVE-2013-5970, CVE-2013-5971

- https://secunia.com/advisories/55226/
Release Date: 2013-10-18
Criticality: Highly Critical
Where: From remote
Impact: Security Bypass, Spoofing, Manipulation of data, Exposure of sensitive information, Privilege escalation, DoS, System access...
... vulnerabilities are caused due to a bundled vulnerable version of Java.
For more information: https://secunia.com/SA53846/
The vulnerabilities are reported in the following products and versions:
* vCenter Server versions 4.1, 5.0, and 5.1
* Update Manager versions 5.0 and 5.1
* ESX version 4.1
Original Advisory: http://www.vmware.co...-2013-0012.html
___

VMSA-2013-0006.1 - VMware security updates for vCenter Server
- http://www.vmware.co...-2013-0006.html
Updated on: 2013-10-17 - "Summary: VMware has updated vCenter Server Appliance (vCSA) and vCenter Server running on Windows to address multiple security vulnerabilities..."
CVE numbers:
CVE-2013-3107, CVE-2013-3079, CVE-2013-3080
--- tomcat ---
CVE-2012-5885, CVE-2012-5886, CVE-2012-5887, CVE-2012-2733,
CVE-2012-4534, CVE-2012-3546, CVE-2012-4431
--- JRE ---

VMSA-2013-0009.1 - VMware vSphere, ESX and ESXi updates to third party libraries
- http://www.vmware.co...-2013-0009.html
Updated on: 2013-10-17 - "Summary: VMware has updated several third party libraries in vCenter Server, ESX and ESXi to address multiple security vulnerabilities..."
CVE numbers:  
--- OpenSSL ---
CVE-2013-0169, CVE-2013-0166
 --- libxml2 (COS and userworld) ---
CVE-2013-0338
 --- GnuTLS (COS) ---
CVE-2013-2116
--- Kernel (COS) ---
CVE-2013-0268, CVE-2013-0871
___

- https://isc.sans.edu...l?storyid=16847
Last Updated: 2013-10-18 10:41:39 UTC
 

:ph34r: :ph34r:


Edited by AplusWebMaster, 18 October 2013 - 02:55 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#104 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 15 November 2013 - 05:47 AM

FYI...

VMSA-2013-0013 - VMware Workstation host privilege escalation vuln
- http://www.vmware.co...-2013-0013.html
2013-11-14
CVE-2013-5972
1. Summary: VMware has updated VMware Workstation and VMware Player to address a
vulnerability that could result in an escalation of privilege on Linux-based host machines.
2. Relevant releases: VMware Workstation for Linux 9.x prior to version 9.0.3 VMware Player for Linux 5.x prior to version 5.0.3...

- http://www.securityt....com/id/1029350
CVE Reference: CVE-2013-5972
Nov 15 2013
Impact: Root access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): Workstation for Linux 9.x prior to 9.0.3; Player for Linux 5.x prior to 5.0.3...
Solution: The vendor has issued a fix (5.0.3, 9.0.3)...
 

:ph34r:


.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#105 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 04 December 2013 - 04:09 AM

FYI...

VMSA-2013-0014 - VMware Workstation, Fusion, ESXi and ESX patches
- http://www.vmware.co...-2013-0014.html
2013-12-03
CVE number: https://web.nvd.nist...d=CVE-2013-3519 - 6.9
Summary: VMware Workstation, Fusion, ESXi and ESX patches address a vulnerability in the LGTOSYNC.SYS driver which could result in a privilege escalation on older Windows-based Guest Operating Systems.
Relevant releases:
VMware Workstation 9.x prior to version 9.0.3
VMware Player 5.x prior to version 5.0.3
VMware Fusion 5.x prior to version 5.0.4
VMware ESXi 5.1 without patch ESXi510-201304102
VMware ESXi 5.0 without patch ESXi500-201303102
VMware ESXi 4.1 without patch ESXi410-201301402
VMware ESXi 4.0 without patch ESXi400-201305401
VMware ESX 4.1 without patch ESX410-201301401
VMware ESX 4.0 without patch ESX400-201305401 ...

- http://www.securityt....com/id/1029430
CVE-2013-3519
Dec 4 2013
Impact: Root access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): Workstation 9.x, Fusion 5.x ...
Solution: The vendor has issued a fix (Workstation 9.0.3, Fusion 5.0.3 on Windows, Fusion 5.0.4 on OS X)...

- http://www.securityt....com/id/1029429
CVE-2013-3519
Dec 4 2013
Impact: Root access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): ESX/ESXi 4.0, 4.1, ESXi 5.0, 5.1 ...
 

:ph34r: :ph34r:


Edited by AplusWebMaster, 04 December 2013 - 10:12 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#106 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 06 December 2013 - 12:02 PM

FYI...

VMSA-2013-0015 - VMware ESX updates to third party libraries
- http://www.vmware.co...-2013-0015.html
2013-12-05
CVE numbers:
--- kernel (service console) ---
CVE-2012-2372, CVE-2012-3552, CVE-2013-2147, CVE-2013-2164, CVE-2013-2206, CVE-2013-2224, CVE-2013-2234, CVE-2013-2237, CVE-2013-2232
--- nss and nspr (service console) ---
CVE-2013-0791, CVE-2013-1620
Summary: VMware has updated several third party libraries in ESX that address multiple security vulnerabilities.
Relevant releases: VMware ESX 4.1 without patch ESX410-201312001
Problem Description: Update to ESX service console kernel
The ESX service console kernel is updated to resolve multiple security issues.
- Update to ESX service console NSPR and NSS
This patch updates the ESX service console Netscape Portable Runtime (NSPR) and Network Security Services (NSS) RPMs to resolve multiple security issues...

- http://kb.vmware.com...ernalId=2061209
Dec 05, 2013
 

:ph34r: :ph34r:


.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#107 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 23 December 2013 - 05:44 AM

FYI...

VMSA-2013-0016 - VMware ESXi and ESX unauthorized file access through vCenter Server and ESX
- http://www.vmware.co...-2013-0016.html
2013-12-22
Summary: VMware ESXi and ESX unauthorized file access through vCenter Server and ESX  
Relevant releases:
VMware ESXi 5.5 without patch ESXi550-201312001
VMware ESXi 5.1 without patch ESXi510-201310001
VMware ESXi 5.0 without patch update-from-esxi5.0-5.0_update03
VMware ESXi 4.1 without patch ESXi410-201312001
VMware ESXi 4.0 without patch ESXi400-201310001
VMware ESX 4.1 without patch ESX410-201312001
VMware ESX 4.0 without patch ESX400-201310001
Problem Description:
VMware ESXi and ESX unauthorized file access through vCenter Server and ESX
Workaround: A workaround is provided in VMware Knowledge Base article 2066856*...
* http://kb.vmware.com/kb/2066856

- http://www.securityt....com/id/1029529
CVE Reference: https://web.nvd.nist...d=CVE-2013-5973
Dec 23 2013
Impact: Disclosure of system information, Disclosure of user information, Modification of system information, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): ESX/ESXi 4.0, 4.1, ESXi 5.0, 5.1, 5.5
Solution:   The vendor has issued a fix.
ESXi 5.5: ESXi550-201312101-SG
ESXi 5.1: ESXi510-201310101-SG
ESXi 5.0: ESXi500-201310101-SG
ESXi 4.1: ESXi410-201312401-SG
ESXi 4.0: ESXi400-201310401-SG
ESX 4.1: ESX410-201312401-SG
ESX 4.0: ESX400-201310401-SG
The vendor's advisory is available at:
- http://www.vmware.co...-2013-0016.html
 

:ph34r: :ph34r:


Edited by AplusWebMaster, 23 December 2013 - 12:43 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#108 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 17 January 2014 - 07:21 AM

FYI...

VMSA-2014-0001 - VMware Workstation, Player, Fusion, ESXi, ESX and vCloud Director
- http://www.vmware.co...-2014-0001.html
2014-01-16
CVE numbers: CVE-2014-1207, CVE-2014-1208, CVE-2014-1211
Summary: VMware Workstation, Player, Fusion, ESXi, ESX and vCloud Director address several security issues.
Relevant releases:
VMware Workstation 9.x prior to version 9.0
VMware Player 5.x prior to version 5.0
VMware Fusion 5.x prior to version 5.0
VMware ESXi 5.1 without patch ESXi510-201401101
VMware ESXi 5.0 without patch ESXi500-201310101
VMware ESXi 4.1 without patch ESXi410-201312401
VMware ESXi 4.0 without patch ESXi400-201310401
VMware ESX 4.1 without patch ESX410-201312401
VMware ESX 4.0 without patch ESX400-201310401
vCloud Director 5.1.x prior to version 5.1.3 ...
 

:!:


.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#109 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 12 March 2014 - 09:22 AM

FYI...

VMSA-2014-0002 - VMware vSphere updates - third party libraries
- http://www.vmware.co...-2014-0002.html
2014-03-11 - "Summary: VMware has updated vSphere third party libraries... The NTP daemon has a DDoS vulnerability in the handling of the "monlist" command. An attacker may send a forged request to a vulnerable NTP server resulting in an amplified response to the intended target of the DDoS attack... Mitigation for this issue is documented in VMware Knowledge Base article 2070193*...
* http://kb.vmware.com/kb/2070193

vCenter Server 5.5 - Release Notes:
- https://www.vmware.c...ease-notes.html

ESXi 5.5
- http://kb.vmware.com/kb/2065826
___

- https://secunia.com/advisories/57388/
Release Date: 2014-03-12
Criticality: Highly Critical
Where: From remote
Impact: Manipulation of data, Exposure of sensitive information, DoS, System access...

- https://secunia.com/advisories/57393/
Release Date: 2014-03-12
Criticality: Highly Critical
Where: From remote
Impact: Manipulation of data, Exposure of sensitive information, DoS, System access...
 

:ph34r:


Edited by AplusWebMaster, 12 March 2014 - 10:12 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#110 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 11 April 2014 - 06:45 AM

FYI...

VMSA-2014-0003 - VMware vSphere Client updates address security vulns
- http://www.vmware.co...-2014-0003.html
2014-04-10
Synopsis: VMware vSphere Client updates address security vulnerabilities
CVE numbers: CVE-2014-1209, CVE-2014-1210
Summary: VMware vSphere Client updates address security vulnerabilities
Relevant Releases: vSphere Client 5.1, 5.0, 4.1, 4.0
Problem Description: vSphere Client Insecure Client Download
vSphere Client contains a vulnerability in accepting an updated vSphere Client file from an untrusted source. The vulnerability may allow a host to direct vSphere Client to download and execute an arbitrary file from any URI. This issue can be exploited if the host has been compromised or if a user has been tricked into clicking a malicious link... table lists the action required to remediate the vulnerability in each release, if a solution is available...
(More detail available at the vmware URL above.)
___

- http://www.securityt....com/id/1030055
CVE Reference: CVE-2014-1209, CVE-2014-1210
Apr 11 2014
Impact: Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): vSphere Client 4.0, 4.1, 5.0, 5.1 ...
Solution: The vendor has issued a fix (5.0 Update 3, 5.1 Update 2; For versions 4.x, use vSphere Client 4.0 or 4.1 from ESX/EXSi)...
The vendor's advisory is available at:
- http://www.vmware.co...-2014-0003.html
 

:ph34r: :ph34r:


Edited by AplusWebMaster, 12 April 2014 - 08:04 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#111 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 14 April 2014 - 11:59 AM

FYI...

VMSA-2014-0004.6 - VMware product updates address OpenSSL security vulnerabilities
- http://www.vmware.co...-2014-0004.html
Updated on: 2014-04-20
... Change Log:
2014-04-14 VMSA-2014-0004
Initial security advisory in conjunction with the release of Horizon Workspace Server 1.8 and 1.5 updates on 2014-04-14
2014-04-15 VMSA-2014-0004.1
Updated security advisory in conjunction with the release of Horizon Mirage Edge Gateway 4.4.2 patch on 2014-04-15
2014-04-16 VMSA-2014-0004.2
Updated security advisory in conjunction with the release of vCloud Networking and Security 5.5.2 and 5.1.4 on 2014-04-16
2014-04-17 VMSA-2014-0004.3
Updated security advisory in conjunction with the release of Workstation 10.0.2, Fusion 6.0.3, Player 6.0.2 and Horizon Workspace Client 1.8.1 on 2014-04-17
2014-04-18 VMSA-2014-0004.4
Updated security advisory in conjunction with the release of NSX 6.0.4 for vSphere, Horizon View 5.3 Feature Pack 2 and Horizon View Clients 2.3.3 on 2014-04-18
2014-04-19 VMSA-2014-0004.5
Updated security advisory in conjunction with the release of vCenter Server 5.5.0c, vCenter Server 5.5 Update 1a, ESXi 5.5, Horizon Workspace Server 1.8.1, NSX for Multi-Hypervisor 4.0.2 and 4.1.1, NSX 3.2.2, OVF Tool 3.5.1, vCloud Automation Center (vCAC) 6.0.1, vSphere Big Data Extensions 1.1 and Client Integration Plug-In 5.5 on 2014-04-19
2014-04-20 VMSA-2014-0004.6
Updated security advisory in conjunction with the release of vCloud Director 5.5.1.1 on 2014-04-20

- https://web.nvd.nist...d=CVE-2014-0076 - 4.3
- https://web.nvd.nist...d=CVE-2014-0160 - 5.0
___

VMware OpenSSL TLS/DTLS Heartbeat Vulnerabilities - Multiple Products ...
- https://secunia.com/advisories/57770/
Last Update:  2014-04-21
Criticality: Moderately Critical
Where: From remote
Impact: Exposure of sensitive information ...
Original Advisory:
 -http://kb.vmware.com...ernalId=2076225
Purpose: The VMware Security Engineering, Communications, and Response group (vSECR) is investigating the OpenSSL issue dubbed "Heartbleed" (CVE-2014-0160).
This article reflects the status of the ongoing investigation.
Resolution: The following is a response to the current situation with the software security vulnerability dubbed Heartbleed:
The VMware Security and Engineering teams are working on remediation for the VMware products that have been impacted. VMware is acutely aware of the seriousness of the Heartbleed vulnerability, and all available resources are being directed toward a resolution amidst this industry-wide situation. VMware plans to release updated products and patches for all affected products in this article by April 19th. Please check this article for any updates or exceptions to this timeframe. See the lists below for affected products, and refer to the Resolution/mitigation section for steps to protect your systems while updates are being prepared...

 

- http://blog.socialca...-cve-2014-0160/
Apr 9, 2014
 

:ph34r: :ph34r:


Edited by AplusWebMaster, 21 April 2014 - 07:45 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#112 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 30 May 2014 - 05:10 AM

FYI...

VMSA-2014-0005 - VMware Workstation, Player, Fusion, and ESXi patches
- http://www.vmware.co...-2014-0005.html
2014-05-29
Synopsis: VMware Workstation, Player, Fusion, and ESXi patches address a guest privilege escalation
CVE numbers: CVE-2014-3793
Relevant Releases:
VMware Workstation 10.x prior to version 10.0.2
VMware Player 6.x prior to version 6.0.2
VMware Fusion 6.x prior to version 6.0.3
ESXi 5.5 without patch ESXi550-201403102-SG
ESXi 5.1 without patch ESXi510-201404102-SG
ESXi 5.0 without patch ESXi500-201405102-SG
Problem Description:
Guest privilege escalation in VMware Tools: A kernel NULL dereference vulnerability was found in VMware Tools running on Microsoft Windows 8.1. Successful exploitation of this issue could lead to an escalation of privilege in the guest operating system...

- http://www.securityt....com/id/1030310
CVE Reference: CVE-2014-3793
May 30 2014
Impact:   User access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): Workstation 10.x prior to 10.0.2, Player 6.x prior to 6.0.2, Fusion 6.x prior to 6.0.3
Solution: The vendor has issued a fix (Workstation 10.0.2; Player 6.0.2; Fusion 6.0.3)...

- http://www.securityt....com/id/1030311
CVE Reference: CVE-2014-3793
May 30 2014
Impact:   User access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): ESXi 5.0, 5.1, 5.5
Solution: The vendor has issued a fix.
ESXi 5.0: ESXi500-201405102-SG
ESXi 5.1: ESXi510-201404102-SG
ESXi 5.5: ESXi550-201403102-SG ...
 

:ph34r:


.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#113 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 11 June 2014 - 12:45 PM

FYI...

VMSA-2014-0006 - VMware updates - OpenSSL security vulns
- http://www.vmware.co...-2014-0006.html
2014-06-10
CVE numbers: CVE-2014-0224, CVE-2014-0198, CVE-2010-5298, and CVE-2014-3470
Relevant Releases: ESXi 5.5 prior to ESXi550-201406401-SG
Change Log: 2014-06-10 VMSA-2014-0006 - Initial security advisory in conjunction with the release of ESXi 5.5 updates on 2014-06-10
Download: https://www.vmware.c...download.portal
Release Notes and Remediation Instructions:
- http://kb.vmware.com/kb/2077359
 

:ph34r: :ph34r:


.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#114 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 16 June 2014 - 03:42 AM

FYI...

VMSA-2014-0006.1 - VMware product updates address OpenSSL security vulns
- http://www.vmware.co...-2014-0006.html
Updated on: 2014-06-12
CVE numbers: CVE-2014-0224, CVE-2014-0198, CVE-2010-5298, and CVE-2014-3470
Relevant Releases:
Big Data Extensions prior to 2.0.0
ESXi 5.5 prior to ESXi550-201406401-SG
Horizon Mirage Edge Gateway prior to 4.4.3
vCD prior to 5.5.1.2
vCenter prior to 5.5u1b
vCSA prior to 5.5u1b
Update Manager prior to 5.5u1b
Change Log: 2014-06-12 VMSA-2014-0006.1
Updated security advisory in conjunction with the release of Big Data Extensions 2.0.0, Horizon Mirage Edge Gateway 4.4.3, vCD 5.5.1.2, vCenter Server 5.5u1b, vCSA 5.5u1b, and Update Manager 5.5u1b on 2014-06-12..
More at: http://www.vmware.co...-2014-0006.html
 

:ph34r:


.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#115 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 19 June 2014 - 03:31 AM

FYI...

VMSA-2014-0006.2 - VMware product updates address OpenSSL security vulnerabilities
- http://www.vmware.co...-2014-0006.html
Updated on: 2014-06-17
CVE numbers: CVE-2014-0224, CVE-2014-0198, CVE-2010-5298, and CVE-2014-3470
Relevant Releases:
Big Data Extensions prior to 2.0.0
ESXi 5.5 without patch ESXi550-201406401-SG
ESXi 5.1 without patch ESXi510-201406401-SG
Horizon Mirage Edge Gateway prior to 4.4.3
vCD prior to 5.5.1.2
vCenter prior to 5.5u1b
vCSA prior to 5.5u1b
Update Manager prior to 5.5u1b
VDDK prior to 5.0.4
VDDK prior to 5.1.3
VDDK prior to 5.5.2 ...
 

:ph34r: :ph34r:


.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#116 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 25 June 2014 - 03:09 AM

FYI...

VMSA-2014-0007 - VMware product updates - Apache Struts library
- http://www.vmware.co...-2014-0007.html
2014-06-24
CVE numbers:
- https://web.nvd.nist...d=CVE-2014-0050 - 5.0
- https://web.nvd.nist...d=CVE-2014-0094 - 5.0
- https://web.nvd.nist...d=CVE-2014-0112 - 7.5 (HIGH)
Relevant releases: VMware vCenter Operations Management Suite prior to 5.8.2
Problem Description: The Apache Struts library is updated to version 2.3.16.2 to address multiple security issues.
Solution: Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.
vCenter Operations Management Suite 5.8.2 / Downloads and Documentation:
- https://www.vmware.c.../download-vcops
Change log: 2014-06-24 VMSA-2014-0007 Initial security advisory in conjunction with the release of vCenter Operations Management Suite 5.8.2 on 2014-06-24...
 

:ph34r:


Edited by AplusWebMaster, 25 June 2014 - 12:54 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#117 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 10 September 2014 - 01:26 PM

FYI...

VMSA-2014-0008 - VMware vSphere product updates to 3rd party libraries
- http://www.vmware.co...-2014-0008.html
Sep 9, 2014
Summary: VMware has updated vSphere third party libraries
- Relevant releases:
VMware vCenter Server 5.5 prior to Update 2
VMware vCenter Update Manager 5.5 prior to Update 2
VMware ESXi 5.5 without patch ESXi550-201409101-SG
Problem Description:
a. vCenter Server Apache Struts Update
b. vCenter Server tc-server 2.9.5 / Apache Tomcat 7.0.52 updates
c. Update to ESXi glibc package
d. vCenter and Update Manager, Oracle JRE 1.7 Update 55
Change log:
VMSA-2014-0008 Initial security advisory in conjunction with the release of vSphere 5.5 Update 2 on 2014-09-09...
 

:ph34r:


.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#118 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 12 September 2014 - 04:37 AM

FYI...

VMSA-2014-0009 - VMware NSX and vCNS product updates ...
- http://www.vmware.co...-2014-0009.html
2014-09-11
Summary: VMware NSX and vCloud Networking and Security (vCNS) product updates address a vulnerability that could lead to critical information disclosure.
Relevant releases:
NSX 6.0 prior to 6.0.6
vCNS 5.5 prior to 5.5.3
vCNS 5.1.4 prior to 5.1.4.2
Problem Description:
a. VMware NSX and vCNS information disclosure vulnerability
VMware NSX and vCNS contain an input validation vulnerability. This issue may allow for critical information disclosure...
- https://web.nvd.nist...d=CVE-2014-3796 - 5.0

- http://www.securityt....com/id/1030835
CVE Reference: CVE-2014-3796
Sep 11 2014
Impact: Disclosure of system information, Disclosure of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): vCNS 5.1.4 prior to 5.1.4.2, 5.5 prior to 5.5.3 ...
Solution: The vendor has issued a fix (5.1.4.2, 5.5.3)...
 

:ph34r:


Edited by AplusWebMaster, 18 September 2014 - 09:48 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#119 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 01 October 2014 - 04:17 AM

FYI...

VMSA-2014-0010.13 - VMware product updates address critical Bash security vulns
- http://www.vmware.co...-2014-0010.html
Updated on: 2014-10-17
CVE numbers: CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187
Summary: VMware product updates address Bash security vulnerabilities.
Problem Description:
a. Bash update for multiple products: Bash libraries have been updated in multiple products to resolve multiple critical security issues, also referred to as Shellshock...
I) ESXi and ESX Hypervisor: ESXi is not affected because ESXi uses the Ash shell (through busybox), which is not affected by the vulnerability reported for the Bash shell. ESX has an affected version of the Bash shell.
II) Windows-based products: Windows-based products, including all versions of vCenter Server running on Windows, are not affected.
III) VMware (virtual) appliances: VMware (virtual) appliances ship with an affected version of Bash.
See table 2 for remediation for appliances.
IV) Products that run on Linux, Android, OSX or iOS (excluding virtual appliances)
Products that run on Linux, Android, OSX or iOS (excluding virtual appliances) might use the Bash shell that is part of the operating system. If the operating system has a vulnerable version of Bash, the Bash security vulnerability might be exploited through the product. VMware recommends that customers contact their operating system vendor for a patch.
MITIGATIONS: VMware encourages restricting access to appliances through firewall rules and other network layer controls to only trusted IP addresses. This measure will greatly reduce any risk to these appliances...
References: http://kb.vmware.com/kb/2090740
09/26/2014 - Added Virtual Appliance info
09/27/2014 - Updated list of affected virtual appliances, affected ESXi and ESX versions, affected services, and added guidance
09/29/2014 - Added new CVEs and updated affected products and services; updated AirWatch MDM Cloud Services info
09/30/2014 - Added patch information
10/01/2014 - Added patch information
10/03/2014 - Added patch information

10/04/2014 - Added patch information

10/05/2014 - Added patch information

10/06/2014 - Added patch information

10/07/2014 - Added patch information
(More detail at the vmware URLs above.)
VMSA-2014-0010.13
Updated on: 2014-10-17
Change Logs:

2014-09-30 VMSA-2014-0010: Initial security advisory in conjunction with the release of vCenter Log Insight 2.0 U1 on 2014-09-30.
2014-10-01 VMSA-2014-0010.1: Updated advisory in conjunction with the release of ESX 4.x patches, vCenter Server Appliance 5.5 U2a, 5.1 U2b, and 5.0 U3b, vCloud Director Appliance 5.5.1.3, VMware Data Recovery 2.0.4, VMware Mirage Gateway 5.1.1 and vSphere Storage Appliance 5.5.2 on 2014-10-01. Added CVE-2014-6277 and CVE-2014-6278 as they have been confirmed to be mitigated.
2014-10-01 VMSA-2014-0010.2: Updated advisory in conjunction with the release of Horizon Workspace patches, IT Business Management Suite 1.1.0 and 1.0.1, vCenter Operations Manager patches, vCenter Site Recovery Manager 5.5.1.3 and 5.1.2.2, vCloud Application Director patches, vCloud Automation Center patches, vCloud Automation Center Application Services patches, vCloud Director Appliance 5.5.1.3, vFabric Postgres 9.3.5.1, 9.2.9.1, and 9.1.14.1, vSphere Replication 5.8.0.1, 5.5.1.3, and 5.1.2.2 on 2014-10-01.
2014-10-02 VMSA-2014-0010.3: Updated advisory in conjunction with the release of vCenter Hyperic Server 5.8.3, 5.7.2, and 5.0.3, vCenter Infrastructure Navigator 5.8.3, 5.7.1, and 2.0.1, vCenter Orchestrator Appliance patches, vCenter Support Assistant patches, vSphere App HA 1.1.1, vSphere Management Assistant 5.5 EP1 and 5.0 EP1, and vSphere Storage Appliance patches on 2014-10-02
2014-10-02 VMSA-2014-0010.4: Updated advisory in conjunction with the release of Horizon DaaS Platform 6.1.1, 6.0.2, and 5.4.3, vCenter Orchestrator Appliance 5.5.2.1, vCloud Connector 2.6.1, vCloud Usage Meter 3.3.2, and vSphere Replication 5.6.0.2 on 2014-10-02.
2014-10-03 VMSA-2014-0010.5: Updated advisory in conjunction with the release of vCloud Networking and Security 5.5.3.1 and 5.1.4.3 on 2014-10-03.
2014-10-04 VMSA-2014-0010.6: Updated advisory in conjunction with the release of NSX for Multi-Hypervisor 4.2.1, 4.1.4, and 4.0.5, NSX for vSphere 6.1.1 and 6.0.7, NVP 3.2.4, and vSphere Big Data Extensions 2.x patch on 2014-10-04.
2014-10-05 VMSA-2014-0010.7: Updated advisory in conjunction with the release of View Planner 3.0.1.1, and vSphere Data Protection 5.x patch on 2014-10-05.
2014-10-06 VMSA-2014-0010.8: Updated advisory in conjunction with the release of vCenter Hyperic Server 5.8.2 SP3, 5.8.1 SP3, 5.8.0 SP2, 5.7.1 SP1, and 5.0.2 SP1, vCenter Log Insight 1.5.0U1, View Planner Flexible 3.0.1.1, VMware Application Dependency Planner 2.0.0.1, VMware HealthAnalyzer 5.0.3.1, and vSphere App HA 1.1.0 patch on 2014-10-06.
2014-10-07 VMSA-2014-0010.9: Updated advisory in conjunction with the release of vCenter Operations Manager patches, VMware Socialcast On Premise 2-116-1 and 2-112-1, and vSphere Data Protection patches on 2014-10-07.
2014-10-08 VMSA-2014-0010.10: Updated advisory in conjunction with the release of vCenter Operations Manager patches on 2014-10-08.
2014-10-09 VMSA-2014-0010.11: Updated advisory in conjunction with the release of vCenter Converter Standalone 5.5.3 and 5.1.2, and vCenter Log Insight 2.0.5 on 2014-10-09.
2014-10-13 VMSA-2014-0010.12: Updated advisory in conjunction with the release of VMware Studio 2.x patch on 2014-10-13.
2014-10-17 VMSA-2014-0010.13: Updated advisory in conjunction with the release of vCenter Application Discovery Manager 7.0 patch, vSphere Management Assistant 5.1.0.2, and VMware Workbench 3.0.2 on 2014-10-17.

 

- http://www.securityt....com/id/1030943
CVE Reference: CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187

Updated: Oct 14 2014
Impact: Execution of arbitrary code via local system, Execution of arbitrary code via network, User access via local system, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes ...
... vulnerability is being actively exploited...
... advisory is available at: http://www.vmware.co...-2014-0010.html
... archive entry is a follow-up to: http://www.securityt....com/id/1030890
 

:ph34r: :ph34r:


Edited by AplusWebMaster, 18 October 2014 - 10:25 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#120 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 23 October 2014 - 10:08 AM

FYI...

VMSA-2014-0011 - VMware vSphere Data Protection - critical update
- http://www.vmware.co...-2014-0011.html
2014-10-22
Summary: VMware vSphere Data Protection product update addresses a critical information disclosure vulnerability.
Relevant releases: VMware vSphere Data Protection 5.5 prior to 5.5.7
Solution: Please review the patch/release notes for your product and version...
- https://cve.mitre.or...e=CVE-2014-4624
Downloads:
- https://my.vmware.co...roup=VDPADV55_7
Documentation:
- https://www.vmware.c...leasenotes.html
___

- http://www.securityt....com/id/1031114
CVE Reference: http://cve.mitre.org...e=CVE-2014-4624
Oct 23 2014
Impact: Disclosure of authentication information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): vSphere Data Protection 5.5.x prior to 5.5.7 ...
Impact: A remote user can obtain passwords.
Solution: The vendor has issued a fix (5.5.7)...
 

:ph34r: :ph34r:


Edited by AplusWebMaster, 25 October 2014 - 04:47 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#121 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 05 December 2014 - 05:59 AM

FYI...

VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities
- http://www.vmware.co...-2014-0012.html
2014-12-04
CVE numbers: CVE-2014-3797, CVE-2014-8371, CVE-2013-2877, CVE-2014-0191, CVE-2014-0015, CVE-2014-0138, CVE-2013-1752 and CVE-2013-4238
Summary: VMware vSphere product updates address a Cross Site Scripting issue, a certificate validation issue and security vulnerabilities in third-party libraries.
Relevant releases:
VMware vCenter Server Appliance 5.1 Prior to Update 3
VMware vCenter Server 5.5 prior to Update 2
VMware vCenter Server 5.1 prior to Update 3
VMware vCenter Server 5.0 prior to Update 3c
VMware ESXi 5.1 without patch ESXi510-201412101-SG ...

- http://www.securityt....com/id/1031302
CVE-2014-3797
Dec 5 2014
Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): vCSA 5.1 ...
Solution: The vendor has issued a fix (5.1 Update 3)...

- http://www.securityt....com/id/1031303
CVE Reference: CVE-2014-8371
Dec 5 2014
Impact:   Disclosure of system information, Modification of system information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): vCenter Server 5.0, 5.1, 5.5 ...
Solution: The vendor has issued a fix (5.0 Update 3c, 5.1 Update 3, 5.5 Update 2)...
 

:ph34r:


.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#122 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 09 December 2014 - 08:08 PM

FYI...

VMSA-2014-0013 - VMware vCloud Automation Center product updates address a critical remote privilege escalation vulnerability
- http://www.vmware.co...-2014-0013.html
2014-12-09
CVE numbers: http://cve.mitre.org...e=CVE-2014-8373
Summary: VMware vCloud Automation Center (vCAC) product updates address a critical vulnerability in the vCAC VMware Remote Console (VMRC) function which could lead to a remote privilege escalation.
2. Relevant releases: vCloud Automation Center 6.x without patch
3. Problem Description:
a. VMware vCloud Automation Center remote privilege escalation
VMware vCloud Automation Center has a remote privilege escalation vulnerability. This issue may allow an authenticated vCAC user to obtain administrative access to vCenter Server.
This issue is present in environments that use the "Connect (by) Using VMRC" function in vCAC to connect directly to vCenter Server. Environments that exclusively use vCloud Director (vCD) as a proxy to connect to vCenter Server are not affected.
At this time the issue is remediated by removing the "Connect (by) Using VMRC" functionality for directly connecting to vCenter Server. Deploying the provided patch will remove this functionality.
VMware is working on a secure solution that will restore this functionality. Customers may continue to use the "Connect (by) Using RDP" or "Connect (by) Using SSH" options for remote desktop management as they are not affected by this issue...
4. Solution: Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.
vCloud Automation Center 6.x
Downloads and Documentation:
- http://kb.vmware.com/kb/2097932..."
 

:ph34r:


.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#123 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 11 December 2014 - 05:44 AM

FYI...

VMSA-2014-0014 - AirWatch by VMware product update addresses information disclosure vulnerabilities
- http://www.vmware.co...-2014-0014.html
2014-12-10
CVE numbers: https://cve.mitre.or...e=CVE-2014-8372
Summary: AirWatch by VMware product update addresses information disclosure vulnerabilities
Relevant releases: AirWatch by VMware on-premise 7.3.x.x prior to 7.3.3.0 (FP3)
Problem Description: AirWatch by VMware has direct object reference vulnerabilities. These issues may allow a user that manages an AirWatch deployment in a multi-tenant environment to view the organizational information and statistics of another tenant. AirWatch Cloud has been patched to resolve this issue, On-Premise deployments must be updated. See solution section for details...
To perform a self-upgrade, please email support@air-watch.com to request the install files. (Please note that only requests submitted by your company’s AirWatch Administrator(s) will be accepted)...

- http://www.securityt....com/id/1031342
CVE Reference: https://cve.mitre.or...e=CVE-2014-8372
Dec 11 2014
Impact: Disclosure of system information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 7.3.x.x prior to 7.3.3.0 (FP3) ...
Solution: The vendor has issued a fix (7.3.3.0 (FP3))...
 

:ph34r: :ph34r:


.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#124 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 28 January 2015 - 04:20 AM

FYI...

VMSA-2015-0001 VMware vCenter Server, ESXi, Workstation, Player, Fusion security issue updates
- http://www.vmware.co...-2015-0001.html
2015-01-27
CVE numbers: CVE-2014-8370, CVE-2015-1043, CVE-2015-1044
--- OPENSSL---
CVE-2014-3513, CVE-2014-3567,CVE-2014-3566, CVE-2014-3568
 --- libxml2 ---
CVE-2014-3660
Summary: VMware vCenter Server, ESXi, Workstation, Player and Fusion address several security issues.
Relevant Releases:
VMware Workstation 10.x prior to version 10.0.5
VMware Player 6.x prior to version 6.0.5
VMware Fusion 7.x prior to version 7.0.1
VMware Fusion 6.x prior to version 6.0.5
vCenter Server 5.5 prior to Update 2d
ESXi 5.5 without patch ESXi550-201403102-SG, ESXi550-201501101-SG
ESXi 5.1 without patch ESXi510-201404101-SG
ESXi 5.0 without patch ESXi500-201405101-SG
Problem Description:
VMware ESXi, Workstation, Player, and Fusion host privilege escalation vulnerability
VMware ESXi, Workstation, Player and Fusion contain an arbitrary file write issue. Exploitation this issue may allow for privilege escalation on the host.
The vulnerability does not allow for privilege escalation from the guest Operating System to the host or vice-versa. This means that host memory can not be manipulated from the Guest Operating
System...
Solution: Please review the patch/release notes for your product and version
and verify the checksum of your downloaded file...

VMSA-2014-0012.1 - VMware vSphere product updates address security vulnerabilities
- http://www.vmware.co...-2014-0012.html
Updated on: 2015-01-27
CVE numbers: CVE-2014-3797, CVE-2014-8371, CVE-2013-2877, CVE-2014-0191, CVE-2014-0015, CVE-2014-0138, CVE-2013-1752 and CVE-2013-4238
Summary: VMware vSphere product updates address a Cross Site Scripting issue, a certificate validation issue and security vulnerabilities in third-party libraries...
 

:ph34r: :ph34r:


.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#125 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 30 January 2015 - 05:33 AM

FYI...

VMSA-2015-0002 - VMware vSphere Data Protection product update
- certificate validation vulnerability

- http://www.vmware.co...-2015-0002.html
2015-01-29
CVE-2014-4632
Summary: VMware vSphere Data Protection product update addresses a certificate validation vulnerability.
Relevant releases:
VMware vSphere Data Protection 5.8
VMware vSphere Data Protection 5.5 prior to 5.5.9
VMware vSphere Data Protection 5.1 all versions
Problem Description:
VMware vSphere Data Protection certificate validation vulnerability. VMware vSphere Data Protection (VDP) does not fully validate SSL certificates coming from vCenter Server. This issue may allow a Man-in-the-Middle attack that enables the attacker to perform unauthorized backup and restore operations...
Downloads:
5.8.1: https://my.vmware.co...adGroup=VDP58_1
5.5.9: https://my.vmware.co...adGroup=VDP55_9
___

- http://www.securityt....com/id/1031664
CVE Reference: https://cve.mitre.or...e=CVE-2014-4632
Jan 30 2015
Impact: Disclosure of system information, Modification of system information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): vSphere Data Protection 5.1, 5.5.x prior to 5.5.9, 5.8 ...
Solution: The vendor has issued a fix (VDP 5.5.9, 5.8.1)...
___

VMSA-2015-0001.1 - VMware vCenter Server, ESXi, Workstation, Player, and Fusion updates address security issues
- http://www.vmware.co...-2015-0001.html
Updated on: 2015-02-26
Summary: VMware vCenter Server, ESXi, Workstation, Player and Fusion address several security issues.
Solution: Please review the patch/release notes for your product and version
and verify the checksum of your downloaded file...
 

:ph34r:


Edited by AplusWebMaster, 24 March 2015 - 03:40 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#126 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 03 April 2015 - 10:45 AM

FYI...

VMSA-2015-0003 - Critical information disclosure issue in JRE
- https://www.vmware.c...-2015-0003.html
2015-04-02
Relevant Releases:
Horizon View 6.x or 5.x
Horizon Workspace Portal Server  2.1 or 2.0
vCenter Operations Manager 5.8.x or 5.7.x
vCloud Automation Center 6.0.1
vSphere Replication prior to 5.8.0.2 or 5.6.0.3
vRealize Automation 6.2.x or 6.1.x
vRealize Code Stream 1.1 or 1.0
vRealize Hyperic 5.8.x, 5.7.x or 5.0.x
vSphere AppHA Prior to 1.1.x
vRealize Business Standard prior to 1.1.x or 1.0.x
NSX for Multi-Hypervisor  prior to 4.2.4    
vRealize Configuration Manager 5.7.x or 5.6.x
vRealize Infrastructure 5.8, 5.7
Problem Description:
a. Oracle JRE Update:
Oracle JRE is updated in VMware products to address a critical security issue that existed in earlier releases of Oracle JRE.
VMware products running JRE 1.7 Update 75 or newer and JRE 1.6 Update 91 or newer are not vulnerable to CVE-2014-6593, as documented in the Oracle Java SE Critical Patch Update Advisory of January 2015.
This advisory also includes the other security issues that are addressed in JRE 1.7 Update 75 and JRE 1.6 Update 91...
References: https://web.nvd.nist...d=CVE-2014-6593 - 4.0
Oracle Java SE Critical Patch Update Advisory of January 2015
- http://www.oracle.co...ml#AppendixJAVA

- https://secunia.com/advisories/62858/
 

:ph34r: :ph34r:


Edited by AplusWebMaster, 05 April 2015 - 06:50 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#127 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 09 June 2015 - 08:24 PM

FYI...

VMSA-2015-0004 - VMware Workstation, Fusion / Horizon View Client updates...
- https://www.vmware.c...-2015-0004.html
2015-06-09
CVE numbers: CVE-2012-0897, CVE-2015-2336, CVE-2015-2337, CVE-2015-2338, CVE-2015-2339, CVE-2015-2340, CVE-2015-2341
Summary: VMware Workstation, Fusion and Horizon View Client updates address critical security issues.
Relevant Releases:
VMware Workstation prior to version 11.1.1
VMware Workstation prior to version 10.0.6
VMware Player prior to version 7.1.1
VMware Player prior to version 6.0.6
VMware Fusion prior to version 7.0.1
VMware Fusion prior to version 6.0.6
VMware Horizon Client for Windows prior to version 3.4.0
VMware Horizon Client for Windows prior to version 3.2.1
VMware Horizon Client for Windows (with local mode) prior to version 5.4.1
Problem Description:
a. VMware Workstation and Horizon Client memory manipulation issues
VMware Workstation and Horizon Client TPView.ddl and TPInt.dll incorrectly handle memory allocation. On Workstation, this may allow a guest to execute code or perform a Denial of Service on the Windows OS that runs Workstation. In the case of a Horizon Client, this may allow a View desktop to execute code or perform a Denial of Service on the Windows OS that runs the Horizon Client...
b. VMware Workstation, Player, and Fusion Denial of Service vulnerability
VMware Workstation, Player, and Fusion contain an input validation issue on an RPC command. This issue may allow for a Denial of Service of the Guest Operating System (32-bit) or a Denial of Service of the Host Operating System (64-bit)...
___

- http://www.securityt....com/id/1032529
CVE Reference: CVE-2012-0897, CVE-2015-2336, CVE-2015-2337, CVE-2015-2338, CVE-2015-2339, CVE-2015-2340

Jun 9 2015
Impact: Denial of service via local system, User access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): Horizon Client for Windows prior to versions 3.2.1, 3.4.0, and (with local mode) 5.4.1...
Solution: The vendor has issued a fix (Horizon Client for Windows 3.2.1, 3.4.0, 5.4.2).

- http://www.securityt....com/id/1032530
CVE Reference: CVE-2012-0897, CVE-2015-2336, CVE-2015-2337, CVE-2015-2338, CVE-2015-2339, CVE-2015-2340, CVE-2015-2341
Jun 9 2015
Impact: Denial of service via local system, User access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): Workstation prior to versions 10.0.6, 11.1.1; Player prior to versions 6.0.6, 7.1.1; Fusion prior to versions 6.0.6, 7.0.1...
Solution: The vendor has issued a fix (Workstation 10.0.6, 11.1.1; Player 6.0.6, 7.1.1; Fusion 6.0.6, 7.0.1).
 

:ph34r: :ph34r:


Edited by AplusWebMaster, 10 June 2015 - 08:08 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#128 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 10 July 2015 - 04:49 AM

FYI...

VMSA-2015-0005 - VMware Workstation, Player and Horizon View Client for Windows
- https://www.vmware.c...-2015-0005.html
2015-07-09
CVE number: CVE-2015-3650
Summary: VMware Workstation, Player and Horizon View Client for Windows updates address a host privilege escalation vulnerability.
Relevant Releases:
VMware Workstation for Windows 11.x prior to version 11.1.1
VMware Workstation for Windows 10.x prior to version 10.0.7
VMware Player for Windows 7.x prior to version 7.1.1
VMware Player for Windows 6.x prior to version 6.0.7
VMware Horizon Client for Windows (with Local Mode Option) prior to version 5.4.2
Problem Description:
a. VMware Workstation, Player and Horizon View Client for Windows host privilege escalation vulnerability.
VMware Workstation, Player and Horizon View Client for Windows do not set a discretionary access control list (DACL) for one of their processes. This may allow a local attacker to elevate their privileges and execute code in the security context of the affected process.
Solution: Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.
VMware Workstation: https://www.vmware.c...loadworkstation
VMware Player: https://www.vmware.c.../downloadplayer
VMware Horizon Clients: https://www.vmware.com/go/viewclients
___

- http://www.securityt....com/id/1032822
CVE Reference: CVE-2015-3650
Jul 10 2015
Impact: Root access via local system, User access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): Horizon Client for Windows (with Local Mode Option) prior to 5.4.2 ...
Solution: The vendor has issued a fix (5.4.2)...

- http://www.securityt....com/id/1032823
CVE Reference: CVE-2015-3650
Jul 10 2015
Impact: Root access via local system, User access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  
Solution: The vendor has issued a fix (Workstation 10.0.7, 11.1.1; Player 6.0.7, 7.1.1)...
 

:ph34r:


.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#129 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 17 September 2015 - 05:50 AM

FYI...

VMSA-2015-0006 - VMware vCenter Server updates address a LDAP certificate validation issue
- https://www.vmware.c...-2015-0006.html
2015-09-16
1. Summary
VMware vCenter Server updates address a LDAP certificate validation issue.
2. Relevant Releases
VMware vCenter Server prior to version 6.0 update 1
VMware vCenter Server prior to version 5.5 update 3
3. Problem Description
VMware vCenter Server LDAP certificate validation vulnerability.
VMware vCenter Server does not validate the certificate when binding to an LDAP server using TLS. Exploitation of this vulnerability may allow an attacker that is able to intercept traffic between vCenter Server and the LDAP server to capture sensitive information.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2015-6932 to this issue...

VMware Security Advisories
- http://kb.vmware.com/kb/2078735
___

- http://www.securityt....com/id/1033582
CVE Reference: CVE-2015-6932
Sep 16 2015
Impact: Disclosure of system information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): Server; 5.5.x prior to 5.5 update 3, 6.0.x prior to 6.0 update 1...
Solution: The vendor has issued a fix (5.5 u3, 6.0 u1).
 

:ph34r: :ph34r:


.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#130 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 01 October 2015 - 12:03 PM

FYI...

VMSA-2015-0007.2 - VMware vCenter and ESXi updates address critical security issues
- https://www.vmware.c...-2015-0007.html
2015-10-20 VMSA-2015-0007.2
Updated security advisory to reflect that CVE-2015-2342 is fixed in an earlier vCenter Server version (6.0.0b) than originally reported (6.0 U1) and that the port required to exploit the vulnerability is blocked in the appliance versions of the software (5.1 and above).
Change log: 2015-10-06 VMSA-2015-0007.1
"Updated security advisory in conjunction with the release of ESXi 5.5 U3a on 2015-10-06. Added a note to section 3.a to alert customers to a non-security issue in ESXi 5.5 U3 that is addressed in ESXi 5.5 U3a."
1. Summary:
VMware vCenter and ESXi updates address critical security issues.
2. Relevant Releases:
VMware ESXi 5.5 without patch ESXi550-201509101
VMware ESXi 5.1 without patch ESXi510-201510101
VMware ESXi 5.0 without patch ESXi500-201510101
VMware vCenter Server 6.0 prior to version 6.0 update 1
VMware vCenter Server 5.5 prior to version 5.5 update 3
VMware vCenter Server 5.1 prior to version 5.1 update u3b
VMware vCenter Server 5.0 prior to version 5.u update u3e
3. Problem Description:
a. VMware ESXi OpenSLP Remote Code Execution:
VMware ESXi contains a double free flaw in OpenSLP's SLPDProcessMessage() function. Exploitation of this issue may allow an unauthenticated attacker to execute code remotely on the ESXi host...
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2015-5177 to this issue...
b. VMware vCenter Server JMX RMI Remote Code Execution:
VMware vCenter Server contains a remotely accessible JMX RMI service that is not securely configured. An unauthenticated remote attacker that is able to connect to the service may be able use it to execute arbitrary code on the vCenter server...
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2015-2342 to this issue...
c. VMware vCenter Server vpxd denial-of-service vulnerability
VMware vCenter Server does not properly sanitize long heartbeat messages. Exploitation of this issue may allow an unauthenticated attacker to create a denial-of-service condition in the vpxd service...
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2015-1047 to this issue...
4. Solution:
Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.
vCenter Server - Downloads and Documentation:
- https://www.vmware.c...ownload-vsphere
ESXi - Downloads:
- https://www.vmware.c...indPatch.portal
Documentation:
- http://kb.vmware.com/kb/2110247
- http://kb.vmware.com/kb/2114875
- http://kb.vmware.com/kb/2120209
5. References:
- http://cve.mitre.org...e=CVE-2015-5177
- http://cve.mitre.org...e=CVE-2015-2342
- http://cve.mitre.org...e=CVE-2015-1047
___

- http://www.securityt....com/id/1033719
CVE Reference: CVE-2015-5177
Oct 1 2015
Impact: Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): ESXi 5.0, 5.1, 5...
Solution:   The vendor has issued a fix.
5.5: ESXi550-201509101
5.1: ESXi510-201510101
5.0: ESXi500-201510101 ...

- http://www.securityt....com/id/1033720
CVE Reference: CVE-2015-1047, CVE-2015-2342
Updated: Oct 2 2015
Impact: Denial of service via network, Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 5.0 prior to 5.u update u3e, 5.1 prior to 5.1 update u3b, 5.5 prior to 5.5 update 3, 6.0 prior to 6.0 update 1 ...
Solution: The vendor has issued a fix (5.0u3e, 5.1u3b, 5.5u3)...
 

:ph34r: :ph34r:


Edited by AplusWebMaster, 21 October 2015 - 08:12 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#131 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 03 December 2015 - 10:25 AM

FYI...

VMSA-2015-0008 - VMware product updates address information disclosure issue
- https://www.vmware.c...-2015-0008.html
2015-11-18
Synopsis: VMware product updates address information disclosure issue.
CVE numbers: https://web.nvd.nist...d=CVE-2015-3269
Summary: VMware product updates address information disclosure issue.
Relevant Releases:
VMware vCenter Server 5.5 prior to version 5.5 update 3
VMware vCenter Server 5.1 prior to version 5.1 update u3b
VMware vCenter Server 5.0 prior to version 5.0 update u3e
vCloud Director 5.6 prior to version 5.6.4
vCloud Director 5.5 prior to version 5.5.3
VMware Horizon View 6.0 prior to version 6.1
VMware Horizon View 5.0 prior to version 5.3.4
Problem Description:
vCenter Server, vCloud Director, Horizon View information disclosure issue
VMware products that use Flex BlazeDS may be affected by a flaw in the processing of XML External Entity (XXE) requests. A specially crafted XML request sent to the server could lead to unintended information be disclosed...
vCenter Server Downloads and Documentation:
- https://www.vmware.c...ownload-vsphere
vCloud Director For Service Providers Downloads and Documentation:
- https://www.vmware.c...s/vcd_pubs.html
Horizon View 6.1, 5.3.4: Downloads:
- https://my.vmware.co...A&productId=492
- https://my.vmware.co...R&productId=396
___

VMware Tools 10.0.0 Released
- https://blogs.vmware...0-released.html
Sep 10, 2015
 

:ph34r: :ph34r:


.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#132 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 19 December 2015 - 06:31 AM

FYI...

VMSA-2015-0009 - VMware product updates address a critical deserialization vuln
- https://www.vmware.c...-2015-0009.html
2015-12-18
1. Summary: VMware product updates address a critical deserialization vulnerability
2. Relevant Releases:
vRealize Orchestrator 6.x
vCenter Orchestrator 5.x
3. Problem Description: Deserialization vulnerability
A deserialization vulnerability involving Apache Commons-collections and a specially constructed chain of classes exists. Successful exploitation could result in remote code execution, with the permissions of the application using the Commons-collections library. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2015-6934 to this issue...
4. Solution: Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.
vRealize Orchestrator 6.x and vCenter Orchestrator 5.x
Downloads and Documentation:
- http://kb.vmware.com/kb/2141244
5. References:
- http://cve.mitre.org...e=CVE-2015-6934
6. Change log:
2015-12-18 VMSA-2015-0009 Initial security advisory in conjunction with the release of vRealize Orchestrator 6.x and vCenter Orchestrator 5.x patches on 2015-12-18...
 

:ph34r:


.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#133 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 08 January 2016 - 05:26 AM

FYI...

VMSA-2016-0001 - VMware ESXi, Fusion, Player, and Workstation updates
- https://www.vmware.c...-2016-0001.html
2016-01-07
Summary: VMware ESXi, Fusion, Player, and Workstation updates address important guest privilege escalation vulnerability
Relevant Releases:
VMware ESXi 6.0 without patch ESXi600-201512102-SG
VMware ESXi 5.5 without patch ESXi550-201512102-SG
VMware ESXi 5.1 without patch ESXi510-201510102-SG
VMware ESXi 5.0 without patch ESXi500-201510102-SG
VMware Workstation prior to 11.1.2
VMware Player prior to 7.1.2
VMware Fusion prior to 7.1.2
Problem Description: Important Windows-based guest privilege escalation in VMware Tools:
A kernel memory corruption vulnerability is present in the VMware Tools "Shared Folders" (HGFS) feature running on Microsoft Windows. Successful exploitation of this issue could lead to an escalation of privilege in the guest operating system...
Workarounds:
Removing the "Shared Folders" (HGFS) feature from previously installed VMware Tools will remove the possibility of exploitation...
Solution: Please review the patch/release notes for your product and version and verify the checksum of your downloaded file...
Downloads: https://www.vmware.c...indPatch.portal
Documentation: http://kb.vmware.com/kb/2135123...
___

- http://www.securityt....com/id/1034603
CVE Reference: CVE-2015-6933
Jan 7 2016
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 5.0, 5.1, 5.5, 6.0 ...
Impact: A local user on the guest system can gain elevated privileges on the guest system.
Solution: The vendor has issued a fix...

- http://www.securityt....com/id/1034604
CVE Reference: CVE-2015-6933
Jan 7 2016
Impact: A local user on the guest system can gain elevated privileges on the guest system.
Solution: The vendor has issued a fix (Workstation 11.1.2, Player 7.1.2, Fusion 7.1.2).
VMware Tools must always be updated on affected guests...
 

:ph34r:


.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#134 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 13 February 2016 - 06:53 AM

FYI...

VMSA-2015-0007.3 - VMware vCenter and ESXi updates address critical security issues
- https://www.vmware.c...-2015-0007.html
Updated on: 2016-02-12
CVE numbers: CVE-2015-5177 CVE-2015-2342 CVE-2015-1047
Summary: VMware vCenter and ESXi updates address -critical- security issues...
NOTE: See section 3.b for a critical update on an incomplete fix for the JMX RMI issue.  
Relevant Releases:
VMware ESXi 5.5 without patch ESXi550-201509101-SG
VMware ESXi 5.1 without patch ESXi510-201510101-SG
VMware ESXi 5.0 without patch ESXi500-201510101-SG
VMware vCenter Server 6.0 prior to version 6.0.0b
VMware vCenter Server 5.5 prior to version 5.5 update 3
VMware vCenter Server 5.1 prior to version 5.1 update u3b
VMware vCenter Server 5.0 prior to version 5.0 update u3e
Problem Description:
a. VMware ESXi OpenSLP Remote Code Execution...
b. VMware vCenter Server JMX RMI Remote Code Execution
VMware vCenter Server contains a remotely accessible JMX RMI service that is not securely configured. An unauthenticated remote attacker who is able to connect to the service may be able to use it to execute arbitrary code on the vCenter Server. A local attacker may be able to elevate their privileges on vCenter Server.
vCenter Server Appliance (vCSA) 5.1, 5.5 and 6.0 has remote access to the JMX RMI service (port 9875) blocked by default.
CRITICAL UPDATE:
VMSA-2015-0007.2 and earlier versions of this advisory documented that CVE-2015-2342 was addressed in vCenter Server 5.0 U3e, 5.1 U3b, and 5.5 U3. Subsequently, it was found that the fix for CVE-2015-2342 in vCenter Server 5.0 U3e, 5.1 U3b, and 5.5 U3/U3a/U3b running on Windows was incomplete and did not address the issue.
In order to address the issue on these versions of vCenter Server Windows, an additional patch must be installed. This additional patch is available from VMware Knowledge Base (KB) article 2144428* ...
* http://kb.vmware.com/kb/2144428
(More detail at the wmware URL at the top ot this post.)
___

- https://isc.sans.edu...l?storyid=20727
2016-02-13
 

:ph34r: :ph34r:


.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#135 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 22 February 2016 - 12:13 PM

FYI...

VMSA-2016-0002 - VMware product updates address a critical glibc security vuln
- https://www.vmware.c...-2016-0002.html
2016-02-22
Summary: VMware product updates address a critical glibc security vulnerability
Relevant Releases: (Affected products that have remediation available)
ESXi 5.5 without patch ESXi550-201602401-SG
VMware virtual appliances
Problem Description:
    a. glibc update for multiple products.
The glibc library has been updated in multiple products to resolve a stack buffer overflow present in the glibc getaddrinfo function.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2015-7547.
VMware products have been grouped into the following four categories:
I) ESXi and ESX Hypervisor:
      Versions of ESXi and ESX prior to 5.5 are not affected because
      they do not ship with a vulnerable version of glibc.
      ESXi 5.5 and ESXi 6.0 ship with a vulnerable version of glibc and
      are affected.
      See table 1 for remediation for ESXi 5.5 and ESXi 6.0.
II) Windows-based products:
      Windows-based products, including all versions of vCenter Server
      running on Windows, are not affected.
III) VMware virtual appliances:
      VMware virtual appliances ship with a vulnerable version of glibc
      and are affected.
      See table 2 for remediation for appliances.
IV) Products that run on Linux:
      VMware products that run on Linux (excluding virtual appliances)
      might use a vulnerable version of glibc as part of the base operating
      system. If the operating system has a vulnerable version of glibc,
      VMware recommends that customers contact their operating system
      vendor for resolution.
WORKAROUND:Workarounds are available for several virtual appliances. These are
      documented in VMware KB article 2144032:
- https://kb.vmware.co...ernalId=2144032
RECOMMENDATIONS:
      VMware recommends customers evaluate and deploy patches for affected products in Table 1 and 2 below as these patches become available. In case patches are not available, customers are advised to deploy the workaround...
Solution:
   ESXi Downloads:
  https://www.vmware.c...indPatch.portal
  Documentation:
  http://kb.vmware.com/kb/2144357 
  VMware virtual appliances
  -------------------------------------
  Refer to VMware KB article 2144032
References
   VMware Knowledge Base article 2144032
   http://kb.vmware.com/kb/2144032
Change Log
   2016-02-22 VMSA-2016-0002
   Initial security advisory in conjunction with the release of ESXi 5.5
   patches and patches for virtual appliances as documented in VMware
   Knowledge Base article 2144032 on 2016-02-22.
> https://kb.vmware.co...ernalId=2144032
___

 

- https://www.us-cert....c-Vulnerability
Feb 17, 2016

 

> https://web.nvd.nist...d=CVE-2015-75478.1 High
Last revised: 02/19/2016
 

:ph34r: :ph34r:


Edited by AplusWebMaster, 23 February 2016 - 07:37 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#136 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 16 March 2016 - 08:58 AM

FYI...

VMSA-2016-0003: VMware vRealize Automation and vRealize Business Advanced and Enterprise address Cross-Site Scripting (XSS) issues
- https://www.vmware.c...-2016-0003.html
2016-03-15
CVE numbers: CVE-2015-2344, CVE-2016-2075
Summary: VMware vRealize Automation and vRealize Business Advanced and Enterprise address Cross-Site Scripting (XSS) issues.
Relevant Releases: VMware vRealize Automation 6.x prior to 6.2.4
VMware vRealize Business Advanced and Enterprise 8.x prior to 8.2.5
Problem Description: ... VMware vRealize Automation contains a vulnerability that may allow for a Stored Cross-Site Scripting (XSS) attack. Exploitation of this issue may lead to the compromise of a vRA user's client workstation...
Solution: Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.
VMware vRealize Automation 6.2.4
Downloads and Documentation:
- https://my.vmware.co..._automation/6_2
VMware vRealize Business Advanced and Enterprise 8.2.5
Downloads and Documentation:
- https://my.vmware.co...ze_business/8_2
___

- http://www.securityt....com/id/1035270
CVE Reference: CVE-2015-2344, CVE-2016-2075
Mar 15 2016
Fix Available:  Yes  Vendor Confirmed:  Yes
Impact: A remote user can access the target user's cookies (including authentication cookies), if any, associated with the target user's client workstation, access data recently submitted by the target user via web form to the system, or take actions on the system acting as the target user.
Solution: The vendor has issued a fix (vRealize Automation 6.2.4 for Linux; vRealize Business Advanced and Enterprise 8.2.5 for Linux)...
___

- https://www.us-cert....urity-Updates-0
March 16, 2016
 

:ph34r: :ph34r:


Edited by AplusWebMaster, 16 March 2016 - 02:42 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#137 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 14 April 2016 - 07:05 PM

FYI...

VMSA-2016-0004 - VMware product updates address a critical security issue - Plugin
- https://www.vmware.c...-2016-0004.html
2016-04-14
Synopsis: VMware product updates address a critical security issue in the VMware Client Integration Plugin
CVE numbers: CVE-2016-2076
Summary: VMware vCenter Server, vCloud Director (vCD), vRealize Automation (vRA) Identity Appliance, and the Client Integration Plugin (CIP) updates address a critical security issue.
Relevant Releases: vCenter Server 6.0, vCenter Server 5.5 U3a, U3b, U3c, vCloud Director 5.5.5, vRealize Automation Identity Appliance 6.2.4
Problem Description:
a. Critical VMware Client Integration Plugin incorrect session handling
The VMware Client Integration Plugin does not handle session content in a safe way. This may allow for a Man in the Middle attack or Web session hijacking in case the user of the vSphere Web Client visits a malicious Web site.
  The vulnerability is present in versions of CIP that shipped with:
   - vCenter Server 6.0 (any 6.0 version up to 6.0 U2)
   - vCenter Server 5.5 U3a, U3b, U3c
   - vCloud Director 5.5.5
   - vRealize Automation Identity Appliance 6.2.4
  In order to remediate the issue, both the server side (i.e. vCenter Server, vCloud Director, and vRealize Automation Identity Appliance) and the client side (i.e. CIP of the vSphere Web Client) will need to be updated.
  The steps to remediate the issue are as follows:
   A) Install an updated version of:
       - vCenter Server
       - vCloud Director
       - vRealize Automation Identity Appliance
   b ) After step A), update the Client Integration Plugin on the system from which the vSphere Web Client is used.
 Updating the plugin on vSphere and vRA Identity Appliance is explained in VMware Knowledge Base article 2145066.
 Updating the plugin on vCloud Director is initiated by a prompt when connecting the vSphere Web Client to the updated version of vCloud Director.
   The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2016-2076 to this issue.
Solution: Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.
 vCenter Server
   Downloads and Documentation:
- https://www.vmware.c...ownload-vsphere
- http://pubs.vmware.c...ease-notes.html
 vCloud Director 5.5.6
   Downloads and Documentation:
- https://www.vmware.c...vcloud-director
- http://pubs.vmware.c...rector_556.html
 VMware vRealize Automation 6.2.4.1
Downloads and Doumentation:
- https://my.vmware.co..._automation/6_2
  (select "Go to Downloads" and scroll down to "Security Update")
- http://pubs.vmware.c...ease-notes.html
5. References
- http://cve.mitre.org...e=CVE-2016-2076
VMware Knowledge Base article 2145066
- https://kb.vmware.com/kb/2145066
___

- https://www.us-cert....ecurity-Updates
April 14, 2016
 

:ph34r: :ph34r:


Edited by AplusWebMaster, 15 April 2016 - 04:49 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#138 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 18 May 2016 - 07:19 AM

FYI...

VMSA-2016-0005 - updates address critical and important security issues
- https://www.vmware.c...-2016-0005.html
2016-05-17
Relevant Releases
   vCenter Server 6.0 prior to 6.0 U2
   vCenter Server 5.5 prior to 5.5 U3d (on Windows), 5.5 U3 (VCSA)
   vCenter Server 5.1 prior to 5.1 U3b
   vCenter Server 5.0 prior to 5.0 U3e
   vCloud Director prior to 8.0.1.1
   vCloud Director prior to 5.6.5.1
   vCloud Director prior to 5.5.6.1
   vSphere Replication prior to 6.0.0.3
   vSphere Replication prior to 5.8.1.2
   vSphere Replication prior to 5.6.0.6
   vRealize Operations Manager 6.x (non-appliance version)
   VMware Workstation prior to 11.1.3
   VMware Player prior to 7.1.3
Problem Description:
a. Critical JMX issue when deserializing authentication credentials:
The RMI server of Oracle JRE JMX deserializes any class when deserializing authentication credentials. This may allow a remote, unauthenticated attacker to cause deserialization flaws and execute their commands.
Workarounds CVE-2016-3427:
vCenter Server:
Apply the steps of VMware Knowledge Base article 2145343 to vCenterServer 6.0 on Windows. See the table below for the specific vCenter Server 6.0 versions on Windows this applies to.
vCloud Director: No workaround identified
vSphere Replication: No workaround identified
vRealize Operations Manager (non-appliance):
The non-appliance version of vRealize Operations Manager (vROps), which can be installed on Windows and Linux has no default firewall. In order to remove the remote exploitation possibility, access to the following external ports will need to be blocked on the system where the non-appliance version of vROps is installed:
      - vROps 6.2.x: port 9004, 9005, 9006, 9007, 9008
      - vROps 6.1.x: port 9004, 9005, 9007, 9008
      - vROps 6.0.x: port 9004, 9005
Note: These ports are already blocked by default in the appliance version of vROps.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2016-3427 to this issue...
b. Important VMware Workstation and Player for Windows host privilege escalation vulnerability.
VMware Workstation and Player for Windows do not properly reference one of their executables. This may allow a local attacker on the host to elevate their privileges...
Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.
vCenter Server:
Downloads and Documentation: https://www.vmware.c...ownload-vsphere
vCloud Director:
Downloads and Documentation: https://www.vmware.c...vcloud-director
vSphere Replication:
Downloads and Documentation:
- https://my.vmware.co...oadGroup=VR6003
- https://my.vmware.co...oadGroup=VR5812
- https://my.vmware.co...oadGroup=VR5606
- https://www.vmware.c...ation-pubs.html
VMware Workstation:
Downloads and Documentation: https://www.vmware.c...loadworkstation
VMware Player:
Downloads and Documentation: https://www.vmware.c.../downloadplayer
___

> https://isc.sans.edu...l?storyid=21071
2016-05-17 - "... Not all products are affected and not all affected products already has a patch. If there is not a patch, there is a workaround..."

> http://www.securityt....com/id/1035900
CVE Reference: https://web.nvd.nist...d=CVE-2016-2077
May 17 2016
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): Workstation prior to 11.1.3, Player prior to 7.1.3
Description: A vulnerability was reported in VMware Workstation and Player for Windows. A local user on the host system can gain elevated privileges on the host system.
The system does not properly reference an executable. A local user on the host system can gain elevated privileges on the host system...
Impact: A local user on the host system can gain elevated privileges on the host system.
Solution: The vendor has issued a fix (Workstation 11.1.3, Player 7.1.3)...
 

:ph34r: :ph34r:


Edited by AplusWebMaster, 18 May 2016 - 11:03 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#139 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 25 May 2016 - 04:20 AM

FYI...

VMSA-2016-0006 - VMware vCenter Server updates - important cross-site scripting issue
- https://www.vmware.c...-2016-0006.html
2016-05-24
Summary: VMware vCenter Server updates address an important cross-site scripting issue.
Relevant Releases
vCenter Server 6.0 prior to 6.0 update 2
vCenter Server 5.5 prior to 5.5 update 3d
vCenter Server 5.1 prior to 5.1 update 3d
Problem Description
a. Reflected cross-site scripting issue through flash parameter injection. The vSphere Web Client contains a reflected cross-site scripting vulnerability that occurs through flash parameter injection. An attacker can exploit this issue by tricking a victim into clicking a malicious link.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2016-2078 to this issue...
Solution: Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.
vCenter Server: Downloads and Documentation:
- https://www.vmware.c...ownload-vsphere
Consolidated list of VMware Security Advisories
- http://kb.vmware.com/kb/2078735
___

- http://www.securityt....com/id/1035961
CVE Reference: https://cve.mitre.or...e=CVE-2016-2078
May 25 2016
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 5.1.x prior to 5.1 update 3d, 5.5.x prior to 5.5 update 3d, 6.0.x prior to 6.0 update 2
Description: A vulnerability was reported in VMware vCenter Server. A remote user can conduct cross-site scripting attacks...
Impact: A remote user can access the target user's cookies (including authentication cookies), if any, associated with the VMware vCenter interface, access data recently submitted by the target user via web form to the interface, or take actions on the interface acting as the target user.
Solution: The vendor has issued a fix (5.1 U3d, 5.5 U3d, 6.0 U2)...
___

Updated:

VMSA-2015-0007.5 - VMware vCenter and ESXi updates address critical security issues
- https://www.vmware.c...-2015-0007.html
Updated on: 2016-05-24
Change log: 2016-05-24 VMSA-2015-0007.5
Updated security advisory to add that vCenter Server 5.1 U3d running on Windows addresses CVE-2105-2342 without the need to install the additional patch.

VMSA-2016-0005.1 - VMware product updates address critical and important security issues
- https://www.vmware.c...-2016-0005.html
Updated on: 2016-05-24
Change log: 2016-05-24 VMSA-2016-0005.1
Updated security advisory in conjunction with the release of vSphere 5.1 U3d on 2016-05-24. vCenter Server 5.1 U3d running on Windows addresses CVE-2016-3427 without the need to install the additional patch.
 

:ph34r: :ph34r:


Edited by AplusWebMaster, 26 May 2016 - 06:51 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#140 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 02 June 2016 - 01:53 PM

FYI...

See: http://www.spywarein...-2016/?p=798168
Microsoft 'Convenience Update' and VMware VMXNet3 Incompatibilities
 

:ph34r: :ph34r:


.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#141 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 10 June 2016 - 05:42 AM

FYI...

VMSA-2016-0007 - VMware NSX and vCNS product updates address a critical information disclosure vuln
- https://www.vmware.c...-2016-0007.html
2016-06-09
Summary: VMware NSX and vCNS product updates address a critical information    
disclosure vulnerability.
Relevant Releases:
NSX 6.2 prior to 6.2.3  
NSX 6.1 prior to 6.1.7      
vCNS 5.5.4 prior to 5.5.4.3
Problem Description:
a. VMware NSX and vCNS critical information disclosure vulnerability VMware NSX and vCNS with SSL-VPN enabled contain a critical input validation vulnerability.
This issue may allow a remote attacker to gain access to sensitive information.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2016-2079 to this issue...
Solution: Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.
VMware NSX Downloads:
- https://www.vmware.c...oad-nsx-vsphere
Documentation:    
- https://www.vmware.c...s/nsx_pubs.html
vCNS Downloads:    
- https://www.vmware.c...download-vcd-ns
Documentation:    
- https://www.vmware.c...hield_pubs.html

- http://www.securityt....com/id/1036077
CVE Reference: CVE-2016-2079
Jun 10 2016
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 5.5.4.x prior to 5.5.4.3 ...
Impact: A remote user can obtain potentially sensitive information on the target system.
Solution: The vendor has issued a fix (5.5.4.3)...
___

VMSA-2016-0008 - VMware vRealize Log Insight addresses important and moderate security issues
- https://www.vmware.c...-2016-0008.html
2016-06-09
Summary: VMware vRealize Log Insight addresses important and moderate security issues.
Relevant Releases: VMware vRealize Log Insight prior to 3.3.2
Problem Description:
a. Important stored cross-site scripting issue in VMware vRealize Log Insight
VMware vRealize Log Insight contains a vulnerability that may allow for a stored cross-site scripting attack. Exploitation of this issue may lead to the hijack of an authenticated user's session...
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2016-2081 to this issue...
Solution: Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.
VMware vRealize Log Insight 3.3.2
Downloads and Documentation: Download VMware vRealize Log Insight
References: CVE-2016-2081, CVE-2016-2082
> https://my.vmware.co...=573&rPId=11613

- http://www.securityt....com/id/1036078
CVE Reference: CVE-2016-2081, CVE-2016-2082
Jun 10 2016
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): vRealize Log Insight 2.x and 3.x prior to 3.3.2 ...
Impact: A remote user can take actions on the target system acting as the target authenticated user.
A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the VMware vRealize software, access data recently submitted by the target authenticated user via web form to the site, or take actions on the site acting as the target user.
Solution: The vendor has issued a fix (3.3.2)...
 

:ph34r: :ph34r:


Edited by AplusWebMaster, 10 June 2016 - 06:18 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#142 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 15 June 2016 - 05:31 AM

FYI...

VMSA-2016-0009 - VMware vCenter Server updates - reflective cross-site scripting issue
- https://www.vmware.c...-2016-0009.html
2016-06-14
Summary: VMware vCenter Server updates address an important refelctive cross-site scripting issue.
Relevant Releases:
   vCenter Server 5.5 prior to 5.5 update 2d
   vCenter Server 5.1 prior to 5.1 update 3d
   vCenter Server 5.0 prior to 5.0 update 3g
Problem Description:
 Important vCenter Server reflected cross-site scripting issue
   The vSphere Web Client contains a reflected cross-site scripting
   vulnerability due to a lack of input sanitization. An attacker can
   exploit this issue by tricking a victim into clicking a malicious
   link...
   The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2015-6931 to this issue...
Solution: Please review the patch/release notes for your product and version and verify the checksum of your downloaded file...
Downloads and Documentation:
- https://www.vmware.c...ownload-vsphere

- http://www.securityt....com/id/1036112
CVE Reference: CVE-2015-6931
Jun 15 2016
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 5.0 prior to 5.0 update 3g, 5.1 prior to 5.1 update 3d, 5.5 prior to 5.5 update 2d ...
Impact: A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the VMware vCenter Server software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution: The vendor has issued a fix (5.0 U3g, 5.1 U3d, 5.5 U2d)...
___

- https://www.us-cert....ecurity-Updates
June 15, 2016
 

:ph34r: :ph34r:


Edited by AplusWebMaster, 15 June 2016 - 01:46 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#143 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 05 August 2016 - 06:49 AM

FYI...

VMSA-2016-0010 - VMware product updates address multiple important security issues
- https://www.vmware.c...-2016-0010.html
Aug 4, 2016
Summary: VMware product updates address a DLL hijacking issue in Windows-based VMware Tools and an HTTP Header injection issue in vCenter Server and ESXi.
Relevant Products:
    VMware vCenter Server
    VMware vSphere Hypervisor (ESXi)
    VMware Workstation Pro
    VMware Workstation Player
    VMware Fusion
    VMware Tools
Problem Description:
a. DLL hijacking issue in Windows-based VMware Tools
b. HTTP Header injection issue in vCenter Server and ESXi
Solution: Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.
vCenter Server: Downloads and Documentation:  
- https://www.vmware.c...ownload-vsphere
ESXi 6.0: Downloads:
- https://www.vmware.c...indPatch.portal
Documentation:
- http://kb.vmware.com/kb/2142192- (CVE-2016-5331)
- http://kb.vmware.com/kb/2142193- (CVE-2016-5330)
ESXi 5.5: Downloads:  
- https://www.vmware.c...indPatch.portal
Documentation: http://kb.vmware.com/kb/2144370
ESXi 5.1: Downloads:
- https://www.vmware.c...indPatch.portal
Documentation: http://kb.vmware.com/kb/2141434
ESXi 5.0: Downloads: https://www.vmware.c...indPatch.portal
Documentation: http://kb.vmware.com/kb/2144027
VMware Workstation Pro 12.1.1: Downloads and Documentation:
- https://www.vmware.c...dworkstationpro
VMware Workstation Player 12.1.1: Downloads and Documentation:  
- https://www.vmware.c.../downloadplayer
VMware Fusion 8.1.1: Downloads and Documentation:
- https://www.vmware.c.../downloadfusion
VMware Tools 10.0.6: Downloads:
- https://my.vmware.co...6&productId=491
Documentation: http://pubs.vmware.c...ease-notes.html
References:
- http://cve.mitre.org...e=CVE-2016-5330
- http://cve.mitre.org...e=CVE-2016-5331
___

- http://www.securityt....com/id/1036543
CVE Reference: CVE-2016-5331
Aug 5 2016

- http://www.securityt....com/id/1036544
CVE Reference: CVE-2016-5330, CVE-2016-5331
Aug 5 2016

- http://www.securityt....com/id/1036545
CVE Reference: CVE-2016-5330, CVE-2016-5331
Aug 5 2016
___

- https://www.us-cert....curity-Update-0
Aug 05, 2016
 

:ph34r: :ph34r:


Edited by AplusWebMaster, 05 August 2016 - 02:57 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#144 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 13 August 2016 - 03:22 AM

FYI...

VMSA-2016-0011 - vRealize Log Insight update addresses directory traversal vuln
- https://www.vmware.c...-2016-0011.html
Aug 12, 2016
CVE numbers: CVE-2016-5332
Summary: vRealize Log Insight update addresses directory traversal vulnerability.
Relevant Products: vRealize Log Insight
Problem Description: vRealize Log Insight contains a vulnerability that may allow for a directory traversal attack. Exploitation of this issue may lead to a partial information disclosure. There are no known workarounds for this issue...
Solution: Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.
vRealize Log Insight 3.6.0
Downloads and Documentation:
- https://my.vmware.co...=598&rPId=12336
___

- http://www.securityt....com/id/1036619
CVE Reference: CVE-2016-5330, CVE-2016-5332
Aug 12 2016
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 2.x, 3.x ...
Impact: A remote user can view files on the target system.
Solution: The vendor has issued a fix (3.6.0)...
 

:ph34r:


Edited by AplusWebMaster, 13 August 2016 - 03:57 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#145 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 16 August 2016 - 06:04 AM

FYI...

VMSA-2016-0012 - VMware Photon OS OVA default public ssh key
- https://www.vmware.c...-2016-0012.html
2016-08-15
1. Summary: VMware Photon OS OVA contains a default public ssh key.
2. Relevant Products:
    VMware Photon OS OVA 1.0
3. Problem Description
a. VMware Photon OS OVA default public ssh key  
A public ssh key used in the Photon OS build environment was inadvertently left in the original Photon OS 1.0 OVAs. This issue would have allowed anyone with the corresponding private key to access any Photon OS system built from the original 1.0 OVAs.
The issue was discovered internally and the original OVAs have been replaced by updated OVAs. All instances of the corresponding private key have been deleted within VMware.    
Customers that have downloaded a Photon OS 1.0 OVA before August 14, 2016 should review the Photon OS OVAs release notes for the workaround or should download a new OVA and replace all existing instances with new instances built from the updated Photon OS 1.0 OVAs. These release notes also document a test for when an OVA is affected.
This issue is only present in the original Photon OS 1.0 OVAs and is not present in other Photon OS deliverables...
References: CVE-2016-5332
Photon OS OVA Release Notes: https://github.com/v...er/CHANGELOG.md

- http://www.securityt....com/id/1036628
CVE Reference: CVE-2016-5333
Aug 16 2016
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): Photon OS ...
Impact: A remote user can gain access to the target system.
Solution: The vendor has replaced the original OVAs with updated OVAs that do not include the default public ssh key as of August 14, 2016...
 

:ph34r:


.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#146 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 24 August 2016 - 04:26 AM

FYI...

VMSA-2016-0013 - VMware Identity Manager and vRealize Automation updates address multiple security issues
- https://www.vmware.c...-2016-0013.html
2016-08-23
CVE numbers: CVE-2016-5335, CVE-2016-5336
1.Summary: VMware Identity Manager and vRealize Automation updates address multiple security issues
2. Relevant Products
    VMware Identity Manager
    vRealize Automation
3. Problem Description:
a. VMware Identity Manager local privilege escalation vulnerability  
VMware Identity Manager and vRealize Automation both contain a vulnerability that may allow for a local privilege escalation. Exploitation of this issue may lead to an attacker with access to a low-privileged account to escalate their privileges to that of root.  
The Common Vulnerabilities and Exposures project (cve.mitre.org) has reserved the identifier CVE-2016-5335 for this issue...
b. vRealize Automation remote code execution vulnerability      
vRealize Automation contains a vulnerability that may allow for remote code execution. Exploitation of this issue may lead to an attacker gaining access to a low-privileged account on the appliance.     
The Common Vulnerabilities and Exposures project (cve.mitre.org) has reserved the identifier CVE-2016-5336 for this issue...
4. Solution: Please review the patch/release notes for your product and version and verify the checksum of your downloaded file...
VMware Identity Manager 2.7...
vRealize Automation 7.1...
___

- http://www.securityt....com/id/1036685
CVE Reference: CVE-2016-5335, CVE-2016-5336
Aug 24 2016
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 7.0.x ...
Impact: A local user can obtain root privileges on the target system.
A remote user can execute arbitrary code on the target system.
Solution: The vendor has issued a fix (7.1).
Also, a workaround for the remote code execution is described at:
- https://kb.vmware.com/kb/2146585
KB: 2146585 - Updated: Aug 23, 2016
____

VMSA-2015-0009.4 - VMware product updates address a critical deserialization vuln
- https://www.vmware.c...-2015-0009.html
Updated on: 2016-08-23
2016-08-23 VMSA-2015-0009.4 - "Updated security advisory to reflect that the appliance version of vRealize Operations 6.x -is- affected (earlier versions of this advisory said 'Not affected')..."
___

- https://www.us-cert....ecurity-Updates
Aug 24, 2016
 

:ph34r: :ph34r:


Edited by AplusWebMaster, 25 August 2016 - 05:09 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#147 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 14 September 2016 - 05:30 AM

FYI...

VMSA-2016-0014 - VMware ESXi, Workstation, Fusion, and Tools updates address multiple security issues
- https://www.vmware.c...-2016-0014.html
2016-09-13
CVE numbers: CVE-2016-7081, CVE-2016-7082, CVE-2016-7083, CVE-2016-7084, CVE-2016-7079, CVE-2016-7080, CVE-2016-7085, CVE-2016-7086
1. Summary: VMware ESXi, Workstation, Fusion, and Tools updates address multiple security issues
2. Relevant Products
- ESXi
- VMware Workstation Pro
- VMware Workstation Player
- VMware Fusion
- VMware Tools
3. Problem Description
a. VMware Workstation heap-based buffer overflow vulnerabilities via Cortado ThinPrint
VMware Workstation contains vulnerabilities that may allow a Windows-based Virtual Machine (VM) to trigger a heap-based buffer overflow. Exploitation of these issues may lead to arbitrary code execution in VMware Workstation running on Windows.
Exploitation is only possible if virtual printing has been enabled in VMware Workstation. This feature is not enabled by default. VMware Knowledge Base article 2146810* documents the procedure for enabling and disabling this feature...
* https://kb.vmware.co...ernalId=2146810
b. VMware Workstation memory corruption vulnerabilities via Cortado Thinprint      
VMware Workstation contains vulnerabilities that may allow a Windows-based virtual machine (VM) to corrupt memory. This includes improper handling of EMF files (CVE-2016-7082), TrueType fonts embedded in EMFSPOOL (CVE-2016-7083), and JPEG2000 images (CVE-2016-7084) in tpview.dll. Exploitation of these issues may lead to arbitrary code execution in VMware Workstation running on Windows.
Exploitation is only possible if virtual printing has been enabled in VMware Workstation. This feature is not enabled by default. VMware Knowledge Base article 2146810* documents the procedure for enabling and disabling this feature.
c. VMware Tools NULL pointer dereference vulnerabilities      
The graphic acceleration functions used in VMware Tools for OSX handle memory incorrectly. Two resulting NULL pointer dereference vulnerabilities may allow for local privilege escalation on Virtual Machines that run OSX.
The issues can be remediated by installing a fixed version of VMware Tools on affected OSX VMs directly. Alternatively the fixed version of Tools can be installed through ESXi or Fusion after first updating to a version of ESXi or Fusion that ships with a fixed version of VMware Tools...
d. VMware Workstation installer DLL hijacking issue      
Workstation installer contains a DLL hijacking issue that exists due to some DLL files loaded by the application improperly. This issue may allow an attacker to load a DLL file of the attacker's choosing that could execute arbitrary code...
4. Solution: Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.
VMware ESXi 6.0
Downloads: https://www.vmware.c...indPatch.portal
Documentation: https://kb.vmware.com/kb/2145816
VMware ESXi 5.5
Downloads: https://www.vmware.c...indPatch.portal
Documentation: https://kb.vmware.com/kb/2144370
VMware Workstation Pro 12.5.0
Downloads and Documentation: https://www.vmware.c...loadworkstation
VMware Workstation Player 12.5.0
Downloads and Documentation: https://www.vmware.c.../downloadplayer
VMware Fusion 8.5.0
Downloads and Documentation: https://www.vmware.c.../downloadfusion
VMware Tools 10.0.9
Downloads and Documentation: https://my.vmware.co...oup=VMTOOLS1009
___

- http://www.securityt....com/id/1036804
CVE Reference: CVE-2016-7079, CVE-2016-7080
Sep 14 2016
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): VMware Tools 9.x, 10.x; running on OS X guest virtual machines ...
Impact: A local user on an OS X guest system can obtain elevated privileges on the guest system.
Solution: The vendor has issued a fix (VMware Tools 10.0.9)...

- http://www.securityt....com/id/1036805
CVE Reference: CVE-2016-7081, CVE-2016-7082, CVE-2016-7083, CVE-2016-7084, CVE-2016-7085, CVE-2016-7086
Sep 14 2016
Fix Available:  Yes  Vendor Confirmed:  Yes  
Impact: A local user on the guest system can gain elevated privileges on the host system.
A local user on the host system can obtain elevated privileges on the host system.
Solution: The vendor has issued a fix (Workstation Pro 12.5.0, Player 12.5.0)...
___

- https://www.us-cert....ecurity-Updates
Sep 16, 2016
 

:ph34r: :ph34r:


Edited by AplusWebMaster, 16 September 2016 - 04:45 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#148 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 07 October 2016 - 04:09 AM

FYI...

VMSA-2016-0015 - VMware Horizon View updates address directory traversal vuln
- https://www.vmware.c...-2016-0015.html
2016-10-06
CVE-2016-7087
1. Summary: VMware Horizon View updates address directory traversal vulnerability.
2. Relevant Products: VMware Horizon View
3. Problem Description: VMware Horizon View updates address directory traversal vulnerability
VMware Horizon View contains a vulnerability that may allow for a directory traversal on the Horizon View Connection Server. Exploitation of this issue may lead to a partial information disclosure...
4. Solution: Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.
VMware Horizon View 7.0.1 / Downloads and Documentation:
- https://my.vmware.co...are_horizon/7_0
VMware Horizon View 6.2.3 / Downloads and Documentation:
- https://my.vmware.co...are_horizon/6_2
VMware Horizon View 5.3.7 / Downloads and Documentation:
- https://my.vmware.co...n_with_view/5_3
Change log:
2016-10-06 VMSA-2016-0015 Initial security advisory in conjunction with the release of VMware Horizon View 5.3.7 on 2016-10-06...
___

- http://www.securityt....com/id/1036972
CVE Reference: CVE-2016-7087
Oct 7 2016
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 5.x, 6.x, 7.x
Impact: A remote user can view potentially sensitive information on the target system.
Solution: The vendor has issued a fix (5.3.7, 6.2.3, 7.0.1)...
 

:ph34r: :ph34r:


.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#149 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 12 October 2016 - 06:01 AM

FYI...

VMSA-2016-0016 - vRealize Operations (vROps) updates address privilege escalation vuln
- https://www.vmware.c...-2016-0016.html
2016-10-11
Severity: Critical
1. Summary: vRealize Operations (vROps) updates address privilege escalation vulnerability.
2. Relevant Products: vRealize Operations (vROps)
3. Problem Description: vROps privilege escalation issue:
vROps contains a privilege escalation vulnerability. Exploitation of this issue may allow a vROps user who has been assigned a low-privileged role to gain full access over the application. In addition it may be possible to stop and delete Virtual Machines managed by vCenter...
4. Solution: Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.
vRealize Operations: Downloads and Documentation:
- https://my.vmware.co..._operations/6_3
5. References:
- http://cve.mitre.org...e=CVE-2016-7457
- https://kb.vmware.com/kb/2147215
- https://kb.vmware.com/kb/2147247
- https://kb.vmware.com/kb/2147246
- https://kb.vmware.com/kb/2147248
 

:ph34r: :ph34r:


.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#150 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 26 October 2016 - 04:58 AM

FYI...

VMSA-2016-0017 - VMware product updates address multiple information disclosure issues
- https://www.vmware.c...-2016-0017.html
2016-10-25
CVE numbers: CVE-2016-5328, CVE-2016-5329
1. Summary: VMware product updates address information disclosure issues in VMware Fusion and VMware Tools running on Mac OS X.
2. Relevant Products:
    VMware Fusion
    VMware Tools   
3. Problem Description:
a. VMware Tools Information disclosure issue in Mac OS X Virtual  Machines  
An information disclosure vulnerability is present in VMware Tools running on Mac OS X VMs. Successful exploitation of this issue may allow a privileged local user on a system where System Integrity Protection (SIP) is enabled, to obtain kernel memory addresses to bypass the kASLR protection mechanism. SIP is default enabled in the latest versions of Mac OS X. There are no known workarounds for this issue...
b. VMware Fusion Information disclosure:
An information disclosure vulnerability is present in VMware Fusion. Successful exploitation of this issue may allow a privileged local user on a system where System Integrity Protection (SIP) is enabled, to obtain kernel memory addresses to bypass the kASLR protection mechanism. SIP is default enabled in the latest versions of Mac OS X. There are no known workarounds for this issue...
4. Solution:
Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.
VMware Fusion 8.5  
Downloads and Documentation:
- https://www.vmware.c.../downloadfusion
VMware Tools 10.1.0
Downloads:
- https://my.vmware.co...0&productId=491
Documentation:
- http://pubs.vmware.c...ease-notes.html

- http://www.securityt....com/id/1037102
CVE Reference: CVE-2016-5328
Oct 26 2016
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): VMware Tools 9.x, 10.x; running on OS X guest virtual machines ...
Impact: A local user can bypass ASLR protections on the target system.
Solution: The vendor has issued a fix (VMware Tools 10.1.0)...

- http://www.securityt....com/id/1037103
CVE Reference: CVE-2016-5329
Oct 26 2016
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): Fusion 8.x ...
Impact: A local user can bypass ASLR protections on the target system.
Solution: The vendor has issued a fix (VMware Fusion 8.5)...
 

:ph34r:


Edited by AplusWebMaster, 26 October 2016 - 06:03 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.




Member of

Support SpywareInfo Forum - click the button
PayPal - The safer, easier way to pay online!