VMSA-2016-0006

VMware vCenter Server updates address an important cross-site scripting issue.

VMware Security Advisory
 
VMware Security Advisory Advisory ID:
  VMSA-2016-0006
VMware Security Advisory Synopsis:
  VMware vCenter Server updates address an important cross-site scripting issue
VMware Security Advisory Issue date:
  2016-05-24
VMware Security Advisory Updated on:
  2016-05-24
VMware Security Advisory CVE numbers:
  CVE-2016-2078
1. Summary

VMware vCenter Server updates address an important cross-site scripting issue.

2. Relevant Releases

vCenter Server 6.0 prior to 6.0 update 2

vCenter Server 5.5 prior to 5.5 update 3d

vCenter Server 5.1 prior to 5.1 update 3d

3. Problem Description

a. Reflected cross-site scripting issue through flash parameter injection     

 

The vSphere Web Client contains a reflected cross-site scripting vulnerability that occurs through flash parameter injection. An attacker can exploit this issue by tricking a victim into clicking a malicious link. VMware would like to thank John Page aka hyp3rlinx for reporting this issue to us.      

 

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2016-2078 to this issue.    

 

Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

 

VMware Product
Product Version
Running on
Replace with/ Apply Patch
VMware Product vCenter Server
Product Version 6.0
Running on Windows
Replace with/ Apply Patch 6.0 U2*
VMware Product vCenter Server
Product Version 6.0
Running on Linux
Replace with/ Apply Patch Not Affected
VMware Product vCenter Server
Product Version 5.5
Running on Windows
Replace with/ Apply Patch 5.5 U3d*
VMware Product vCenter Server
Product Version 5.5
Running on Linux
Replace with/ Apply Patch Not affected
VMware Product vCenter Server
Product Version 5.1
Running on Windows
Replace with/ Apply Patch 5.1 U3d*
VMware Product vCenter Server
Product Version 5.1
Running on Linux
Replace with/ Apply Patch Not Affected
VMware Product vCenter Server
Product Version 5.0
Running on Any
Replace with/ Apply Patch Not affected

*Client side component of the vSphere Web Client does not need to be updated to remediate CVE-2016-2078. Updating the vCenter Server is sufficient to remediate this issue.

4. Solution

Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.

 

vCenter Server

--------------
Downloads and Documentation:
https://www.vmware.com/go/download-vsphere

 

5. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2078

 

6. Change log

2016-05-24 VMSA-2016-0006
Initial security advisory in conjunction with the release of VMware vCenter Server 5.1 U3d on 2016-05-24.

 

7. Contact

 

E-mail list for product security notifications and announcements:

 

http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

 

This Security Advisory is posted to the following lists:

 

security-announce@lists.vmware.com

bugtraq@securityfocus.com

fulldisclosure@seclists.org

 

E-mail: security@vmware.com

PGP key at: https://kb.vmware.com/kb/1055

 

VMware Security Advisories

http://www.vmware.com/security/advisories

 

Consolidated list of VMware Security Advisories

http://kb.vmware.com/kb/2078735

 

VMware Security Response Policy

https://www.vmware.com/support/policies/security_response.html

 

VMware Lifecycle Support Phases

https://www.vmware.com/support/policies/lifecycle.html

 

Twitter

https://twitter.com/VMwareSRC

 

Copyright 2016 VMware Inc. All rights reserved.

Sign up for Security Advisories

Enter your email address: