VMSA-2016-0005.5

VMware product updates address critical and important security issues

VMware Security Advisory
 
VMware Security Advisory Advisory ID:
 VMSA-2016-0005.5
VMware Security Advisory Synopsis:
 VMware product updates address critical and important security issues.
VMware Security Advisory Issue date:
 2016-05-17
VMware Security Advisory Updated on:
 2016-11-22
VMware Security Advisory CVE numbers:
 CVE-2016-3427, CVE-2016-2077
1. Summary

VMware product updates address critical and important security issues

 

2. Relevant Releases

vCenter Server 6.0 on Windows without workaround of KB 2145343

vCenter Server 6.0 on Linux (VCSA) prior to 6.0.0b

vCenter Server 5.5 prior to 5.5 U3d (on Windows), 5.5 U3 (VCSA)

vCenter Server 5.1 prior to 5.1 U3b

vCenter Server 5.0 prior to 5.0 U3e

 

vCloud Director prior to 8.0.1.1

vCloud Director prior to 5.6.5.1

vCloud Director prior to 5.5.6.1

 

vSphere Replication prior to 6.1.1

vSphere Replication prior to 6.0.0.3

vSphere Replication prior to 5.8.1.2

vSphere Replication prior to 5.6.0.6

vRealize Operations Manager 6.x (non-appliance version)

 

vRealize Infrastructure Navigator prior to 5.8.6

 

VMware Workstation prior to 11.1.3

 

VMware Player prior to 7.1.3

 

3. Problem Description

a. Critical JMX issue when deserializing authentication credentials

The RMI server of Oracle JRE JMX deserializes any class when deserializing authentication credentials. This may allow a remote, unauthenticated attacker to cause deserialization flaws and execute their commands.

 

Workarounds CVE-2016-3427

 

vCenter Server

Apply the steps of VMware Knowledge Base article 2145343 to vCenterServer 6.0 on Windows. See the table below for the specific vCenterServer 6.0 versions on Windows this applies to.

 

vCloud Director

No workaround identified

 

vSphere Replication

No workaround identified

 

vRealize Operations Manager (non-appliance)

The non-appliance version of vRealize Operations Manager (vROps), which can be installed on Windows and Linux has no default firewall. In order to remove the remote exploitation possibility, access to the following external ports will need to be blocked on the system where the non-appliance version of vROps is installed:

- vROps 6.2.x: port 9004, 9005, 9006, 9007, 9008

- vROps 6.1.x: port 9004, 9005, 9007, 9008

- vROps 6.0.x: port 9004, 9005

Note: These ports are already blocked by default in the applianceversion of vROps.

 

vRealize Infrastructure Navigator

No workaround identified

 

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2016-3427 to this issue.

 

Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware Product
Product Version
Running on
Replace with/ Apply Patch
VMware Product vCenter Server
Product Version 6.0
Running on Windows
Replace with/ Apply Patch (6.0.0b + KB 2145343 *) or 6.0 U2a
VMware Product vCenter Server
Product Version 6.0
Running on Linux
Replace with/ Apply Patch 6.0.0b
VMware Product vCenter Server
Product Version 5.5
Running on Windows
Replace with/ Apply Patch (5.5 U3b + KB 2144428 **) or 5.5 U3d
VMware Product vCenter Server
Product Version 5.5
Running on Linux
Replace with/ Apply Patch 5.5 U3
VMware Product vCenter Server
Product Version 5.1
Running on Windows
Replace with/ Apply Patch (5.1 U3b + KB 2144428 **) or 5.1 U3d
VMware Product vCenter Server
Product Version 5.1
Running on Linux
Replace with/ Apply Patch 5.1 U3b
VMware Product vCenter Server
Product Version 5.0
Running on Windows
Replace with/ Apply Patch (5.0 U3e + KB 2144428 **) or 5.0 U3g
VMware Product vCenter Server
Product Version 5.0
Running on Linux
Replace with/ Apply Patch 5.0 U3e
VMware Product vCloud Director
Product Version 8.0.x
Running on Linux
Replace with/ Apply Patch 8.0.1.1
VMware Product vCloud Director
Product Version 5.6.x
Running on Linux
Replace with/ Apply Patch 5.6.5.1
VMware Product vCloud Director
Product Version 5.5.x
Running on Linux
Replace with/ Apply Patch 5.5.6.1
VMware Product vSphere Replication
Product Version 6.1.x
Running on Linux
Replace with/ Apply Patch 6.1.1 ***
VMware Product vSphere Replication
Product Version 6.0.x
Running on Linux
Replace with/ Apply Patch 6.0.0.3 ***
VMware Product vSphere Replication
Product Version 5.8.x
Running on Linux
Replace with/ Apply Patch 5.8.1.2 ***
VMware Product vSphere Replication
Product Version 5.6.x
Running on Linux
Replace with/ Apply Patch 5.6.0.6 ***
VMware Product vROps non-appliance
Product Version 6.x
Running on All
Replace with/ Apply Patch Apply workaround
VMware Product vROps non-appliance
Product Version 6.x
Running on Linux
Replace with/ Apply Patch Not affected
VMware Product vRealize Infrastructure Navigator
Product Version 5.8.x
Running on All
Replace with/ Apply Patch 5.8.6

* Remote and local exploitation is feasible on vCenter Server 6.0 and 6.0.0a for Windows. Remote exploitation is not feasible on vCenter Server 6.0.0b (and above) for Windows but local exploitation is. The local exploitation possibility can be removed by applying the steps of KB 2145343 to vCenter Server 6.0.0b (and above) for Windows or by updating to vCenter Server 6.0 U2a for Windows.

 

** See VMSA-2015-0007 for details. vCenter Server 5.5 U3d, 5.1 U3d, and 5.0 U3g running on Windows address CVE-2016-3427 without the need to install the additional patch of KB 2144428 documented in VMSA-2015-0007.

 

*** vSphere Replication is affected if its vCloud Tunneling Agent is running, which is not enabled by default. This agent is used in environments that replicate data between the cloud and an on-premise datacenter.

 

b. Important VMware Workstation and Player for Windows host privilege escalation vulnerability.

VMware Workstation and Player for Windows do not properly reference one of their executables. This may allow a local attacker on the host to elevate their privileges.

VMware would like to thank Andrew Smith of Sword & Shield Enterprise Security for reporting this issue to us.

 

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2016-2077 to this issue.

Column 4 of the following table lists the action required tto remediate the vulnerability in each release, if a solution is available.

 

VMware Product
Product Version
Running on
Replace with/ Apply Patch
VMware Product VMware Workstation
Product Version 12.x.x.
Running on Any
Replace with/ Apply Patch not affected
VMware Product VMware Workstation
Product Version 11.x.x
Running on Windows
Replace with/ Apply Patch 11.1.3
VMware Product VMware Workstation
Product Version 11.x.x
Running on Linux
Replace with/ Apply Patch not affected
VMware Product VMware Player
Product Version 12.x.x
Running on Any
Replace with/ Apply Patch not affected
VMware Product VMware Player
Product Version 7.x.x
Running on Windows
Replace with/ Apply Patch 7.1.3
VMware Product VMware Player
Product Version 7.x.x
Running on Linux
Replace with/ Apply Patch not affected

4. Solution

 

Please review the patch/release notes for your product andversion and verify the checksum of your downloaded file.

 

vCenter Server

--------------

Downloads and Documentation:

https://www.vmware.com/go/download-vsphere

 

vCloud Director

---------------

Downloads and Documentation:

https://www.vmware.com/go/download/vcloud-director

 

vSphere Replication

-------------------

Downloads and Documentation:

https://my.vmware.com/web/vmware/get-download?downloadGroup=VR611

https://my.vmware.com/web/vmware/get-download?downloadGroup=VR6003

https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5812

https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5606

https://www.vmware.com/support/pubs/vsphere-replication-pubs.htm

 

vRealize Infrastructure Navigator

---------------------------------

Downloads and Documentation:https://my.vmware.com/web/vmware/details?downloadGroup=VIN_586&productId=542&rPId=11127

 

VMware Workstation

-------------------------

Downloads and Documentation:

https://www.vmware.com/go/downloadworkstation

 

VMware Player

-------------

Downloads and Documentation:https://www.vmware.com/go/downloadplayer

 

5. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3427

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2077

 

VMware Security Advisory VMSA-2015-0007

http://www.vmware.com/security/advisories/VMSA-2015-0007.html

 

VMware Knowledge Base article 2145343

kb.vmware.com/kb/2145343

 

VMware Knowledge Base article 2144428

kb.vmware.com/kb/2144428

 

6. Change log 

2016-05-17 VMSA-2016-0005

Initial security advisory in conjunction with the release of VMware vCloud Director 8.0.1.1, 5.6.5.1, and 5.5.6.1, and vSphere Replication 6.0.0.3, 5.8.1.2, and 5.6.0.6 on 2016-05-17.

 

2016-05-24 VMSA-2016-0005.1

Updated security advisory in conjunction with the release of vSphere 5.1 U3d on 2016-05-24. vCenter Server 5.1 U3d running on Windows addresses CVE-2016-3427 without the need to install the additional patch.

 

2016-05-27 VMSA-2016-0005.2

Updated security advisory in conjunction with the release of vSphere Replication 6.1.1 on2016-05-26.

 

2016-06-03 VMSA-2016-0005.3

Updated security advisory in conjunction with the release of vRealize Infrastructure Navigator 5.8.6 on 2016-06-02.

 

2016-06-14 VMSA-2016-0005.4

Updated security advisory in conjunction with the release of vSphere 5.0 U3g on 2016-06-14. vCenter Server 5.0 U3g running on Windows addresses CVE-2016-3427 without the need to install the additional patch.

 

2016-11-22 VMSA-2016-0005.5

Updated security advisory in conjunction with the release of vSphere 6.0 U2a on 2016-11-22. vCenter Server 6.0 U2a running on Windows addresses CVE-2016-3427 without the need to install the additional patch.

 

7. Contact

 

E-mail list for product security notifications and announcements:

 

http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

 

This Security Advisory is posted to the following lists:

 

security-announce@lists.vmware.com

bugtraq@securityfocus.com

fulldisclosure@seclists.org

 

E-mail: security@vmware.com

PGP key at: https://kb.vmware.com/kb/1055

 

VMware Security Advisories

http://www.vmware.com/security/advisories

 

Consolidated list of VMware Security Advisories

http://kb.vmware.com/kb/2078735

 

VMware Security Response Policy

https://www.vmware.com/support/policies/security_response.html

 

VMware Lifecycle Support Phases

https://www.vmware.com/support/policies/lifecycle.html

 

Twitter

https://twitter.com/VMwareSRC

 

Copyright 2016 VMware Inc. All rights reserved.