VMSA-2015-0003:VMware product updates address CRITICAL information disclosure issue in JRE.

VMware

0 more products

23449

31 March 2015

31 March 2015

CLOSED

CRITICAL

CVE-2014-6593

VMSA-2015-0003.14

VMware product updates address critical information disclosure issue in JRE

VMware Security Advisory
 
VMware Security Advisory Advisory ID:
 VMSA-2015-0003.14
VMware Security Advisory Synopsis:
 VMware product updates address critical information disclosure issue in JRE
VMware Security Advisory Issue date:
 2015-04-02
VMware Security Advisory Updated on:
 2015-12-18
VMware Security Advisory CVE numbers:
  CVE-2014-6593, for other CVEs see JRE reference
1. Summary


VMware product updates address critical information disclosure issue in JRE.

 
2. Relevant Releases

 

Horizon View 6.x or 5.x
Horizon Workspace Portal Server 2.1 or 2.0
Horizon DaaS Platform 6.1.4 or 5.4.5
vCloud Networking and Security prior to 5.5.4.1
vCloud Connector 2.7
vCloud Usage Meter 3.3
vCenter Site Recovery Manager prior to 5.5.1.5, 5.1.3.1 or 5.0.3.3
vCenter Server 6.0, 5.5, 5.1 or 5.0
vRealize Operations Manager 6.0
vCenter Operations Manager 5.8.x or 5.7.x
vCenter Support Assistant 5.5.1.x
vRealize Application Services 6.2 or 6.1
vCloud Application Director 6.0
vRealize Automation 6.2 or 6.1
vCloud Automation Center 6.0.1
vSphere Replication prior to 5.8.0.2, 5.6.0.3, 5.5.1.5 or 5.1.3.1
vRealize Automation 6.2.x or 6.1.x
vRealize Code Stream 1.1 or 1.0
vFabric Postgres 9.3.6.0, 9.2.10.0 or 9.1.15.0
vRealize Hyperic 5.8.x, 5.7.x or 5.0.x
vSphere AppHA Prior to 1.1.x
vSphere Big Data Extensions 2.1 and 2.0
vSphere Data Protection 6.0 and 5.8
vCenter Chargeback Manager 2.7 or 2.6
vRealize Business Adv/Ent 8.1 or 8.0
vRealize Business Standard prior to 1.1.x or 1.0.x
NSX for vSphere 6.1
NSX for Multi-Hypervisor  prior to 4.2.4 
vCloud Director prior to 5.5.3
vCloud Director Service Providers prior to 5.6.4.1
vCenter Application Discovery Manager 7.0
vRealize Configuration Manager 5.7.x or 5.6.x
vRealize Orchestrator 6.0, 5.5 or 5.1.3.1
vRealize Infrastructure 5.8 or 5.7
vRealize Log Insight 2.5, 2.0, 1.5 or 1.0
vSphere Management Assistant 5.5 or 5.1
vSphere Update Manager 6.0, 5.5, 5.1 or 5.0
EVO:RAIL prior to 1.2.1

 

3. Problem Description

a. Oracle JRE Update

Oracle JRE is updated in VMware products to address a critical security issue that existed in earlier releases of Oracle JRE.

VMware products running JRE 1.7 Update 75 or newer and JRE 1.6 Update 91 or newer are not vulnerable to CVE-2014-6593, as documented in the Oracle Java SE Critical Patch Update Advisory of January 2015.

This advisory also includes the other security issues that are addressed  in JRE 1.7 Update 75 and JRE 1.6 Update 91. The References section provides a link to the JRE advisory.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2014-6593 to this issue. This issue is also known as "SKIP" or "SKIP-TLS".

Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware Product
Product Version
Running on
Replace with/ Apply Patch**
VMware ProductHorizon View
Product Version6.x
Running on
Replace with/ Apply Patch**6.1
VMware ProductHorizon View
Product Version5.x
Running on
Replace with/ Apply Patch**5.3.4
VMware ProductHorizon Workspace Portal Server
Product Version2.1, 2.0
Running on
Replace with/ Apply Patch**2.1.1
VMware Product
Product Version
Running on
Replace with/ Apply Patch**
VMware ProductHorizon DaaS Platform
Product Version6.1
Running on
Replace with/ Apply Patch**6.1.4
VMware ProductHorizon DaaS Platform
Product Version5.4
Running on
Replace with/ Apply Patch**5.4.5
VMware ProductvCloud Networking and Security
Product Version5.5
Running on
Replace with/ Apply Patch**5.5.4.1*
VMware ProductvCloud Connector
Product Version2.7
Running on
Replace with/ Apply Patch**2.7.1*
VMware ProductvCloud Usage Meter
Product Version3.3
Running on
Replace with/ Apply Patch**3.3.3*
VMware ProductvCenter Site Recovery Manager
Product Version5.5.x
Running on
Replace with/ Apply Patch**5.5.1.5***
VMware ProductvCenter Site Recovery Manager
Product Version5.1.x
Running on
Replace with/ Apply Patch**5.1.3.1***
VMware ProductvCenter Site Recovery Manager
Product Version5.0.x
Running on
Replace with/ Apply Patch**5.0.3.3***
VMware Product
Product Version
Running on
Replace with/ Apply Patch**
VMware ProductvCenter Server
Product Version6.0
Running on any
Replace with/ Apply Patch**6.0.0a
VMware ProductvCenter Server
Product Version5.5
Running on any
Replace with/ Apply Patch**Update 2e
VMware ProductvCenter Server
Product Version5.1
Running on any
Replace with/ Apply Patch**Update 3a
VMware ProductvCenter Server
Product Version5.0
Running on any
Replace with/ Apply Patch**Update 3d
VMware Product
Product Version
Running on
Replace with/ Apply Patch**
VMware Product
Product Version
Running on
Replace with/ Apply Patch**
VMware ProductvCenter Support Assistant
Product Version5.5.1.x
Running on
Replace with/ Apply Patch**6.0
VMware Product
Product Version
Running on
Replace with/ Apply Patch**
VMware Product
Product Version
Running on
Replace with/ Apply Patch**
VMware Product
Product Version
Running on
Replace with/ Apply Patch**
VMware ProductvPostgres
Product Version9.3.x
Running on
Replace with/ Apply Patch**9.3.6.0
VMware ProductvPostgres
Product Version9.2.x
Running on
Replace with/ Apply Patch**9.2.10.0
VMware ProductvPostgres
Product Version9.1.x
Running on
Replace with/ Apply Patch**9.1.15.0
VMware Product
Product Version
Running on
Replace with/ Apply Patch**
VMware ProductvSphere Replication
Product Version5.8.0
Running on
Replace with/ Apply Patch**5.8.0.2
VMware ProductvSphere Replication
Product Version5.6.0
Running on
Replace with/ Apply Patch**5.6.0.3
VMware ProductvSphere Replication
Product Version5.5.0
Running on
Replace with/ Apply Patch**5.5.1.5
VMware ProductvSphere Replication
Product Version5.1
Running on
Replace with/ Apply Patch**5.1.3.1
VMware Product
Product Version
Running on
Replace with/ Apply Patch**
VMware Product
Product Version
Running on
Replace with/ Apply Patch**
VMware ProductvSphere Data Protection
Product Version6.0
Running on
Replace with/ Apply Patch**6.1*
VMware ProductvSphere Data Protection
Product Version5.8
Running on
Replace with/ Apply Patch**5.8.3*
VMware ProductvSphere Data Protection
Product Version5.5
Running on
Replace with/ Apply Patch**no patch planned*
VMware ProductvSphere Data Protection
Product Version5.1
Running on
Replace with/ Apply Patch**no patch planned*
VMware Product
Product Version
Running on
Replace with/ Apply Patch**
VMware Product
Product Version
Running on
Replace with/ Apply Patch**
VMware Product
Product Version
Running on
Replace with/ Apply Patch**
VMware ProductNSX for vSphere
Product Version6.1
Running on
Replace with/ Apply Patch**6.1.4*
VMware ProductNSX for Multi-Hypervisor
Product Version4.2.x
Running on
Replace with/ Apply Patch**4.2.4*
VMware ProductvCloud Director
Product Version5.5.x
Running on
Replace with/ Apply Patch**5.5.3*
VMware ProductvCloud Director For Service Providers
Product Version5.6.4
Running on
Replace with/ Apply Patch**5.6.4.1*
VMware Product
Product Version
Running on
Replace with/ Apply Patch**
VMware ProductvCenter Application Discovery Manager
Product Version7.0
Running on
Replace with/ Apply Patch**7.1*
VMware Product
Product Version
Running on
Replace with/ Apply Patch**
VMware Product
Product Version
Running on
Replace with/ Apply Patch**
VMware Product
Product Version
Running on
Replace with/ Apply Patch**
VMware ProductvRealize Orchestrator
Product Version5.1
Running on
Replace with/ Apply Patch**5.1.3.1*
VMware Product
Product Version
Running on
Replace with/ Apply Patch**
VMware Product
Product Version
Running on
Replace with/ Apply Patch**
VMware ProductvSphere Management Assistant
Product Version5.5.x
Running on
Replace with/ Apply Patch**5.5.0.4
VMware ProductvSphere Management Assistant
Product Version5.1.x
Running on
Replace with/ Apply Patch**5.1.0.3
VMware ProductvSphere Update Manager
Product Version6.0
Running on
Replace with/ Apply Patch**6.0.0a*
VMware ProductvSphere Update Manager
Product Version5.5
Running on
Replace with/ Apply Patch**Update 2e*
VMware ProductvSphere Update Manager
Product Version5.1
Running on
Replace with/ Apply Patch**Update 3a*
VMware ProductvSphere Update Manager
Product Version5.0
Running on
Replace with/ Apply Patch**Update 3d*
VMware ProductEVO:RAIL
Product Version1.2.0
Running on
Replace with/ Apply Patch**1.2.1*

*     The severity of critical is lowered to important for this product as is not considered Internet facing
**   Knowledge Base (KB) articles provides details of the patches and how to install them.
*** vCenter Site Recovery Manager 5.0, 5.1, and 5.5 itself do not include JRE but they include the vSphere Replication appliance  which has JRE. vCenter Site Recovery 5.8 and 6.0 do not include JRE nor the vSphere Replication appliance.

4. Solution

Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.

Horizon View 6.1, 5.3.4:
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=VIEW-610-GA&productId=492
https://my.vmware.com/web/vmware/details?downloadGroup=VIEW-534-PREMIER&productId=396

VMware Workspace Portal 2.1.1
Download:
https://my.vmware.com/web/vmware/details?downloadGroup=HZNWS211&productId=501&rPId=7586
Documentation:
https://www.vmware.com/support/horizon_workspace/doc/wp_release_notes_211.html

Horizon DaaS Platform 6.1.4
Download: https://my.vmware.com/web/vmware/details?downloadGroup=HORIZON-DAAS-610-BIN&productId=405&rPId=6527

Horizon DaaS Platform 5.4.5
Download: https://my.vmware.com/web/vmware/details?downloadGroup=HORIZON-DAAS-ONPREM-540&productId=398&rPId=5214

vCloud Networking and Security 5.5.4.1
Download: https://my.vmware.com/web/vmware/details?productId=360&rPId=7625&downloadGroup=VCNS5541
Documentation: https://www.vmware.com/support/vshield/doc/releasenotes_vshield_5541.html

vCloud Connector 2.7.1
Downloads and Documentation:
http://www.vmware.com/support/hybridcloud/doc/hybridcloud_271_rel_notes.html

vCloud Usage Meter 3.3.3
Download: https://my.vmware.com/en/group/vmware/get-download?downloadGroup=UMSV333

vCenter Site Recovery Manager 5.5.1.5, 5.1.3.1, 5.0.3.3
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=SRM5515&productId=357&rPId=7774
https://my.vmware.com/group/vmware/details?downloadGroup=SRM5131&productId=291&rPId=9236
https://my.vmware.com/group/vmware/details?downloadGroup=SRM5033&productId=238&rPId=6626

Documentation:
https://www.vmware.com/support/srm/srm-releasenotes-5-5-1.html
https://www.vmware.com/support/srm/srm-releasenotes-5-1-3.html
https://www.vmware.com/support/srm/srm-releasenotes-5-0-3.html

vCenter Server 6.0, 5.5, 5.1, 5.0
Downloads and Documentation:
https://www.vmware.com/go/download-vsphere

vRealize Operations Manager 6.0.1
Downloads and Documentation: http://kb.vmware.com/kb/2111898

vCenter Support Assistant 6.0
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?downloadGroup=VCSA600&productId=491

vRealize Application Services 6.2, 6.1
Downloads and Documentation: http://kb.vmware.com/kb/2111981

NSX for vSphere 6.1
Downloads and Documentation: https://my.vmware.com/web/vmware/details?productId=417&downloadGroup=NSX-V-614

NSX for Multi-Hypervisor 4.2.4
Downloads and Documentation: https://my.vmware.com/web/vmware/info/slug/networking_security/vmware_nsx/4_x

vCloud Application Director 6.0
Downloads and Documentation: http://kb.vmware.com/kb/2111981

vCloud Director for Service Providers 5.6.4.1
Downloads and Documentation: https://www.vmware.com/support/pubs/vcd_sp_pubs.html

vCenter Operations Manager  5.8.5, 5.7.4
Downloads and Documentation:
http://kb.vmware.com/kb/2111172

vCenter Application Discovery Manager 7.1
Download: https://my.vmware.com/web/vmware/details?downloadGroup=VADM-710-VA&productId=300&rPId=8646
Documentation: https://www.vmware.com/support/adm/doc/vcenter-application-discovery-manager-71-release-notes.html

vCloud Automation Center 6.0.1.2
Downloads and Documentation:
http://kb.vmware.com/kb/2111658

vSphere Replication 5.8.0.2, 5.6.0.3, 5.5.1.5
Downloads:
https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5802
https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5603
https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5515
https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5131

Documentation:
http://kb.vmware.com/kb/2112025
http://kb.vmware.com/kb/2112022
http://kb.vmware.com/kb/2112012

vRealize Automation 6.2.1, 6.1.1
Downloads and Documentation:
http://kb.vmware.com/kb/2111658

vRealize Code Stream 1.1, 1.0
Downloads and Documentation:
http://kb.vmware.com/kb/2111658

vFabric Postgres
Downloads
https://my.vmware.com/group/vmware/details?downloadGroup=VFPG_936&productId=373&rPId=7787
https://my.vmware.com/group/vmware/details?downloadGroup=VFPG_92_10&productId=325&rPId=7788
https://my.vmware.com/group/vmware/details?downloadGroup=VFPG_91_15&productId=274&rPId=7789

vRealize Hyperic 5.8.4, 5.7.2, 5.0.3
Downloads and Documentation:
http://kb.vmware.com/kb/KB2111337

vSphere AppHA 1.1.1
Downloads and Documentation:
http://kb.vmware.com/kb/2111336

vSphere Big Data Extensions 2.1 and 2.0
Downloads and Documentation: http://kb.vmware.com/kb/2116604

vSphere Data Protection 6.1
Downloads: https://my.vmware.com/web/vmware/details?productId=491&downloadGroup=VDP61
Documentation: http://pubs.vmware.com/Release_Notes/en/vdp/61/vdp_610_releasenotes.html

vSphere Data Protection 5.8.3
Downloads: https://my.vmware.com/group/vmware/details?productId=353&rPId=8950&downloadGroup=VDP58_3
Documentation: https://www.vmware.com/support/pubs/vdr_pubs.html

vCenter Chargeback Manager 2.7
Downloads and Documentation: http://kb.vmware.com/kb/2112011

vCenter Chargeback Manager 2.6
Downloads and Documentation: http://kb.vmware.com/kb/2113178

vRealize Business Adv/Ent 8.1, 8.0
Downloads and Documentation: http://kb.vmware.com/kb/2112258

vRealize Business Standard 6.0, 1.1 , 1.0
Downloads and Documentation:
http://kb.vmware.com/kb/2111802

vCenter Configuration Manager 5.7.3
Downloads and Documentation:
http://kb.vmware.com/kb/2111670

vRealize Infrastructure Navigator 5.8.4
Download:
https://my.vmware.com/web/vmware/details?downloadGroup=VIN_584&productId=476

vRealize Infrastructure Navigator 5.7
Downloads and Documentation:
http://kb.vmware.com/kb/2111334

vRealize Orchestrator 6.0, 5.5
Downloads and Documentation: http://kb.vmware.com/kb/2112028

vRealize Orchestrator 5.1.3.1
Download: https://my.vmware.com/group/vmware/get-download?downloadGroup=VSP51-VCL-VCOVA-51U3A
Documentation: https://www.vmware.com/support/pubs/orchestrator_pubs.html

vSphere Management Assistant 5.5.0.4
Download: https://my.vmware.com/web/vmware/details?downloadGroup=VMA550&productId=352
Documentation: http://kb.vmware.com/kb/2112648

vSphere Management Assistant 5.1.0.3
Download: https://my.vmware.com/web/vmware/details?downloadGroup=VSP510-VMA-510&productId=285
Documentation: http://kb.vmware.com/kb/2112647

vSphere Update Manager 6.0, 5.5, 5.1, 5.0
Downloads and Documentation:
https://www.vmware.com/go/download-vsphere

EVO:RAIL 1.2.1
Downloads and Documentation:
https://my.vmware.com/group/vmware/details?productId=442&downloadGroup=EVORAIL1_2_1

6. Change log


2015-04-02 VMSA-2015-0003
Initial security advisory in conjunction with the release of VMware Horizon View 6.1, 5.3.4; vCenter Operations Manager 5.8.5; vCenter Operations Manager 5.7.4; vCloud Automation Center 6.0.1.2; vSphere Replication 5.8.0.2, 5.6.0.3; vRealize Automation 6.2.1, 6.1.1; vRealize Code Stream 1.1, 1.0; vRealize Hyperic 5.8.4, 5.7.2, 5.0.3; vSphere AppHA 1.1.1; vRealize Business Standard 1.1.1, 1.0.1; vRealize Configuration Manager prior to 5.7.3; vRealize Infrastructure 5.7, 5.8.4 Patches released on 2015-04-02.

2015-04-09 VMSA-2015-0003.1
Updated security advisory in conjunction with the release of VMware Horizon DaaS Platform 6.1.4, 5.4.5; vRealize Operations Manager 6.0; vRealize Application Services 6.2; vRealize Application Services 6.1; vCloud Application Director 6.0; vCenter Chargeback Manager 2.7, 2.6; vCloud Director For Service Providers 5.6.4.1; vRealize Log Insight 2.5, 2.0, 1.5, 1.0 Patches released on 2015-04-09

2015-04-13 VMSA-2015-0003.2
Updated Security advisory in conjunction with the release of vRealize Business Adv/Ent 8.1, 8.0 Patches released on 2015-04-13.

2015-04-16 VMSA-2015-0003.3
Updated Security advisory in conjunction with the release of vCloud Connector 2.7.1; vCloud Usage Meter 3.3.3; vCenter Server 6.0, 5.5; vSphere Update Manager 6.0, 5.5 patches released on 2015-04-16.

2015-04-17 VMSA-2015-0003.4
Updated Security advisory in conjunction with the release of vCenter Site Recovery Manager 5.5.1.5 patches released on 2015-04-16.

2015-04-23 VMSA-2015-0003.5
Updated Security advisory in conjunction with the release of NSX for Multi-Hypervisor 4.2.4 and vFabric Postgres 9.3.6.0, 9.2.10.0 or 9.1.15.0 patches released on 2015-04-23.


2015-04-30 VMSA-2015-0003.6
Updated Security advisory in conjunction with the release of vCloud Networking and Security 5.5.4.1, vCenter Server 5.1 Update 3a, vCenter Server 5.0 Update 3d, vRealize Orchestrator 5.1.3.1, vSphere Update Manager 5.1 Update 3a and vSphere Update Manager 5.0 Update 3d patches released on 2015-04-30.

2015-05-07 VMSA-2015-0003.7
Updated Security advisory in conjunction with the release of vCenter Support Assistant 6.0, vSphere Big Data Extensions 2.1 and 2.0, NSX for vSphere 6.1.4 patches released on 2015-05-07.

2015-05-08 VMSA-2015-0003.8
Updated Security advisory in conjunction with the release of vSphere Management Assistant 5.5 and 5.1 patches released on 2015-05-08.

2015-07-02 VMSA-2015-0003.9
Updated Security advisory in conjunction with the release of EVO:RAIL 1.2.1 patches released on 2015-07-02.

2015-08-14 VMSA-2015-0003.10
Updated Security advisory in conjunction with the release of vCenter Application Discovery Manager 7.1.0 patches released on 2015-08-13.

2015-09-10 VMSA-2015-0003.11
Updated Security advisory in conjunction with the release of VMware vSphere Data Protection 6.1 released on 2015-09-10.

2015-10-15 VMSA-2015-0003.12
Updated Security advisory in conjunction with the release of vSphere Replication 5.1.3.1 and vCenter Site Recovery Manager 5.1.3.1 released on 2015-10-15.

2015-10-20 VMSA-2015-0003.13
Updated Security advisory in conjunction with the release of vSphere Data Protection 5.8.3 released on 2015-10-20.

2015-10-30 VMSA-2015-0003.14
Updated Security advisory in conjunction with the release of vCenter Site Recovery Manager 5.0.3.3 released on 2015-10-29.

2015-12-18 VMSA-2015-0003.15
Updated Security advisory indicating vSphere Data Protection 5.5 and 5.1 have no patches planned.

7. Contact


E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

  • security-announce at lists.vmware.com
  • bugtraq at securityfocus.com
  • fulldisclosure at seclists.org

E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055

VMware Security Advisories
http://www.vmware.com/security/advisories

VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html

VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html

Twitter
https://twitter.com/VMwareSRC

Copyright 2015 VMware Inc.  All rights reserved.