VMSA-2016-0004:VMware product updates address a CRITICAL security issue in the VMware Client Integration Plugin

VMware

0 more products

23475

12 April 2016

12 April 2016

CLOSED

CRITICAL

CVE-2016-2076

 

VMSA-2016-0004

VMware product updates address a critical security issue in the VMware Client Integration Plugin

VMware Security Advisory
 
VMware Security Advisory Advisory ID:
 VMSA-2016-0004
VMware Security Advisory Synopsis:
 VMware product updates address a critical security issue in the VMware Client Integration Plugin
VMware Security Advisory Issue date:
 2016-04-14
VMware Security Advisory Updated on:
 2016-04-14 (Initial Advisory)
VMware Security Advisory CVE numbers:
 CVE-2016-2076
1. Summary

VMware vCenter Server, vCloud Director (vCD), vRealize Automation (vRA) Identity Appliance, and the Client Integration Plugin (CIP) updates address a critical security issue.

 

2. Relevant Releases

vCenter Server 6.0 prior to 6.0 U2
vCenter Server 5.5 U3a, U3b, U3c
vCloud Director 5.5.5
vRealize Automation Identity Appliance 6.2.4

 

3. Problem Description

a. Critical VMware Client Integration Plugin incorrect session handling
The VMware Client Integration Plugin does not handle session content in a safe way. This may allow for a Man in the Middle attack or Web session hijacking in case the user of the vSphere Web Client visits a malicious Web site.


The vulnerability is present in versions of CIP that shipped with:

 

- vCenter Server 6.0 (any 6.0 version prior to 6.0 U2)
- vCenter Server 5.5 U3a, U3b, U3c
- vCloud Director 5.5.5
- vRealize Automation Identity Appliance 6.2.4

 

In order to remediate the issue, both the server side (i.e. vCenter

 

Server, vCloud Director, and vRealize Automation Identity Appliance) and the client side (i.e. CIP of the vSphere Web Client) will need to be updated.

 

The steps to remediate the issue are as follows:

 

A) Install an updated version of:
- vCenter Server
- vCloud Director

- vRealize Automation Identity Appliance

 

B) After step A), update the Client Integration Plugin on the system from which the vSphere Web Client is used. Updating the plugin on vSphere and vRA Identity Appliance is explained in VMware Knowledge Base article 2145066. Updating the plugin on vCloud Director is initiated by a prompt when connecting the vSphere Web Client to the updated version of vCloud Director.


The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2016-2076 to this issue.

Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware Product
Product Version
Running on
Replace with/ Apply Patch
VMware ProductvCenter Server
Product Version6.0
Running on any
Replace with/ Apply Patch6.0 U2 *
VMware ProductvCenter Server
Product Version5.5 U3a - U3c
Running on any
Replace with/ Apply Patch5.5 U3d *
VMware ProductvCenter Server
Product Version5.1
Running on any
Replace with/ Apply Patchnot affected
VMware ProductvCenter Server
Product Version5.0
Running on any
Replace with/ Apply Patchnot affected
VMware ProductvCloud Director
Product Version8.0.x
Running on Linux
Replace with/ Apply Patchnot affected **
VMware ProductvCloud Director
Product Version5.6.x
Running on Linux
Replace with/ Apply Patchnot affected
VMware ProductvCloud Director
Product Version5.5.5
Running on Linux
Replace with/ Apply Patch5.5.6 *
VMware ProductvRA Identify Appliance
Product Version7.x
Running on Linux
Replace with/ Apply Patchnot affected
VMware ProductvRA Identity Appliance
Product Version6.2.4
Running on Linux
Replace with/ Apply Patch6.2.4.1 *
VMware ProductClient Integration Plugin
Product Versionsee text above
Running on Windows, Mac OS
Replace with/ Apply Patchsee item B above

 

 

* After installing the updated version, the Client Integration Plugin will need to be updated on all systems from which the vSphere Web Client is used to connect to vCenter Server, vCloud Director and vRealize Automation Identity Manager.

 

** vCloud Director 8.0.0 did not ship with a vulnerable CIP version, andvCloud Director 8.0.1 shipped with the updated version of the CIP.

4. Solution

 

Please review the patch/release notes for your product andversion and verify the checksum of your downloaded file.

 

vCenter Server

 

Downloads and Documentation:

https://www.vmware.com/go/download-vsphere

http://pubs.vmware.com/Release_Notes/en/vsphere/55/vsphere-vcenter-server-55u3d-release-notes.html

 

vCloud Director 5.5.6

 

Downloads and Documentation:

https://www.vmware.com/go/download/vcloud-director

http://pubs.vmware.com/Release_Notes/en/vcd/556/rel_notes_vcloud_director_556.html

 

 
VMware vRealize Automation 6.2.4.1
Downloads and Doumentation:
https://my.vmware.com/web/vmware/info/slug/infrastructure_operations_management/vmware_vrealize_automation/6_2
(select "Go to Downloads" and scroll down to "Security Update")
http://pubs.vmware.com/Release_Notes/en/vra/vrealize-automation-624-release-notes.html

 

5. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2076

VMware Knowledge Base article 2145066
kb.vmware.com/kb/2145066

6. Change log

2016-04-14 VMSA-2016-0004
Initial security advisory in conjunction with the release of VMware vSphere 5.5 U3d and vCloud Director 5.5.6 on 2016-04-14.

 

7. Contact

 

E-mail list for product security notifications and announcements:

http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

 

This Security Advisory is posted to the following lists:

[email protected]

[email protected]

[email protected]

 

E-mail: [email protected]

PGP key at: https://kb.vmware.com/kb/1055

 

VMware Security Advisories

http://www.vmware.com/security/advisories

 

Consolidated list of VMware Security Advisories

http://kb.vmware.com/kb/2078735

 

VMware Security Response Policy

https://www.vmware.com/support/policies/security_response.html

 

VMware Lifecycle Support Phases

https://www.vmware.com/support/policies/lifecycle.html

 

Twitter

https://twitter.com/VMwareSRC

 

Copyright 2016 VMware Inc. All rights reserved.