VMware Security Advisory
VMSA-2017-0004.7
VMware product updates resolve remote code execution vulnerability via Apache Struts 2
1. Summary
VMware product updates resolve remote code execution vulnerability via Apache Struts 2
2. Relevant Products
- Horizon Desktop as-a-Service Platform (DaaS)
- VMware vCenter Server (vCenter)
- vRealize Operations Manager (vROps)
- vRealize Hyperic Server (Hyperic)
3. Problem Description
Remote code execution vulnerability via Apache Struts 2
Multiple VMware products contain a remote code execution vulnerability because they ship a vulnerable version of Apache Struts 2 (Apache Struts advisories S2-045 and S2-046). A remote attacker who can send requests to the affected web interface may exploit this issue, and successful exploitation may result in the complete compromise of the affected product.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2017-5638 to this issue.
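The exploitation path behind CVE-2017-5638 (Struts S2-045, and the S2-046 variant) is an OGNL expression smuggled into the Content-Type header of a request, which the Struts Jakarta multipart parser copies into an error message that is then evaluated. Until the fixed builds listed below are installed, the most useful thing a defender can do is look for attempts in web-server logs. The following Python script is an added example for this advisory, not VMware's or Apache's code: it assumes a custom Apache LogFormat that records the Content-Type request header, the URL paths in it are invented, and every log line in SAMPLE_LOG is constructed for the example.

```python
"""Scan web-server access logs for CVE-2017-5638 (Apache Struts S2-045 / S2-046)
exploitation attempts.

Added example for this advisory, not VMware's or Apache's code.  It relies on the
public description of the bug: Struts' Jakarta multipart parser copies the
request's Content-Type header (S2-045) or a multipart filename (S2-046) into an
error message that is then evaluated as an OGNL expression.  A legitimate
Content-Type is a media type plus parameters and never contains an expression
opener, so "%{" or "${" in that header is a reliable signal.
The LogFormat, the paths and every line in SAMPLE_LOG are assumptions/constructed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import unquote

# Assumed LogFormat: "%h %t \"%r\" %>s \"%{Content-Type}i\""
_LINE_RE = re.compile(
    r'^(?P<host>\S+) \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) "(?P<ctype>.*)"$'
)

# OGNL expression openers used by the public S2-045 payloads.
_OGNL_OPEN = re.compile(r"[%$]\{")
# Tokens from the public payloads that have no place in a media type.
_OGNL_HINTS = re.compile(
    r"#_memberAccess|@ognl\.|@java\.lang\.|#context|#cmd|OgnlContext|ProcessBuilder",
    re.IGNORECASE,
)

# Constructed sample log: a benign upload, two attempts (the second one
# URL-encoded) and a benign JSON request.
SAMPLE_LOG = """\
10.0.0.5 [13/Mar/2017:10:01:02 +0000] "POST /upload.action HTTP/1.1" 200 "multipart/form-data; boundary=----WebKitFormBoundaryabc123"
203.0.113.7 [13/Mar/2017:10:05:44 +0000] "POST /upload.action HTTP/1.1" 500 "%{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#cmd='id')}"
198.51.100.9 [13/Mar/2017:10:06:10 +0000] "GET /index.action HTTP/1.1" 200 "%25%7B(#context['xwork.MethodAccessor.denyMethodExecution']=false)%7D"
192.0.2.4 [13/Mar/2017:10:07:00 +0000] "POST /api/session HTTP/1.1" 400 "application/json; charset=utf-8"
"""


@dataclass
class Finding:
    host: str
    time: str
    request: str
    reasons: List[str] = field(default_factory=list)


def normalise(value: str) -> str:
    """Percent-decode up to twice, so an encoded "%25%7B" still becomes "%{"."""
    for _ in range(2):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_content_type(ctype: str) -> List[str]:
    """Return the reasons a Content-Type value looks like an S2-045 payload
    (empty list for a benign header)."""
    value = normalise(ctype)
    reasons: List[str] = []
    if _OGNL_OPEN.search(value):
        reasons.append("OGNL expression opener in Content-Type")
    if _OGNL_HINTS.search(value):
        reasons.append("OGNL/Java payload tokens in Content-Type")
    # Public payloads embed the literal 'multipart/form-data' so that Struts
    # routes the request to the multipart parser; record that when present.
    if reasons and "multipart/form-data" in value.lower():
        reasons.append("multipart marker present: reaches the multipart parser")
    return reasons


def parse_line(line: str) -> Optional[dict]:
    """Parse one line of the assumed LogFormat; None if it does not match."""
    m = _LINE_RE.match(line)
    return m.groupdict() if m else None


def scan_log(text: str) -> List[Finding]:
    """Return a Finding for every request whose Content-Type looks malicious."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # not the assumed format; skip rather than guess
        reasons = inspect_content_type(rec["ctype"])
        if reasons:
            findings.append(Finding(rec["host"], rec["time"], rec["request"], reasons))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.host} {f.time} {f.request!r}: {'; '.join(f.reasons)}")
```

The detector keys on the shape of the header rather than on one published payload string, which is why it decodes percent-encoding before matching: a Content-Type that contains an expression opener is not a valid media type under any encoding. Adapt `_LINE_RE` to whatever your own LogFormat emits; if your server does not log request headers, the same `inspect_content_type` check can be applied in a reverse proxy or WAF rule in front of the affected products.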
Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.
VMware Product | Product Version | Running on | Severity | Replace with/ Apply Patch | Mitigation/ Workaround
4. Solution
Please review the patch/release notes for your product and version, and verify the checksum of each downloaded file against the value published on its download page before installing it.
Horizon Desktop as-a-Service Platform 7.0.0
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?downloadGroup=HORIZON_DAAS_700&productId=638&rPId=14833
https://kb.vmware.com/kb/2149495
Horizon Desktop as-a-Service Platform 6.1.6
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?downloadGroup=HORIZON-DAAS-610-BIN&productId=405&rPId=6527
https://kb.vmware.com/kb/2149500
Horizon Desktop as-a-Service Platform 6.1.x
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?downloadGroup=HORIZON-DAAS-610-BIN&productId=405&rPId=6527
https://kb.vmware.com/kb/2149588
VMware vCenter Server 6.5b
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?downloadGroup=VC650B&productId=614&rPId=15190
VMware vCenter Server 6.0u3a
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?downloadGroup=VC60U3&productId=491&rPId=15373
https://kb.vmware.com/kb/2149434
vRealize Operations Manager 6.x
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?downloadGroup=VROPS-650&productId=637&rPId=14777
https://my.vmware.com/web/vmware/details?downloadGroup=VROPS-640&productId=612&rPId=13944
https://my.vmware.com/web/vmware/details?downloadGroup=VROPS-630&productId=600&rPId=12625
https://my.vmware.com/web/vmware/details?downloadGroup=VROPS-621&productId=563&rPId=11131
https://kb.vmware.com/kb/2149591
https://kb.vmware.com/kb/2149472
vRealize Hyperic Server 5.x
Downloads and Documentation:
https://kb.vmware.com/kb/2149543
5. References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638
https://struts.apache.org/docs/s2-045.html
https://struts.apache.org/docs/s2-046.html
https://kb.vmware.com/kb/2149434
https://kb.vmware.com/kb/2149449
https://kb.vmware.com/kb/2149472
https://kb.vmware.com/kb/2149495
https://kb.vmware.com/kb/2149588
https://kb.vmware.com/kb/2149543
https://kb.vmware.com/kb/2149591
6. Change log
2017-03-13: VMSA-2017-0004
Initial security advisory in conjunction with the release of workarounds for VMware vCenter Server 6.5 and 6.0.
2017-03-14: VMSA-2017-0004.1
Security advisory update removing workaround for VMware vCenter Server 6.5 due to customer reported issues.
2017-03-14: VMSA-2017-0004.2
Security advisory update in conjunction with the release of VMware vCenter Server 6.5b.
2017-03-15: VMSA-2017-0004.3
Security advisory update in conjunction with the release of Horizon Desktop as-a-Service Platform 6.1.6 fixes and a vRealize Operations Manager workaround.
2017-03-16: VMSA-2017-0004.4
Security advisory update in conjunction with the release of Horizon Desktop as-a-Service Platform 7.0.0 fixes.
2017-03-21: VMSA-2017-0004.5
Security advisory update in conjunction with the release of Horizon Desktop as-a-Service Platform 6.1.5 fixes and vCenter 6.0u3a.
2017-03-23: VMSA-2017-0004.6
Security advisory update in conjunction with the release of vRealize Hyperic Server 5.8.6 and 5.8.5 fixes.
2017-03-28: VMSA-2017-0004.7
Security advisory update in conjunction with the release of vRealize Operations Manager 6.2.1, 6.3, 6.4 and 6.5 fixes.
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
E-mail: [email protected]
PGP key at:
VMware Security Advisories
http://www.vmware.com/security/advisories
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
Copyright 2017 VMware Inc. All rights reserved.