-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.0964
                         VMware Security Advisory
                               15 April 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           vCenter Server
                   vCloud Director
                   vRealize Automation Identity Appliance
Publisher:         VMWare
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Access Privileged Data         -- Remote with User Interaction
                   Provide Misleading Information -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-2076  

Original Bulletin: 
   http://www.vmware.com/security/advisories/VMSA-2016-0004.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - ------------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID: VMSA-2016-0004
Synopsis:    VMware product updates address a critical security issue in
             the VMware Client Integration Plugin
Issue date:  2016-04-14
Updated on:  2016-04-14 (Initial Advisory)
CVE number:  CVE-2016-2076 
 
1. Summary

   VMware vCenter Server, vCloud Director (vCD), vRealize Automation
   (vRA) Identity Appliance, and the Client Integration Plugin (CIP) 
   updates address a critical security issue.

2. Relevant Releases

   vCenter Server 6.0
   vCenter Server 5.5 U3a, U3b, U3c
  
   vCloud Director 5.5.5
   
   vRealize Automation Identity Appliance 6.2.4

3. Problem Description

   a. Critical VMware Client Integration Plugin incorrect session
      handling

   The VMware Client Integration Plugin does not handle session content
   in a safe way. This may allow for a Man in the Middle attack or Web
   session hijacking in case the user of the vSphere Web Client visits
   a malicious Web site.

   The vulnerability is present in versions of CIP that shipped with:
   - vCenter Server 6.0 (any 6.0 version up to 6.0 U2)
   - vCenter Server 5.5 U3a, U3b, U3c
   - vCloud Director 5.5.5
   - vRealize Automation Identity Appliance 6.2.4

   In order to remediate the issue, both the server side (i.e. vCenter
   Server, vCloud Director, and vRealize Automation Identity Appliance)
   and the client side (i.e. CIP of the vSphere Web Client) will need
   to be updated.

   The steps to remediate the issue are as follows:
   A) Install an updated version of:
      - vCenter Server,
      - vCloud Director,
      - vRealize Automation Identity Appliance,
   B) Subsequently update the Client Integration Plugin on the system
      from which the vSphere Web Client is used. 
      Updating the plugin on vSphere and vRA Identity Appliance is
      explained in VMware Knowledge Base article 2145066.
      Updating the plugin on vCloud Director is initiated by a prompt
      when connecting the vSphere Web Client to the updated version of
      vCloud Director.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has 
   assigned the identifier CVE-2016-2076 to this issue.

   Column 4 of the following table lists the action required to
   remediate the vulnerability in each release, if a solution is 
   available.

   VMware                  Product        Running   Replace with/
   Product                 Version        on        Apply Patch
   ======================  =============  =======   =============
   
   vCenter Server          6.0            any       6.0 U2 *
   vCenter Server          5.5 U3a - U3c  any       5.5 U3d *
   vCenter Server          5.1            any       not affected
   vCenter Server          5.0            any       not affected  

   vCloud Director         8.0.x          Windows   not affected **
   vCloud Director         5.6.x          Windows   not affected
   vCloud Director         5.5.5          Windows   5.5.6 *

   vRA Identity Appliance  7.x            Linux     not affected
   vRA Identity Appliance  6.2.4          Linux     6.2.4.1 *

   Client Integration      see text       Windows,  see item B above
   Plugin                  above          Mac OS
   
   * After installing the updated version, the Client Integration Plugin
     will need to be updated on all systems from which the vSphere Web
     Client is used to connect to vCenter Server, vCloud Director and
     vRealize Automation Identity Manager.

  ** vCloud Director 8.0.0 did not ship with a vulnerable CIP version,
      and vCloud Director 8.0.1 shipped with the updated version of the
      CIP.

4. Solution

   Please review the patch/release notes for your product and
   version and verify the checksum of your downloaded file.

   vCenter Server
   --------------
   Downloads and Documentation:
   https://www.vmware.com/go/download-vsphere
  
http://pubs.vmware.com/Release_Notes/en/vsphere/55/vsphere-vcenter-server-5
5u3d-release-notes.html

   vCloud Director
   ---------------
   Downloads and Documentation:
   https://www.vmware.com/go/download/vcloud-director
  
http://pubs.vmware.com/Release_Notes/en/vcd/556/rel_notes_vcloud_director_5
56.html

   VMware vRealize Automation 6.2.4.1
   ----------------------------------
   Downloads and Documentation:
  
https://my.vmware.com/web/vmware/info/slug/infrastructure_operations_manage
ment/vmware_vrealize_automation/6_2
   (select "Go to Downloads" and scroll down to "Security Update")
  
http://pubs.vmware.com/Release_Notes/en/vra/vrealize-automation-624-release
- - -notes.html


5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2076

   VMware Knowledge Base article 2145066
   kb.vmware.com/kb/2145066

- - ------------------------------------------------------------------------

6. Change log

   2016-04-14 VMSA-2016-0004
   Initial security advisory in conjunction with the release of VMware 
   vSphere 5.5 U3d and vCloud Director 5.5.6 on 2016-04-14.

- - ------------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

    security-announce at lists.vmware.com
    bugtraq at securityfocus.com
    fulldisclosure at seclists.org

   E-mail: security at vmware.com
   PGP key at: https://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   Consolidated list of VMware Security Advisories
   http://kb.vmware.com/kb/2078735

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html

   Twitter
   https://twitter.com/VMwareSRC

   Copyright 2016 VMware Inc.  All rights reserved.

- -----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8

wj8DBQFXD+2rDEcm8Vbi9kMRAkavAJ9Jh0+7d46fu6t24ZTbfi+gZqNhNACfbiip
CTomNkThpHn4T6WPTz8LAuw=
=DZIG
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVxA7O36ZAP0PgtI9AQLaYw//Uk6Crn9Wwgt6p7ohoIRHUu8emjF8Qgmn
fnfDvvygTBR96qGGpYk8LLy/Aw5kh4PV3El6Lg+Vokxlt//fPv6D4xDdY5LueNcz
F1I7qtGm9B1TL6poHrxygawQfGb+AI6sbtfSNJFOeIVCkIYqbAlZcTly4ko85TcE
Iuldff/BtZanR04nTCwa8dI4ludUobZc0dCgTMr8O0+P6S/ThESVlCRdjBlo3DlC
dxwQ4MZOEvh8pSBB/Yi2LQvwjb+YJq3yh1tjjnUyKwQpwggL5+8lA6xQ0hPXkTny
I+SQZVabhdqY6ZO927kec3V1F7E803HG+ErbnqFPsuD9KObh4k+bt5kbtw+YDpgu
HSsogsbhfNjTlpJnKNtzE9TUMr9VAWAFldCbsKPu+qplwCjRHaZYlaNtKMBl2je4
WuooZHJe9RgrD6Xb8WWoY8oTAUGQz/n5KDAyMT1LkvJkZ9I/k11/tkck7IqRzy5d
zfrpdRPT968Lrde75gBVrawyNzmoP/zIM4d4IlRG212q5J1bd5F2kTmUlzRpX4au
FhMvF9pirNZTTyRkM83M6u5e1uXc9xQ90E2vp+T+A8XHQ2QWuK1m6No69FKIekLv
uy17v7uANdgJZw6vhUpMMNlXwjOn2qFtgKgqZUG1BUYzBoWwc45138lzIWkjz4DW
vwovNnztKYM=
=qBNb
-----END PGP SIGNATURE-----