
=====================================================================

                                     CERT-Renater

                         Information Note No. 2015/VULN192
_____________________________________________________________________

DATE                : 17/09/2015

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running VMware vCenter Server versions 6.0, 5.5.

=====================================================================
http://www.vmware.com/security/advisories/VMSA-2015-0006.html
_____________________________________________________________________

------------------------------------------------------------------------
                    VMware Security Advisory

Advisory ID: VMSA-2015-0006
Synopsis:    VMware vCenter Server updates address a LDAP certificate
              validation issue

Issue date:  2015-09-16
Updated on:  2015-09-16
CVE number:  CVE-2015-6932
------------------------------------------------------------------------

1. Summary

    VMware vCenter Server updates address a LDAP certificate validation
    issue.


2. Relevant Releases

    VMware vCenter Server prior to version 6.0 update 1
    VMware vCenter Server prior to version 5.5 update 3


3. Problem Description

     VMware vCenter Server LDAP certificate validation vulnerability

     VMware vCenter Server does not validate the certificate when binding
     to an LDAP server using TLS. Exploitation of this vulnerability may
     allow an attacker that is able to intercept traffic between vCenter
     Server and the LDAP server to capture sensitive information.

     The Common Vulnerabilities and Exposures project (cve.mitre.org) has
     assigned the identifier CVE-2015-6932 to this issue.
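
     The flaw class described above, as an added example (not VMware's
     code and not part of the original advisory): a Python TLS client
     context with validation disabled beside one that requires a trusted
     chain and a matching host name, plus a validating probe for an LDAPS
     endpoint. The function names and the optional CA file are
     assumptions of this example; 636 is the standard LDAPS port.

```python
# Added illustration; all function names here are hypothetical.
import socket
import ssl


def unvalidated_context():
    """Client context that accepts any server certificate (the flaw class)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE  # chain is never checked: an interceptor's cert passes
    return ctx


def validating_context(cafile=None):
    """Client context that requires a trusted chain and a matching host name."""
    # create_default_context sets CERT_REQUIRED and check_hostname=True.
    return ssl.create_default_context(cafile=cafile)


def audit_context(ctx):
    """Return the validation gaps in an SSLContext; an empty list means none."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("host name is not checked against the certificate")
    return findings


def probe_ldaps(host, port=636, cafile=None, timeout=5.0):
    """Handshake with an LDAPS endpoint using full validation.

    Returns (True, subject) when the certificate validates,
    otherwise (False, reason).
    """
    ctx = validating_context(cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, tls.getpeercert().get("subject")
    except ssl.SSLCertVerificationError as exc:
        return False, exc.verify_message
    except (ssl.SSLError, OSError) as exc:
        return False, str(exc)


if __name__ == "__main__":
    print(audit_context(unvalidated_context()))
    print(audit_context(validating_context()))
```

     A failed probe against a directory server reports why its
     certificate would be rejected by a client that validates.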

     Column 4 of the following table lists the action required to
     remediate the vulnerability in each release, if a solution is
     available.

       VMware                        Product    Running   Replace with/
       Product                       Version    on        Apply Patch
       =====================         =======    =======   =============
       VMware vCenter Server         6.0        Any       6.0 u1
       VMware vCenter Server         5.5        Any       5.5 u3
       VMware vCenter Server         5.1        Any       not affected
       VMware vCenter Server         5.0        Any       not affected


4. Solution

    Please review the patch/release notes for your product and
    version and verify the checksum of your downloaded file.

    vCenter Server
    --------------------------------
    Downloads and Documentation:
    https://www.vmware.com/go/download-vsphere



5. References

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6932

------------------------------------------------------------------------

6. Change log

    2015-09-16 VMSA-2015-0006
    Initial security advisory.


------------------------------------------------------------------------

7. Contact

    E-mail list for product security notifications and announcements:
    http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

    This Security Advisory is posted to the following lists:

     security-announce at lists.vmware.com
     bugtraq at securityfocus.com
     fulldisclosure at seclists.org

    E-mail: security at vmware.com
    PGP key at: http://kb.vmware.com/kb/1055

    VMware Security Advisories
    http://www.vmware.com/security/advisories

    Consolidated list of VMware Security Advisories
    http://kb.vmware.com/kb/2078735

    VMware Security Response Policy
    https://www.vmware.com/support/policies/security_response.html

    VMware Lifecycle Support Phases
    https://www.vmware.com/support/policies/lifecycle.html

    Twitter
    https://twitter.com/VMwareSRC

    Copyright 2015 VMware Inc.  All rights reserved.


=====================================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
=====================================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
=====================================================================




