
====================================================================

                               CERT-Renater

                 Information Note No. 2016/VULN223
_____________________________________________________________________

DATE                : 25/05/2016

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running VMware vCenter Server 6.0 prior to
                 6.0 update 2, 5.5 prior to 5.5 update 3d, or 5.1 prior
                 to 5.1 update 3d.

======================================================================
http://lists.vmware.com/pipermail/security-announce/2016/000326.html
____________________________________________________________________


------------------------------------------------------------------------
VMware Security Advisory

Advisory ID: VMSA-2016-0006
Synopsis:    VMware vCenter Server updates address an important
               cross-site scripting issue

Issue date:  2016-05-24
Updated on:  2016-05-24 (Initial Advisory)
CVE number:  CVE-2016-2078

1. Summary

     VMware vCenter Server updates address an important cross-site
     scripting issue.

2. Relevant Releases

     vCenter Server 6.0 prior to 6.0 update 2
     vCenter Server 5.5 prior to 5.5 update 3d
     vCenter Server 5.1 prior to 5.1 update 3d

3. Problem Description

     a. Reflected cross-site scripting issue through flash parameter
        injection

     The vSphere Web Client contains a reflected cross-site scripting
     vulnerability that occurs through flash parameter injection. An
     attacker can exploit this issue by tricking a victim into clicking
     a malicious link.

     VMware would like to thank John Page aka hyp3rlinx for reporting
     this issue to us.

     The Common Vulnerabilities and Exposures project (cve.mitre.org) has
     assigned the identifier CVE-2016-2078 to this issue.

     Column 4 of the following table lists the action required to
     remediate the vulnerability in each release, if a solution is
     available.

     VMware              Product       Running      Replace with/
     Product             Version         on          Apply Patch
     ============       ==========    ==========    =============
     vCenter Server       6.0          Windows        6.0 U2*
     vCenter Server       6.0          Linux          not affected
     vCenter Server       5.5          Windows        5.5 U3d*
     vCenter Server       5.5          Linux          not affected
     vCenter Server       5.1          Windows        5.1 U3d*
     vCenter Server       5.1          Linux          not affected
     vCenter Server       5.0          any            not affected

     *The client-side component of the vSphere Web Client does not need to
     be updated to remediate CVE-2016-2078. Updating the vCenter Server is
     sufficient to remediate this issue.


4. Solution

     Please review the patch/release notes for your product and
     version and verify the checksum of your downloaded file.

     vCenter Server
     --------------
     Downloads and Documentation:
     https://www.vmware.com/go/download-vsphere


5. References

     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2078

------------------------------------------------------------------------

6. Change log

     2016-05-24 VMSA-2016-0006
     Initial security advisory in conjunction with the release of VMware
     vCenter Server 5.1 U3d on 2016-05-24.

------------------------------------------------------------------------

7. Contact

     E-mail list for product security notifications and announcements:
     http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

     This Security Advisory is posted to the following lists:

     security-announce at lists.vmware.com
     bugtraq at securityfocus.com
     fulldisclosure at seclists.org

     E-mail: security at vmware.com
     PGP key at: https://kb.vmware.com/kb/1055

     VMware Security Advisories
     http://www.vmware.com/security/advisories

     Consolidated list of VMware Security Advisories
     http://kb.vmware.com/kb/2078735

     VMware Security Response Policy
     https://www.vmware.com/support/policies/security_response.html

     VMware Lifecycle Support Phases
     https://www.vmware.com/support/policies/lifecycle.html

     Twitter
     https://twitter.com/VMwareSRC

     Copyright 2016 VMware Inc.  All rights reserved.


==========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================