
====================================================================

                               CERT-Renater

                   Information Note No. 2016/VULN396
_____________________________________________________________________

DATE                : 23/11/2016

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running VMware vCenter Server versions
                          6.5, 6.0, 5.5,
                       vSphere Client versions 6.0, 5.5,
                       vRealize Automation versions 7.x, 6.x.

=====================================================================
http://lists.vmware.com/pipermail/security-announce/2016/000360.html
____________________________________________________________________

---------------------------------------------------------------------------
                         VMware Security Advisory

Advisory ID: VMSA-2016-0022
Severity:    Important
Synopsis:    VMware product updates address information disclosure
              vulnerabilities
Issue date:  2016-11-22
Updated on:  2016-11-22 (Initial Advisory)
CVE number:  CVE-2016-7458, CVE-2016-7459, CVE-2016-7460

1. Summary

    VMware vCenter Server, vSphere Client, and vRealize Automation
    updates address information disclosure vulnerabilities.

2. Relevant Products

    VMware vCenter Server
    VMware vSphere Client
    vRealize Automation

3. Problem Description

    a. vSphere Client XML External Entity vulnerability

    The vSphere Client contains an XML External Entity (XXE)
    vulnerability. This issue can lead to information disclosure if a
    vSphere Client user is tricked into connecting to a malicious
    instance of vCenter Server or ESXi.

    There are no known workarounds for this issue.

    VMware would like to thank Vladimir Ivanov, Andrey Evlanin, Mikhail
    Stepankin, Artem Kondratenko, Arseniy Sharoglazov of Positive
    Technologies for reporting this issue to us.

    The Common Vulnerabilities and Exposures project (cve.mitre.org) has
    assigned the identifier CVE-2016-7458 to this issue.

    Column 5 of the following table lists the action required to
    remediate the vulnerability in each release, if a solution is
    available.

    VMware          Product Running             Replace with/  Mitigation
    Product         Version on       Severity   Apply Patch *  Workaround
    ==============  ======= =======  =========  =============  ==========
    vSphere Client  6.0     Windows  Important  6.0 U2a        None
    vSphere Client  5.5     Windows  Important  5.5 U3e        None

    * In order to remediate the vulnerability, the vSphere Client will
      need to be uninstalled and re-installed. A fixed version of vSphere
      Client can be obtained from:
      - vCenter Server 6.0 U2a
      - vCenter Server 5.5 U3e
      - VMware Knowledge Base article 2089791
      The build numbers of the fixed client versions may be found in
      VMware Knowledge Base article 2089791.


    b. vCenter Server XML External Entity vulnerability

    vCenter Server contains an XML External Entity (XXE) vulnerability in
    the Log Browser, the Distributed Switch setup, and the Content
    Library. A specially crafted XML request issued to the server may
    lead to unintended information disclosure.

    There are no known workarounds for this issue.

    VMware would like to thank Vladimir Ivanov, Andrey Evlanin, Mikhail
    Stepankin, Artem Kondratenko, Arseniy Sharoglazov of Positive
    Technologies, and Lukasz Plonka, for independently reporting this
    issue to us.

    The Common Vulnerabilities and Exposures project (cve.mitre.org) has
    assigned the identifier CVE-2016-7459 to this issue.

    Column 5 of the following table lists the action required to
    remediate the vulnerability in each release, if a solution is
    available.

    VMware          Product Running             Replace with/  Mitigation
    Product         Version on       Severity   Apply Patch    Workaround
    ==============  ======= =======  =========  =============  ==========
    vCenter Server  6.5     Any      N/A        Not affected   N/A
    vCenter Server  6.0     Any      Important  6.0 U2a        None
    vCenter Server  5.5     Any      Important  5.5 U3e        None

    c. vCenter Server and vRealize Automation XML External Entity
       vulnerability

    vCenter Server and vRealize Automation contain an XML External
    Entity (XXE) vulnerability in the Single Sign-On functionality. A
    specially crafted XML request issued to the server may lead to a
    Denial of Service or to unintended information disclosure.

    There are no known workarounds for this issue.

    VMware would like to thank Vladimir Ivanov, Andrey Evlanin, Mikhail
    Stepankin, Artem Kondratenko, Arseniy Sharoglazov of Positive
    Technologies for reporting this issue to us.

    The Common Vulnerabilities and Exposures project (cve.mitre.org) has
    assigned the identifier CVE-2016-7460 to this issue.

    Column 5 of the following table lists the action required to
    remediate the vulnerability in each release, if a solution is
    available.

    VMware          Product Running             Replace with/  Mitigation
    Product         Version on       Severity   Apply Patch    Workaround
    ==============  ======= =======  =========  =============  ==========
    vCenter Server  6.5     Any      N/A        Not affected   N/A
    vCenter Server  6.0     Any      Important  6.0 U2a        None
    vCenter Server  5.5     Any      Important  5.5 U3e        None

    vRealize        7.x     VA       N/A        Not affected   N/A
    Automation
    vRealize        6.x     VA       Important  6.2.5          None
    Automation
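As an added example (not part of this advisory or of any VMware code), the Python below shows the two defensive controls a service that accepts XML requests applies against the XXE class described in a. to c.: a gate that refuses any DOCTYPE before parsing, and a parser with external entity resolution switched off. The sample documents are constructed here; the file URL in XXE_SAMPLE points at /dev/null only to give the declaration the right shape.

```python
import re
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges, feature_external_pes

# Constructed samples, not taken from the advisory. XXE_SAMPLE has the shape of a
# crafted request: the DTD declares an external entity that the body references.
XXE_SAMPLE = ('<?xml version="1.0"?>\n'
              '<!DOCTYPE r [ <!ENTITY ext SYSTEM "file:///dev/null"> ]>\n'
              '<r>&ext;</r>')
INTERNAL_SAMPLE = ('<?xml version="1.0"?>\n'
                   '<!DOCTYPE r [ <!ENTITY greet "hi"> ]>\n'
                   '<r>&greet;</r>')
CLEAN_SAMPLE = '<?xml version="1.0"?><r>hello</r>'

_DOCTYPE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)

def has_doctype(xml_text: str) -> bool:
    """Gate: refuse any request carrying a DTD before it reaches a parser. This
    covers external entities (disclosure) and internal entity expansion (DoS)."""
    return _DOCTYPE.search(xml_text) is not None

class _TextCollector(ContentHandler):
    def __init__(self):
        super().__init__()
        self.chunks = []          # character data reported by the parser

    def characters(self, content):
        self.chunks.append(content)

def parse_hardened(xml_text: str, reject_doctype: bool = True) -> str:
    """Parse with external entity resolution disabled and return the text
    content. Internal entities still expand, so keep the DOCTYPE gate on."""
    if reject_doctype and has_doctype(xml_text):
        raise ValueError("DOCTYPE not allowed in requests")
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)   # explicit, not the interpreter default
    parser.setFeature(feature_external_pes, False)   # no external parameter entities either
    handler = _TextCollector()
    parser.setContentHandler(handler)
    parser.feed(xml_text.encode("utf-8"))
    parser.close()
    return "".join(handler.chunks)

def is_accepted(xml_text: str) -> bool:
    """True when a request passes the gate and parses cleanly."""
    try:
        parse_hardened(xml_text)
        return True
    except (ValueError, xml.sax.SAXParseException):
        return False
```

With the gate bypassed, the external reference in XXE_SAMPLE yields no text at all, while the internal entity in INTERNAL_SAMPLE still expands to "hi"; that difference is why the gate, not the parser feature alone, is the control to rely on.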

4. Solution

    Please review the patch/release notes for your product and version
    and verify the checksum of your downloaded file.

    vCenter Server
    Downloads and Documentation:
    https://www.vmware.com/go/download-vsphere

    vRealize Automation
    Downloads and Documentation:
    https://my.vmware.com/web/vmware/info/slug/infrastructure_operations_management/vmware_vrealize_automation/6_2


5. References

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7458
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7459
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7460

    VMware Knowledge Base article 2089791
    https://kb.vmware.com/kb/2089791

------------------------------------------------------------------------

6. Change log

    2016-11-22
    VMSA-2016-0022 Initial security advisory in conjunction with the
    release of vSphere 6.0 U2a on 2016-11-22.

------------------------------------------------------------------------

7. Contact

    E-mail list for product security notifications and announcements:
    http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

    This Security Advisory is posted to the following lists:

     security-announce at lists.vmware.com
     bugtraq at securityfocus.com
     fulldisclosure at seclists.org

    E-mail: security at vmware.com
    PGP key at: https://kb.vmware.com/kb/1055

    VMware Security Advisories
    http://www.vmware.com/security/advisories

    VMware Security Response Policy
    https://www.vmware.com/support/policies/security_response.html

    VMware Lifecycle Support Phases
    https://www.vmware.com/support/policies/lifecycle.html

    Twitter
    https://twitter.com/VMwareSRC


==========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================