New advisory for you and this one looks like a beast, I mean it seems to affect every VMware product other than vSphere ESXi. But to be fair this is more of an issue with Oracle JRE than the overlaying applications stack. And relate to an issue documented in Oracle’s Critical Patch Update Advisory of January 2015 which contained 169 security fixes. It is strongly recommended by Oracle that the patch is installed and by VMware that this patch is applied to any and all of the affected products listed below:
| Synopsis: | VMware product updates address critical information disclosure issue in JRE. |
| Issue date: | 2015-04-02 |
| Updated on: | 2015-04-09 |
| CVE number: | CVE-2014-6593, for other CVEs see JRE reference |
- SummaryVMware product updates address critical information disclosure issue in JRE.2. Relevant Releases
Horizon View 6.x or 5.x
Horizon Workspace Portal Server 2.1 or 2.0
Horizon DaaS Platform 6.1.4 or 5.4.5
vRealize Operations Manager 6.0
vCenter Operations Manager 5.8.x or 5.7.x
vRealize Application Services 6.2 or 6.1
vCloud Application Director 6.0
vRealize Automation 6.2 or 6.1
vCloud Automation Center 6.0.1
vSphere Replication prior to 5.8.0.2 or 5.6.0.3
vRealize Automation 6.2.x or 6.1.x
vRealize Code Stream 1.1 or 1.0
vRealize Hyperic 5.8.x, 5.7.x or 5.0.x
vSphere AppHA Prior to 1.1.x
vCenter Chargeback Manager 2.7 or 2.6
vRealize Business Standard prior to 1.1.x or 1.0.x
NSX for Multi-Hypervisor prior to 4.2.4
vCloud Director prior to 5.5.3
vCloud Director Service Providers prior to 5.6.4.1
vRealize Configuration Manager 5.7.x or 5.6.x
vRealize Infrastructure 5.8 or 5.7
vRealize Log Insight 2.5, 2.0, 1.5 or 1.0
3. Problem Description
a. Oracle JRE Update
Oracle JRE is updated in VMware products to address a critical security issue that existed in earlier releases of Oracle JRE.
VMware products running JRE 1.7 Update 75 or newer and JRE 1.6 Update 91 or newer are not vulnerable to CVE-2014-6593, as documented in the Oracle Java SE Critical Patch Update Advisory of January 2015.
This advisory also includes the other security issues that are addressed in JRE 1.7 Update 75 and JRE 1.6 Update 91. The References section provides a link to the JRE advisory.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2014-6593 to this issue. This issue is also known as “SKIP” or “SKIP-TLS”.
Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.
| VMware Product | Product Version | Running on | Replace with/ Apply Patch** |
| Horizon View | 6.x | Any | 6.1 |
| Horizon View | 5.x | Any | 5.3.4 |
| Horizon Workspace Portal Server | 2.1 ,2.0 | Any | 2.1.1 |
| Horizon DaaS Platform | 6.1 | Any | 6.1.4 |
| Horizon DaaS Platform | 6.0 | Any | Patch pending |
| Horizon DaaS Platform | 5.4 | Any | 5.4.5 |
| vCloud Networking and Security | 5.5 | Any | Patch pending* |
| vCloud Connector | 2.7 | Any | Patch pending* |
| vCloud Usage Meter | 3.3 | Any | Patch pending* |
| vCenter Site Recovery Manager | 5.5.x | Any | patch pending*** |
| vCenter Site Recovery Manager | 5.1.x | Any | patch pending*** |
| vCenter Site Recovery Manager | 5.0.x | Any | patch pending*** |
| vCenter Server | 6.0 | Any | Patch pending |
| vCenter Server | 5.5 | Any | Patch pending |
| vCenter Server | 5.1 | Any | Patch pending |
| vCenter Server | 5.0 | Any | Patch pending |
| vRealize Operations Manager | 6.0 | Any | KB2112028 |
| vRealize Operations Manager | 5.8.x | Any | KB2111172 |
| vRealize Operations Manager | 5.7.x | Any | KB2111172 |
| vCenter Support Assistant | 5.5.1.x | Any | Patch pending |
| vRealize Application Services | 6.2 | Any | KB2111981 |
| vRealize Application Services | 6.1 | Any | KB2111981 |
| vCloud Application Director | 6.0 | Any | KB2111981 |
| vCloud Application Director | 5.2 | Any | KB2111981 |
| vRealize Automation | 6.2 | Any | KB2111658 |
| vRealize Automation | 6.1 | Any | KB2111658 |
| vCloud Automation Center | 6.0.1 | Any | KB2111658 |
| vRealize Code Stream | 1.1 | Any | KB2111658 |
| vRealize Code Stream | 1.0 | Any | KB2111658 |
| vPostgres | 9.3.x | Any | Patch pending |
| vPostgres | 9.2.x | Any | Patch pending |
| vPostgres | 9.1.x | Any | Patch pending |
| vSphere Replication | 5.8.1 | Any | Patch pending |
| vSphere Replication | 5.8.0 | Any | 5.8.0.2 |
| vSphere Replication | 5.6.0 | Any | 5.6.0.3 |
| vSphere Replication | 5.1 | Any | Patch pending |
| vSphere Storage Appliance | 5.x | Any | Patch pending* |
| vRealize Hyperic | 5.8 | Any | KB2111337 |
| vRealize Hyperic | 5.7 | Any | KB2111337 |
| vRealize Hyperic | 5.0 | Any | KB2111337 |
| vSphere AppHA | 1.1 | Any | KB2111336 |
| vSphere Big Data Extensions | 2.1 | Any | Patch pending* |
| vSphere Big Data Extensions | 2.0 | Any | Patch pending* |
| vSphere Data Protection | 6.0 | Any | Patch pending* |
| vSphere Data Protection | 5.8 | Any | Patch pending* |
| vSphere Data Protection | 5.5 | Any | Patch pending* |
| vSphere Data Protection | 5.1 | Any | Patch pending* |
| vCenter Chargeback Manager | 2.7 | Any | KB2112011* |
| vCenter Chargeback Manager | 2.6 | Any | KB2113178* |
| vRealize Business Adv/Ent | 8.1 | Any | Patch pending* |
| vRealize Business Adv/Ent | 8.0 | Any | Patch pending* |
| vRealize Business Standard | 6.0 | Any | KB2111802 |
| vRealize Business Standard | 1.1 | Any | KB2111802 |
| vRealize Business Standard | 1.0 | Any | KB2111802 |
| NSX for vSphere | 6.1 | Any | Patch pending* |
| NSX for Multi-Hypervisor | 4.2 | Any | 4.2.4* |
| vCloud Director | 5.5.x | Any | 5.5.3* |
| vCloud Director For Service Providers | 5.6.4 | Any | 5.6.4.1* |
| vCenter Application Discovery Manager | 7.0 | Any | Patch pending* |
| vRealize Configuration Manager | 5.7.x | Any | KB2111670 |
| vRealize Configuration Manager | 5.6 | Any | KB2111670 |
| vRealize Infrastructure Navigator | 5.8 | Any | 5.8.4 |
| vRealize Infrastructure Navigator | 5.7 | Any | KB2111334* |
| vRealize Orchestrator | 6.0 | Any | Patch pending* |
| vRealize Orchestrator | 5.2 | Any | Patch pending* |
| vRealize Orchestrator | 5.1 | Any | Patch pending* |
| vShield | 5.5 | Any | Patch pending* |
| vRealize Log Insight | 2.5 | Any | KB2113235* |
| vRealize Log Insight | 2.0 | Any | KB2113235* |
| vRealize Log Insight | 1.5 | Any | KB2113235* |
| vRealize Log Insight | 1.0 | Any | KB2113235* |
| vSphere Management Assistant | 5.x | Any | Patch pending |
| vSphere Update Manager | 6.0 | Any | Patch pending* |
| vSphere Update Manager | 5.5 | Any | Patch pending* |
| vSphere Update Manager | 5.1 | Any | Patch pending* |
| vSphere Update Manager | 5.0 | Any | Patch pending* |
* The severity of critical is lowered to important for this product as is not considered Internet facing
** Knowledge Base (KB) articles provides details of the patches and how to install them.
*** vCenter Site Recovery Manager 5.0, 5.1, and 5.5 itself do not include JRE but they include the vSphere Replication appliance which has JRE. vCenter Site Recovery 5.8 and 6.0 do not include JRE nor the vSphere Replication appliance.
4. Solution
Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.
Horizon View 6.1, 5.3.4: Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=VIEW-610-GA&productID=492
https://my.vmware.com/web/vmware/details?downloadGroup=VIEW-534-PREMIER&prodictID=396
VMware Workspace Portal 2.1.1: Download:
https://my.vmware.com/web/vmware/details?downloadGroup=HZNWS211&productId=501&rPId=7586
Documentation:
https://www.vmware.com/support/horizon_workspace/doc/wp_release_notes_211.html
Horizon DaaS Platform 6.1.4 Download:
https://my.vmware.com/web/vmware/details?downloadGroup=HORIZON-DAAS-610-BIN&productId=405&rPId=6527
Horizon DaaS Platform 5.4.5 Download:
vRealize Operations Manager 6.0.1 Downloads and Documentation:
http://kb.vmware.com/kb/2112028
vRealize Application Services 6.2, 6.1 Downloads and Documentation:
http://kb.vmware.com/kb/2111981
vCloud Application Director 6.0 Downloads and Documentation:
http://kb.vmware.com/kb/2111981
vCloud Director for Service Providers 5.6.4.1 Downloads and Documentation:
https://www.vmware.com/support/pubs/vcd_sp_pubs.html
vCenter Operations Manager 6.0, 5.8.5, 5.7.4 Downloads and Documentation:
http://kb.vmware.com/kb/2111172
vCloud Automation Center 6.0.1.2 Downloads and Documentation:
http://kb.vmware.com/kb/2111685
vSphere Replication 5.8.0.2, 5.6.0.3 Downloads:
https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5802
https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5603
Documentation:
http://kb.vmware.com/kb/2112025
http://kb.vmware.com/kb/2112022
vRealize Automation 6.2.1, 6.1.1 Downloads and Documentation:
http://kb.vmware.com/kb/2111658
vRealize Code Stream 1.1, 1.0 Downloads and Documentation:
http://kb.vmware.com/kb/2111685
vRealize Hyperic 5.8.4, 5.7.2, 5.0.3 Downloads and Documentation:
http://kb.vmware.com/kb/KB2111337
vSphere AppHA 1.1.1 Downloads and Documentation:
http://kb.vmware.com/kb/2111336
vCenter Chargeback Manager 2.7 Downloads and Documentation:
http://kb.vmware.com/kb/2112011
vCenter Chargeback Manager 2.6 Downloads and Documentation:
http://kb.vmware.com/kb/2113178
vRealize Business Standard 6.0, 1.1 , 1.0 Downloads and Documentation:
http://kb.vmware.com/kb/2111802
vRealize Configuration Manager 5.7.3 Downloads and Documentation:
http://kb.vmware.com/kb/2111670
vRealize Infrastructure Navigator 5.8.4 Download:
https://my.vmware.com/web/vmware/details?downloadGroup=VIN_584&productId=476
vRealize Infrastructure Navigator 5.7 Downloads and Documentation:
http://kb.vmware.com/kb/2111334
5. References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6593
JRE:- Oracle Java SE Critical Patch Update Advisory of January 2015
http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
6. Change log
2015-04-02 VMSA-2015-0003
Initial security advisory in conjunction with the release of VMware Horizon View 6.1, 5.3.4; vCenter Operations Manager 5.8.5; vCenter Operations Manager 5.7.4; vCloud Automation Center 6.0.1.2; vSphere Replication 5.8.0.2, 5.6.0.3; vRealize Automation 6.2.1, 6.1.1; vRealize Code Stream 1.1, 1.0; vRealize Hyperic 5.8.4, 5.7.2, 5.0.3; vSphere AppHA 1.1.1; vRealize Business Standard 1.1.1, 1.0.1; vRealize Configuration Manager prior to 5.7.3; vRealize Infrastructure 5.7, 5.8.4 Patches released on 2015-04-02.
2015-04-09 VMSA-2015-0003.1
Initial security advisory in conjunction with the release of VMware Horizon DaaS Platform 6.1.4, 5.4.5; vRealize Operations Manager 6.0; vRealize Application Services 6.2; vRealize Application Services 6.1; vCloud Application Director 6.0; vCenter Chargeback Manager 2.7, 2.6; vCloud Director For Service Providers 5.6.4.1; vRealize Log Insight 2.5, 2.0, 1.5, 1.0 Patches released on 2015-04-09.
7. ContactE-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
- security-announce at lists.vmware.com
- bugtraq at securityfocus.com
- fulldisclosure at seclists.org
E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
Consolidated list of VMware Security Advisories
http://kb.vmware.com/kb/2078735
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
Twitter
https://twitter.com/VMwareSRC
Copyright 2015 VMware Inc. All rights reserved.
