-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2015.2542.6
     VMware vCenter and ESXi updates address critical security issues
                               15 June 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           VMware vCenter and ESXi
Publisher:         VMWare
Operating System:  VMware ESX Server
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-5177 CVE-2015-2342 CVE-2015-1047

Reference:         ESB-2015.2323

Original Bulletin: 
   http://www.vmware.com/security/advisories/VMSA-2015-0007.html

Revision History:  June     15 2016: Updated security advisory to add that vCenter Server 5.0 U3g running on Windows addresses CVE-2105-2342 without the need to install the additional patch.
                   April    28 2016: Updated security advisory to add that vCenter Server 5.5 U3d running on Windows addresses CVE-2105-2342 without the need to install the additional patch.
                   February 15 2016: Updated security advisory to add that an additional patch is required on vCenter Server 5.0 U3e, 5.1 U3b and 5.5 U3/U3a/U3b running on Windows to remediate CVE-2015-2342.
                   October  21 2015: Updated security advisory to reflect that CVE-2015-2342 is fixed in an earlier vCenter Server version (6.0.0b) than originally reported (6.0 U1) and that the port required to exploit the vulnerability is blocked in the appliance versions of the software (5.1 and above).
                   October   7 2015: Updated security advisory in conjunction with the release of ESXi 5.5 U3a on 2015-10-06. Added a note to section 3.a to alert customers to a non-security issue in ESXi 5.5 U3 that is addressed in ESXi 5.5 U3a
                   October   2 2015: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - ------------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID: VMSA-2015-0007.6
Synopsis:    VMware vCenter and ESXi updates address critical security
             issues
Issue date:  2015-10-01
Updated on:  2016-06-14
CVE number:  CVE-2015-5177 CVE-2015-2342 CVE-2015-1047
- - ------------------------------------------------------------------------

1. Summary

   VMware vCenter and ESXi updates address critical security issues.

   NOTE: See section 3.b for a critical update on an incomplete fix
   for the JMX RMI issue.

2. Relevant Releases

   VMware ESXi 5.5 without patch ESXi550-201509101-SG
   VMware ESXi 5.1 without patch ESXi510-201510101-SG
   VMware ESXi 5.0 without patch ESXi500-201510101-SG

   VMware vCenter Server 6.0 prior to version 6.0.0b
   VMware vCenter Server 5.5 prior to version 5.5 update 3
   VMware vCenter Server 5.1 prior to version 5.1 update u3b
   VMware vCenter Server 5.0 prior to version 5.0 update u3e


3. Problem Description

   a. VMWare ESXi OpenSLP Remote Code Execution

      VMware ESXi contains a double free flaw in OpenSLP's
      SLPDProcessMessage() function. Exploitation of this issue may
      allow an unauthenticated attacker to remotely execute code on
      the ESXi host.

      VMware would like to thank Qinghao Tang of QIHU 360 for reporting
      this issue to us.

      The Common Vulnerabilities and Exposures project (cve.mitre.org)
      has assigned the identifier CVE-2015-5177 to this issue.

      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is
      available.

        VMware          Product Running   Replace with/
        Product         Version on        Apply Patch
        =============   =======   =======   =================
        ESXi            6.0       ESXi      not affected
        ESXi            5.5       ESXi      ESXi550-201509101-SG*
        ESXi            5.1       ESXi      ESXi510-201510101-SG
        ESXi            5.0       ESXi      ESXi500-201510101-SG

        * Customers who have installed the complete set of ESXi 5.5 U3
        Bulletins, please review VMware KB 2133118. KB 2133118 documents
        a known non-security issue and provides a solution.

   b. VMware vCenter Server JMX RMI Remote Code Execution

      VMware vCenter Server contains a remotely accessible JMX RMI
      service that is not securely configured. An unauthenticated remote
      attacker who is able to connect to the service may be able to use
      it to execute arbitrary code on the vCenter Server. A local attacker
      may be able to elevate their privileges on vCenter Server.

      vCenter Server Appliance (vCSA) 5.1, 5.5 and 6.0 has remote access
      to the JMX RMI service (port 9875) blocked by default.

      VMware would like to thank Doug McLeod of 7 Elements Ltd and an
      anonymous researcher working through HP's Zero Day Initiative for
      reporting this issue to us.

      The Common Vulnerabilities and Exposures project (cve.mitre.org)
      has assigned the identifier CVE-2015-2342 to this issue.

      CRITICAL UPDATE

      VMSA-2015-0007.2 and earlier versions of this advisory documented
      that CVE-2015-2342 was addressed in vCenter Server 5.0 U3e,
      5.1 U3b, and 5.5 U3. Subsequently, it was found that the fix for
      CVE-2015-2342 in vCenter Server 5.0 U3e, 5.1 U3b, and
      5.5 U3/U3a/U3b running on Windows was incomplete and did not
      address the issue.
      In order to address the issue on these versions of vCenter Server
      Windows, an additional patch must be installed. This additional
      patch is available from VMware Knowledge Base (KB) article
      2144428. Alternatively, updating to vCenter Server 5.0 U3g,
      5.1 U3d, and 5.5 U3d running on Windows will remediate the issue.
      In case the Windows Firewall is enabled on the system that has
      vCenter Server Windows installed, remote exploitation of
      CVE-2015-2342 is not possible. Even if the Windows Firewall is
      enabled, users are advised to install the additional patch in
      order to remove the local privilege elevation.

      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is
      available.

      VMware                  Product    Running   Replace with/
      Product                 Version    on        Apply Patch
      =============           =======    =======   ===============
      VMware vCenter Server   6.0        Any       6.0.0b and above
      VMware vCenter Server   5.5        Windows   (5.5 U3/U3a/U3b + KB*)
                                                   or 5.5 U3d
      VMware vCenter Server   5.5        Linux     5.5 U3 and above
      VMware vCenter Server   5.1        Windows   (5.1 U3b + KB*)
                                                   or 5.1 U3d
      VMware vCenter Server   5.1        Linux     5.1 U3b and above
      VMware vCenter Server   5.0        Windows   (5.0 U3e + KB*)
                                                   or 5.0 U3g
      VMware vCenter Server   5.0        Linux     5.0 U3e and above

     * An additional patch provided in VMware KB article 2144428 must be
       installed on vCenter Server Windows 5.0 U3e, 5.1 U3b, 5.5 U3,
       5.5 U3a, and 5.5 U3b in order to remediate CVE-2015-2342.
       This patch is not needed when updating to 5.0 U3g, 5.1 U3d or
       5.5 U3d, or when installing 5.0 U3g, 5.1 U3d or 5.5 U3d.

   c. VMware vCenter Server vpxd denial-of-service vulnerability

      VMware vCenter Server does not properly sanitize long heartbeat
      messages. Exploitation of this issue may allow an unauthenticated
      attacker to create a denial-of-service condition in the vpxd
      service.

      VMware would like to thank the Google Security Team for reporting
      this issue to us.

      The Common Vulnerabilities and Exposures project (cve.mitre.org)
      has assigned the identifier CVE-2015-1047 to this issue.

      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is
      available.

      VMware                       Product    Running   Replace with/
      Product                      Version    on        Apply Patch
      =============                =======    =======   ==============
      VMware vCenter Server        6.0        Any       not affected
      VMware vCenter Server        5.5        Any       5.5u2
      VMware vCenter Server        5.1        Any       5.1u3
      VMware vCenter Server        5.0        Any       5.0u3e


4. Solution

   Please review the patch/release notes for your product and version
   and verify the checksum of your downloaded file.

   ESXi
   --------------------------------
   Downloads:
   https://www.vmware.com/patchmgr/findPatch.portal

   Documentation:
   http://kb.vmware.com/kb/2110247
   http://kb.vmware.com/kb/2114875
   http://kb.vmware.com/kb/2120209

   vCenter Server
   --------------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/download-vsphere


5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5177
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2342
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1047

   VMware Knowledge Base articles
   http://kb.vmware.com/kb/2133118
   http://kb.vmware.com/kb/2144428

- - ------------------------------------------------------------------------

6. Change log


   2015-10-01 VMSA-2015-0007
   Initial security advisory in conjunction with ESXi 5.0, 5.1 patches
   and VMware vCenter Server 5.1 u3b, 5.0 u3e on 2015-10-01.

   2015-10-06 VMSA-2015-0007.1
   Updated security advisory in conjunction with the release of ESXi 5.5
   U3a on 2015-10-06. Added a note to section 3.a to alert customers to
   a non-security issue in ESXi 5.5 U3 that is addressed in ESXi 5.5 U3a.

   2015-10-20 VMSA-2015-0007.2
   Updated security advisory to reflect that CVE-2015-2342 is fixed in
   an earlier vCenter Server version (6.0.0b) than originally reported
   (6.0 U1) and that the port required to exploit the vulnerability is
   blocked in the appliance versions of the software (5.1 and above).

   2016-02-12 VMSA-2015-0007.3
   Updated security advisory to add that an additional patch is required
   on vCenter Server 5.0 U3e, 5.1 U3b and 5.5 U3/U3a/U3b running on
   Windows to remediate CVE-2015-2342.

   2016-04-27 VMSA-2015-0007.4
   Updated security advisory to add that vCenter Server 5.5 U3d running on
   Windows addresses CVE-2105-2342 without the need to install the
   additional patch.

   2016-05-24 VMSA-2015-0007.5
   Updated security advisory to add that vCenter Server 5.1 U3d running on
   Windows addresses CVE-2105-2342 without the need to install the
   additional patch.

   2016-06-14 VMSA-2015-0007.6
   Updated security advisory to add that vCenter Server 5.0 U3g running on
   Windows addresses CVE-2105-2342 without the need to install the
   additional patch.

- - ------------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

    security-announce at lists.vmware.com
    bugtraq at securityfocus.com
    fulldisclosure at seclists.org

   E-mail: security at vmware.com
   PGP key at: http://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   Consolidated list of VMware Security Advisories
   http://kb.vmware.com/kb/2078735

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html

   Twitter
   https://twitter.com/VMwareSRC

   Copyright 2015 VMware Inc.  All rights reserved.

- -----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8

wj8DBQFXYOI+DEcm8Vbi9kMRAo5NAKDXxOUz7aLdAbLN91d35cTgWjnBUwCgmYEe
UBtln1x1l7M8vaPkawZdpNE=
=c1Np
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBV2D1BIx+lLeg9Ub1AQjtMQ//bG/V3d/H99FZhMbTTCVYnOxLUcEci2Kq
60WMJ5iUZ+/6Zdj8d+FyFdjLA0UT7YFGRrW5lMtYNb8SGBo8o20QosxB/9Ey1q2g
1SIn2C1eyustZR0bB9LDRsqhLMP8UF1QyUiiTRXYKlUdbmdVCif6xB6HAUCtfv8C
bquCjKjb0dgi0S8jXc9KFqYxBllB6T+peC49WBc7axKbPyYZ59XdNdPYN5gnCi7/
HKo7zXRnBhPcM3svLmnIQLiIDJtLH8Gwuod9GHRnpnUUJsMY9oWGBdUoapt7GUBT
6s43SPi89/tAmZGXP73Lunq03WXF3yzStCP7x4IZbN5Cm8BA6aQVxovRtn2mNbuo
zVddmxHusFXgkCoimf/ooghVVNtllXwRj3KH/epznAwi/73Er7fcnPCATkjamh16
+wX73Db7mebbVs2trc9rk62qEIzbubTsygChNFKCp+Dm/Nbl/YP5sDUv73c3hp+e
jvNuXjElMhZypStrTjWfZrV9+z+dtUwVoYya993VP4mh1wYmp/HX6vIL1D7qAJrq
7nFSJoV+3yUytfLPHDw1/bc7faiaXeyVAU9blCcRBA7UCvO7IUIIseZBHPg97YUl
ifgee1qDUFsvJC+hZv9ABbUWlidGvadj5M2ksTgLifqsFjnJsM3Nk8jW93swoPKk
nZQECi4wkig=
=TeLa
-----END PGP SIGNATURE-----