Executive Summary
| Summary | |
|---|---|
| Title | VMware product updates address a critical security issue in the VMware Client Integration Plugin |
| Informations | |||
|---|---|---|---|
| Name | VMSA-2016-0004 | First vendor Publication | 2016-04-14 |
| Vendor | VMware | Last vendor Modification | 2016-04-14 |
| Severity (Vendor) | N/A | Revision | N/A |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:N/AC:M/Au:N/C:P/I:P/A:P) | |||
|---|---|---|---|
| Cvss Base Score | 6.8 | Attack Range | Network |
| Cvss Impact Score | 6.4 | Attack Complexity | Medium |
| Cvss Expoit Score | 8.6 | Authentication | None Required |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| a. Critical VMware Client Integration Plugin incorrect session handling The VMware Client Integration Plugin does not handle session content in a safe way. This may allow for a Man in the Middle attack or Web session hijacking in case the user of the vSphere Web Client visits a malicious Web site. The vulnerability is present in versions of CIP that shipped with: - vCenter Server 6.0 (any 6.0 version up to 6.0 U2) - vCenter Server 5.5 U3a, U3b, U3c - vCloud Director 5.5.5 - vRealize Automation Identity Appliance 6.2.4 In order to remediate the issue, both the server side (i.e. vCenter Server, vCloud Director, and vRealize Automation Identity Appliance) and the client side (i.e. CIP of the vSphere Web Client) will need to be updated. The steps to remediate the issue are as follows: A) Install an updated version of: - vCenter Server, - vCloud Director, - vRealize Automation Identity Appliance, B) Subsequently update the Client Integration Plugin on the system from which the vSphere Web Client is used. Updating the plugin on vSphere and vRA Identity Appliance is explained in VMware Knowledge Base article 2145066. Updating the plugin on vCloud Director is initiated by a prompt when connecting the vSphere Web Client to the updated version of vCloud Director. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2016-2076 to this issue. |
Original Source
| Url : http://www.vmware.com/security/advisories/VMSA-2016-0004.html |
CWE : Common Weakness Enumeration
| % | Id | Name |
|---|---|---|
| 100 % | CWE-287 | Improper Authentication |
CPE : Common Platform Enumeration
Nessus® Vulnerability Scanner
| Date | Description |
|---|---|
| 2016-04-26 | Name : A virtualization management application installed on the remote host is affec... File : vmware_vcenter_vmsa-2016-0004.nasl - Type : ACT_GATHER_INFO |
| 2016-04-26 | Name : A virtualization appliance installed on the remote host is affected by a sess... File : vmware_vcloud_director_vmsa-2016-0004.nasl - Type : ACT_GATHER_INFO |
| 2016-01-08 | Name : The remote OracleVM host is missing a security update. File : oraclevm_OVMSA-2016-0004.nasl - Type : ACT_GATHER_INFO |
Alert History
| Date | Informations |
|---|---|
| 2016-05-10 17:35:40 |
|
| 2016-04-28 13:28:17 |
|
| 2016-04-15 21:37:34 |
|
| 2016-04-15 00:23:47 |
|
