[Security-announce] UPDATE : VMSA-2015-0003.9 – VMware product updates address critical information disclosure issue in JRE.

VMware Security Advisory
Advisory ID: VMSA-2015-0003.9
Synopsis: VMware product updates address critical information disclosure issue in JRE
Issue date: 2015-04-02
Updated on: 2015-07-02
CVE numbers: CVE-2014-6593, for other CVEs see JRE reference
1. Summary
VMware product updates address critical information disclosure issue in JRE.
2. Relevant Releases
Horizon View 6.x or 5.x
Horizon Workspace Portal Server 2.1 or 2.0
Horizon DaaS Platform 6.1.4 or 5.4.5
vCloud Networking and Security prior to
vCloud Connector 2.7
vCloud Usage Meter 3.3
vCenter Site Recovery Manager prior to
vCenter Server 6.0, 5.5, 5.1 or 5.0
vRealize Operations Manager 6.0
vCenter Operations Manager 5.8.x or 5.7.x
vCenter Support Assistant 5.5.1.x
vRealize Application Services 6.2 or 6.1
vCloud Application Director 6.0
vRealize Automation 6.2 or 6.1
vCloud Automation Center 6.0.1
vSphere Replication prior to, or
vRealize Automation 6.2.x or 6.1.x
vRealize Code Stream 1.1 or 1.0
vFabric Postgres, or
vRealize Hyperic 5.8.x, 5.7.x or 5.0.x
vSphere AppHA prior to 1.1.x
vSphere Big Data Extensions 2.1 and 2.0
vCenter Chargeback Manager 2.7 or 2.6
vRealize Business Adv/Ent 8.1 or 8.0
vRealize Business Standard prior to 1.1.x or 1.0.x
NSX for vSphere 6.1
NSX for Multi-Hypervisor prior to 4.2.4
vCloud Director prior to 5.5.3
vCloud Director Service Providers prior to
vRealize Configuration Manager 5.7.x or 5.6.x
vRealize Orchestrator 6.0, 5.5 or
vRealize Infrastructure 5.8 or 5.7
vRealize Log Insight 2.5, 2.0, 1.5 or 1.0
vSphere Management Assistant 5.5 or 5.1
vSphere Update Manager 6.0, 5.5, 5.1 or 5.0
EVO:RAIL prior to 1.2.1
3. Problem Description
a. Oracle JRE Update

Oracle JRE is updated in VMware products to address a critical security issue that existed in earlier releases of Oracle JRE.

VMware products running JRE 1.7 Update 75 or newer and JRE 1.6 Update 91 or newer are not vulnerable to CVE-2014-6593, as documented in the Oracle Java SE Critical Patch Update Advisory of January 2015.

This advisory also includes the other security issues that are addressed in JRE 1.7 Update 75 and JRE 1.6 Update 91. The References section provides a link to the JRE advisory.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2014-6593 to this issue. This issue is also known as “SKIP” or “SKIP-TLS”.
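As an added illustration that is not part of the advisory, the following Python check parses `java -version` output and compares the update level against the fixed levels stated above (1.7 Update 75, 1.6 Update 91). The sample outputs and the `check_local_java` helper are constructed here; JRE families this advisory does not name (for example 1.8) are reported as not covered rather than guessed.

```python
import re
import subprocess

# Minimum update level per JRE family that VMSA-2015-0003 cites from the
# Oracle Java SE Critical Patch Update of January 2015 for CVE-2014-6593.
FIXED_UPDATE = {"1.7": 75, "1.6": 91}

# Matches the first line of 'java -version', e.g. java version "1.7.0_65"
_VERSION_RE = re.compile(r'version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(output):
    """Return (family, update) from 'java -version' text, e.g. ("1.7", 65).
    A version without an '_NN' suffix (e.g. 1.7.0) is treated as update 0."""
    m = _VERSION_RE.search(output)
    if not m:
        raise ValueError("no Java version string found")
    family = f"{m.group(1)}.{m.group(2)}"
    update = int(m.group(4) or 0)
    return family, update


def is_fixed_for_cve_2014_6593(output):
    """True if the JRE is at or above the fixed update level for its family,
    False if it is below it, None if the family is not covered by the
    thresholds stated in the advisory (do not assume either way)."""
    family, update = parse_java_version(output)
    threshold = FIXED_UPDATE.get(family)
    if threshold is None:
        return None
    return update >= threshold


def check_local_java():
    """Hypothetical helper: classify the JRE on PATH. 'java -version'
    prints to stderr, so that stream is the one parsed."""
    proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    return is_fixed_for_cve_2014_6593(proc.stderr)


# Constructed sample outputs, shaped like the first lines of 'java -version'.
SAMPLES = {
    "vuln-1.7": 'java version "1.7.0_65"\nJava(TM) SE Runtime Environment\n',
    "fixed-1.7": 'java version "1.7.0_75"\nJava(TM) SE Runtime Environment\n',
    "vuln-1.6": 'java version "1.6.0_85"\n',
    "fixed-1.6": 'java version "1.6.0_91"\n',
    "other": 'java version "1.8.0_40"\n',
}

if __name__ == "__main__":
    for name, out in SAMPLES.items():
        print(name, is_fixed_for_cve_2014_6593(out))
```

A result of `None` means the family is outside the two thresholds this advisory lists, and the Oracle advisory linked from the References section is the place to check it.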

Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware Product | Product Version | Running on | Replace with/Apply Patch**
Horizon View 6.x 6.1
Horizon View 5.x 5.3.4
Horizon Workspace Portal Server 2.1, 2.0 2.1.1
Horizon DaaS Platform 6.1 6.1.4
Horizon DaaS Platform 5.4 5.4.5
vCloud Networking and Security 5.5*
vCloud Connector 2.7 2.7.1*
vCloud Usage Meter 3.3 3.3.3*
vCenter Site Recovery Manager 5.5.x***
vCenter Site Recovery Manager 5.1.x patch pending***
vCenter Site Recovery Manager 5.0.x patch pending***
vCenter Server 6.0 any 6.0.0a
vCenter Server 5.5 any Update 2e
vCenter Server 5.1 any Update 3a
vCenter Server 5.0 any Update 3d
vRealize Operations Manager 6.0 KB2111898
vCenter Operations Manager 5.8.x KB2111172
vCenter Operations Manager 5.7.x KB2111172
vCenter Support Assistant 5.5.1.x 6.0
vRealize Application Services 6.2 KB2111981
vRealize Application Services 6.1 KB2111981
vCloud Application Director 6.0 KB2111981
vCloud Application Director 5.2 KB2111981
vRealize Automation 6.2 KB2111658
vRealize Automation 6.1 KB2111658
vCloud Automation Center 6.0.1 KB2111658
vRealize Code Stream 1.1 KB2111658
vRealize Code Stream 1.0 KB2111658
vPostgres 9.3.x
vPostgres 9.2.x
vPostgres 9.1.x
vSphere Replication 5.8.0
vSphere Replication 5.6.0
vSphere Replication 5.5.0
vSphere Replication 5.1 patch pending
vRealize Hyperic 5.8 KB2111337
vRealize Hyperic 5.7 KB2111337
vRealize Hyperic 5.0 KB2111337
vSphere AppHA 1.1 KB2111336
vSphere Big Data Extensions 2.1 KB2116604*
vSphere Big Data Extensions 2.0 KB2116604*
vSphere Data Protection 6.0 patch pending*
vSphere Data Protection 5.8 patch pending*
vSphere Data Protection 5.5 patch pending*
vSphere Data Protection 5.1 patch pending*
vCenter Chargeback Manager 2.7 KB2112011*
vCenter Chargeback Manager 2.6 KB2113178*
vRealize Business Adv/Ent 8.1 KB2112258*
vRealize Business Adv/Ent 8.0 KB2112258*
vRealize Business Standard 6.0 KB2111802
vRealize Business Standard 1.1 KB2111802
vRealize Business Standard 1.0 KB2111802
NSX for vSphere 6.1 6.1.4*
NSX for Multi-Hypervisor 4.2.x 4.2.4*
vCloud Director 5.5.x 5.5.3*
vCloud Director For Service Providers 5.6.4*
vCenter Application Discovery Manager 7.0 patch pending*
vRealize Configuration Manager 5.7.x KB2111670
vRealize Configuration Manager 5.6 KB2111670
vRealize Infrastructure Navigator 5.8 5.8.4*
vRealize Infrastructure Navigator 5.7 KB2111334*
vRealize Orchestrator 6.0 KB2112028*
vRealize Orchestrator 5.5 KB2112028*
vRealize Orchestrator 5.1*
vRealize Log Insight 2.5 KB2113235*
vRealize Log Insight 2.0 KB2113235*
vRealize Log Insight 1.5 KB2113235*
vRealize Log Insight 1.0 KB2113235*
vSphere Management Assistant 5.5.x
vSphere Management Assistant 5.1.x
vSphere Update Manager 6.0 6.0.0a*
vSphere Update Manager 5.5 Update 2e*
vSphere Update Manager 5.1 Update 3a*
vSphere Update Manager 5.0 Update 3d*
EVO:RAIL 1.2.0 1.2.1*

*     The severity of critical is lowered to important for this product as it is not considered Internet facing.
**   Knowledge Base (KB) articles provide details of the patches and how to install them.
*** vCenter Site Recovery Manager 5.0, 5.1, and 5.5 themselves do not include JRE, but they include the vSphere Replication appliance, which has JRE. vCenter Site Recovery Manager 5.8 and 6.0 include neither JRE nor the vSphere Replication appliance.

4. Solution
Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.
Horizon View 6.1, 5.3.4:

VMware Workspace Portal 2.1.1

Horizon DaaS Platform 6.1.4
Download: https://my.vmware.com/web/vmware/details?downloadGroup=HORIZON-DAAS-610-BIN&productId=405&rPId=6527

Horizon DaaS Platform 5.4.5
Download: https://my.vmware.com/web/vmware/details?downloadGroup=HORIZON-DAAS-ONPREM-540&productId=398&rPId=5214

vCloud Networking and Security
Download: https://my.vmware.com/web/vmware/details?productId=360&rPId=7625&downloadGroup=VCNS5541
Documentation: https://www.vmware.com/support/vshield/doc/releasenotes_vshield_5541.html

vCloud Connector 2.7.1
Downloads and Documentation:

vCloud Usage Meter 3.3.3
Download: https://my.vmware.com/en/group/vmware/get-download?downloadGroup=UMSV333

vCenter Site Recovery Manager


vCenter Server 6.0, 5.5, 5.1, 5.0
Downloads and Documentation:

vRealize Operations Manager 6.0.1
Downloads and Documentation: http://kb.vmware.com/kb/2111898

vCenter Support Assistant 6.0
Downloads and Documentation:

vRealize Application Services 6.2, 6.1
Downloads and Documentation: http://kb.vmware.com/kb/2111981

NSX for vSphere 6.1
Downloads and Documentation: https://my.vmware.com/web/vmware/details?productId=417&downloadGroup=NSX-V-614

NSX for Multi-Hypervisor 4.2.4
Downloads and Documentation: https://my.vmware.com/web/vmware/info/slug/networking_security/vmware_nsx/4_x

vCloud Application Director 6.0
Downloads and Documentation: http://kb.vmware.com/kb/2111981

vCloud Director for Service Providers
Downloads and Documentation: https://www.vmware.com/support/pubs/vcd_sp_pubs.html

vCenter Operations Manager 5.8.5, 5.7.4
Downloads and Documentation:

vCloud Automation Center
Downloads and Documentation:

vSphere Replication,,


vRealize Automation 6.2.1, 6.1.1
Downloads and Documentation:

vRealize Code Stream 1.1, 1.0
Downloads and Documentation:

vFabric Postgres

vRealize Hyperic 5.8.4, 5.7.2, 5.0.3
Downloads and Documentation:

vSphere AppHA 1.1.1
Downloads and Documentation:

vSphere Big Data Extensions 2.1 and 2.0
Downloads and Documentation: http://kb.vmware.com/kb/2116604

vCenter Chargeback Manager 2.7
Downloads and Documentation: http://kb.vmware.com/kb/2112011

vCenter Chargeback Manager 2.6
Downloads and Documentation: http://kb.vmware.com/kb/2113178

vRealize Business Adv/Ent 8.1, 8.0
Downloads and Documentation: http://kb.vmware.com/kb/2112258

vRealize Business Standard 6.0, 1.1, 1.0
Downloads and Documentation:

vCenter Configuration Manager 5.7.3
Downloads and Documentation:

vRealize Infrastructure Navigator 5.8.4

vRealize Infrastructure Navigator 5.7
Downloads and Documentation:

vRealize Orchestrator 6.0, 5.5
Downloads and Documentation: http://kb.vmware.com/kb/2112028

vRealize Orchestrator
Download: https://my.vmware.com/group/vmware/get-download?downloadGroup=VSP51-VCL-VCOVA-51U3A
Documentation: https://www.vmware.com/support/pubs/orchestrator_pubs.html

vSphere Management Assistant
Download: https://my.vmware.com/web/vmware/details?downloadGroup=VMA550&productId=352
Documentation: http://kb.vmware.com/kb/2112648

vSphere Management Assistant
Download: https://my.vmware.com/web/vmware/details?downloadGroup=VSP510-VMA-510&productId=285
Documentation: http://kb.vmware.com/kb/2112647

vSphere Update Manager 6.0, 5.5, 5.1, 5.0
Downloads and Documentation:

EVO:RAIL 1.2.1
Downloads and Documentation:

6. Change log

2015-04-02 VMSA-2015-0003
Initial security advisory in conjunction with the release of VMware Horizon View 6.1, 5.3.4; vCenter Operations Manager 5.8.5; vCenter Operations Manager 5.7.4; vCloud Automation Center; vSphere Replication,; vRealize Automation 6.2.1, 6.1.1; vRealize Code Stream 1.1, 1.0; vRealize Hyperic 5.8.4, 5.7.2, 5.0.3; vSphere AppHA 1.1.1; vRealize Business Standard 1.1.1, 1.0.1; vRealize Configuration Manager prior to 5.7.3; vRealize Infrastructure 5.7, 5.8.4 Patches released on 2015-04-02.

2015-04-09 VMSA-2015-0003.1
Updated security advisory in conjunction with the release of VMware Horizon DaaS Platform 6.1.4, 5.4.5; vRealize Operations Manager 6.0; vRealize Application Services 6.2; vRealize Application Services 6.1; vCloud Application Director 6.0; vCenter Chargeback Manager 2.7, 2.6; vCloud Director For Service Providers; vRealize Log Insight 2.5, 2.0, 1.5, 1.0 Patches released on 2015-04-09

2015-04-13 VMSA-2015-0003.2
Updated Security advisory in conjunction with the release of vRealize Business Adv/Ent 8.1, 8.0 Patches released on 2015-04-13.

2015-04-16 VMSA-2015-0003.3
Updated Security advisory in conjunction with the release of vCloud Connector 2.7.1; vCloud Usage Meter 3.3.3; vCenter Server 6.0, 5.5; vSphere Update Manager 6.0, 5.5 patches released on 2015-04-16.

2015-04-17 VMSA-2015-0003.4
Updated Security advisory in conjunction with the release of vCenter Site Recovery Manager patches released on 2015-04-16.

2015-04-23 VMSA-2015-0003.5
Updated Security advisory in conjunction with the release of NSX for Multi-Hypervisor 4.2.4 and vFabric Postgres, or patches released on 2015-04-23.

2015-04-30 VMSA-2015-0003.6
Updated Security advisory in conjunction with the release of vCloud Networking and Security, vCenter Server 5.1 Update 3a, vCenter Server 5.0 Update 3d, vRealize Orchestrator, vSphere Update Manager 5.1 Update 3a and vSphere Update Manager 5.0 Update 3d patches released on 2015-04-30.

2015-05-07 VMSA-2015-0003.7
Updated Security advisory in conjunction with the release of vCenter Support Assistant 6.0, vSphere Big Data Extensions 2.1 and 2.0, NSX for vSphere 6.1.4 patches released on 2015-05-07.

2015-05-08 VMSA-2015-0003.8
Updated Security advisory in conjunction with the release of vSphere Management Assistant 5.5 and 5.1 patches released on 2015-05-08.

2015-07-02 VMSA-2015-0003.9
Updated Security advisory in conjunction with the release of EVO:RAIL 1.2.1 patches released on 2015-07-02.

7. Contact
E-mail list for product security notifications and announcements:

This Security Advisory is posted to the following lists:

  • security-announce at lists.vmware.com
  • bugtraq at securityfocus.com
  • fulldisclosure at seclists.org

E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055

VMware Security Advisories

VMware Security Response Policy

VMware Lifecycle Support Phases



Created on July 2, 2015 by Rick Scherer

Posted under Alert.