VMware product updates address a critical security issue in the VMware Client Integration Plugin
|VMware Security Advisory|
|Synopsis:||VMware product updates address a critical security issue in the VMware Client Integration Plugin|
|Updated on:||2016-04-14 (Initial Advisory)|
VMware vCenter Server, vCloud Director (vCD), vRealize Automation (vRA)
Identity Appliance, and the Client Integration Plugin (CIP) updates address
a critical security issue.
vCenter Server 6.0 prior to 6.0 U2
vCenter Server 5.5 U3a, U3b, U3c
vCloud Director 5.5.5
vRealize Automation Identity Appliance 6.2.4
a. Critical VMware Client Integration Plugin incorrect session handling
The VMware Client Integration Plugin does not handle session content
in a safe way. This may allow for a Man in the Middle attack or Web
session hijacking in case the user of the vSphere Web Client visits
a malicious Web site.
The vulnerability is present in versions of CIP that shipped with:
– vCenter Server 6.0 (any 6.0 version prior to 6.0 U2)
– vCenter Server 5.5 U3a, U3b, U3c
– vCloud Director 5.5.5
– vRealize Automation Identity Appliance 6.2.4
In order to remediate the issue, both the server side (i.e. vCenter
Server, vCloud Director, and vRealize Automation Identity Appliance)
and the client side (i.e. CIP of the vSphere Web Client) will need
to be updated.
The steps to remediate the issue are as follows:
A) Install an updated version of:
– vCenter Server
– vCloud Director
– vRealize Automation Identity Appliance
B) After step A), update the Client Integration Plugin on the system
from which the vSphere Web Client is used.
Updating the plugin on vSphere and vRA Identity Appliance is
explained in VMware Knowledge Base article 2145066.
Updating the plugin on vCloud Director is initiated by a prompt
when connecting the vSphere Web Client to the updated version of
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the identifier CVE-2016-2076 to this issue.
Column 4 of the following table lists the action required to remediate the
vulnerability in each release, if a solution is available.
|vCenter Server||6.0||any||6.0 U2 *|
|vCenter Server||5.5 U3a – U3c||any||5.5 U3d *|
|vCenter Server||5.1||any||not affected|
|vCenter Server||5.0||any||not affected|
|vCloud Director||8.0.x||Linux||not affected **|
|vCloud Director||5.6.x||Linux||not affected|
|vCloud Director||5.5.5||Linux||5.5.6 *|
|vRA Identity Appliance||7.x||Linux||not affected|
|vRA Identity Appliance||6.2.4||Linux||220.127.116.11 *|
|Client Integration Plugin||see text above||Windows, Mac OS||see item B above|
* After installing the updated version, the Client Integration Plugin
will need to be updated on all systems from which the vSphere Web
Client is used to connect to vCenter Server, vCloud Director and
vRealize Automation Identity Manager.
** vCloud Director 8.0.0 did not ship with a vulnerable CIP version, and
vCloud Director 8.0.1 shipped with the updated version of the CIP.
Please review the patch/release notes for your product and
version and verify the checksum of your downloaded file.
vCloud Director 5.5.6
Downloads and Documentation:
VMware vRealize Automation 18.104.22.168
Downloads and Doumentation:
(select “Go to Downloads” and scroll down to “Security Update”)
VMware Knowledge Base article 2145066
Initial security advisory in conjunction with the release of VMware
vSphere 5.5 U3d and vCloud Director 5.5.6 on 2016-04-14.
Created on April 14, 2016 by Rick Scherer
Posted under Alert.
This blog has 20,648 views.