NEW VMSA-2016-0006 VMware vCenter Server updates address an important cross-site scripting issue

VMware Security Advisory
Advisory ID: VMSA-2016-0006
Synopsis: VMware vCenter Server updates address an important cross-site scripting issue
Issue date: 2016-05-24
Updated on: 2016-05-24
CVE numbers: CVE-2016-2078
1. Summary
VMware vCenter Server updates address an important cross-site scripting issue.
2. Relevant Releases
vCenter Server 6.0 prior to 6.0 update 2
vCenter Server 5.5 prior to 5.5 update 3d
vCenter Server 5.1 prior to 5.1 update 3d
3. Problem Description
a. Reflected cross-site scripting issue through flash parameter injectionThe vSphere Web Client contains a reflected cross-site scripting vulnerability
that occurs through flash parameter injection. An attacker can exploit this issue
by tricking a victim into clicking a malicious link.VMware would like to thank John Page aka hyp3rlinx for reporting this issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the identifier CVE-2016-2078 to this issue.

Column 4 of the following table lists the action required to remediate
the vulnerability in each release, if a solution is available.

VMware Product Running Replace with/
Product Version on Apply Patch
vCenter Server 6.0 Windows 6.0 U2*
vCenter Server 6.0 Linux Not Affected
vCenter Server 5.5 Windows 5.5 U3d*
vCenter Server 5.5 Linux Not Affected
vCenter Server 5.1 Windows 5.1 U3d*
vCenter Server 5.1 Linux Not Affected
vCenter Server 5.0 Any Not Affected
  *Client side component of the vSphere Web Client does not need to be updated
to remediate CVE-2016-2078. Updating the vCenter Server is sufficient to
remediate this issue. 
4. Solution
   Please review the patch/release notes for your product and
version and verify the checksum of your downloaded file.vCenter Server
————–
Downloads and Documentation:
https://www.vmware.com/go/download-vsphere
5. References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2078
6. Change log
2016-05-24 VMSA-2016-0006
Initial security advisory in conjunction with the release of VMware
vCenter Server 5.1 U3d on 2016-05-24.

Created on May 25, 2016 by Rick Scherer

Posted under Alert.

This blog has 8,695 views.

Tags: , , , ,

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)
Loading...

Leave a Comment

Name (required)

Email (required)

Website

Comments

More Blog Post