VMware product updates address critical information disclosure issue in JRE.

2015-04-0200:00:00

www.vmware.com

4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

HIGH

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:H/Au:N/C:P/I:P/A:N

0.698 Medium

EPSS

Percentile

98.0%

JSON

a. Oracle JRE Update

Oracle JRE is updated in VMware products to address a critical security issue that existed in earlier releases of Oracle JRE. VMware products running JRE 1.7 Update 75 or newer and JRE 1.6 Update 91 or newer are not vulnerable to CVE-2014-6593, as documented in the Oracle Java SE Critical Patch Update Advisory of January 2015. This advisory also includes the other security issues that are addressed in JRE 1.7 Update 75 and JRE 1.6 Update 91. The References section provides a link to the JRE advisory.The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2014-6593 to this issue. This issue is also known as “SKIP” or “SKIP-TLS”. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

CPENameOperatorVersion
horizon viewlt6.1
horizon viewlt5.3.4
horizon workspace portal serverlt2.1.1
horizon daas platformlt6.1.4
horizon daas platformlt5.4.5
vcloud networking and securitylt5.5.4.1
vcloud connectorlt2.7.1
vcloud usage meterlt3.3.3
vcenter site recovery managerlt5.5.1.5
vcenter site recovery managerlt5.1.3.1

Name	Operator	Version
horizon view	lt	6.1
horizon view	lt	5.3.4
horizon workspace portal server	lt	2.1.1
horizon daas platform	lt	6.1.4
horizon daas platform	lt	5.4.5
vcloud networking and security	lt	5.5.4.1
vcloud connector	lt	2.7.1
vcloud usage meter	lt	3.3.3
vcenter site recovery manager	lt	5.5.1.5
vcenter site recovery manager	lt	5.1.3.1