VMware product updates address information disclosure issue.

2015-11-1800:00:00

www.vmware.com

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.009 Low

EPSS

Percentile

82.3%

JSON

a. vCenter Server, vCloud Director, Horizon View information disclosure issue VMware products that use Flex BlazeDS may be affected by a flaw in the processing of XML External Entity (XXE) requests. A specially crafted XML request sent to the server could lead to unintended information be disclosed. VMware would like to thank Matthias Kaiser of Code White GmbH and Ilyass El Hadi of KPMG-EGYDE for independently reporting this issue to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2015-3269 to this issue.

The product updates listed in the table below have also been determined to address a XML External Entity (XXE) Processing and Server Side Request Forgery vulnerability in Flex BlazeDS.

VMware would like to thank James Kettle of PortSwigger Web Security for reporting these issues to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2015-5255 to these issues.

Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

CPENameOperatorVersion
vcenter serverlt5.5 update 3
vcenter serverlt5.1 update u3b
vcenter serverlt5.0 update u3e
vcloud directorlt9.1.0.2
vcloud directorlt9.0.0.3
vcloud directorlt5.6.4
vcloud directorlt5.5.3
horizon viewlt6.1
horizon viewlt5.3.4

Name	Operator	Version
vcenter server	lt	5.5 update 3
vcenter server	lt	5.1 update u3b
vcenter server	lt	5.0 update u3e
vcloud director	lt	9.1.0.2
vcloud director	lt	9.0.0.3
vcloud director	lt	5.6.4
vcloud director	lt	5.5.3
horizon view	lt	6.1
horizon view	lt	5.3.4