VMware product updates address critical and important security issues.

a. Critical JMX issue when deserializing authentication credentials

The RMI server of Oracle JRE JMX deserializes any class when deserializing authentication credentials. This may allow a remote, unauthenticated attacker to cause deserialization flaws and execute their commands.

Workarounds CVE-2016-3427

vCenter Server

Apply the steps of VMware Knowledge Base article 2145343 to vCenterServer 6.0 on Windows. See the table below for the specific vCenterServer 6.0 versions on Windows this applies to.

vCloud Director

No workaround identified

vSphere Replication

No workaround identified

vRealize Operations Manager (non-appliance)

The non-appliance version of vRealize Operations Manager (vROps), which can be installed on Windows and Linux has no default firewall. In order to remove the remote exploitation possibility, access to the following external ports will need to be blocked on the system where the non-appliance version of vROps is installed:

- vROps 6.2.x: port 9004, 9005, 9006, 9007, 9008

- vROps 6.1.x: port 9004, 9005, 9007, 9008

- vROps 6.0.x: port 9004, 9005

Note: These ports are already blocked by default in the applianceversion of vROps.

vRealize Infrastructure Navigator

No workaround identified

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2016-3427 to this issue.

Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.