a. Critical JMX issue when deserializing authentication credentials
The RMI server of the Oracle JRE JMX service deserializes objects of any class when it deserializes authentication credentials. This may allow a remote, unauthenticated attacker to trigger a deserialization flaw and execute commands of their choosing.
Workarounds for CVE-2016-3427
vCenter Server
Apply the steps of VMware Knowledge Base article 2145343 to vCenter Server 6.0 on Windows. See the table below for the specific vCenter Server 6.0 versions on Windows this applies to.
vCloud Director
No workaround identified
vSphere Replication
No workaround identified
vRealize Operations Manager (non-appliance)
The non-appliance version of vRealize Operations Manager (vROps), which can be installed on Windows and Linux, has no default firewall. To remove the possibility of remote exploitation, inbound access to the following external ports must be blocked on the system where the non-appliance version of vROps is installed:
- vROps 6.2.x: ports 9004, 9005, 9006, 9007, 9008
- vROps 6.1.x: ports 9004, 9005, 9007, 9008
- vROps 6.0.x: ports 9004, 9005
Note: These ports are already blocked by default in the appliance version of vROps.
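The following is an added example and not part of the VMware advisory or KB article. It maps a vROps version string to the port list given above, emits matching Linux iptables rules, and checks a listening-socket listing in the format of `ss -ltn` for workaround ports still bound on a non-loopback address. The interface name, the sample listing, and the assumption that the ports are TCP listeners are constructed for illustration; on a real host, the listing would come from `ss -ltn` and the rules should be adapted to the firewall actually in use (Windows Firewall for the Windows install).

```shell
#!/bin/sh
# Added example (not VMware's code): helpers for the vROps port-blocking workaround.

# Print the ports the workaround says to block for a given vROps version.
# Returns non-zero for versions the advisory does not list.
vrops_jmx_ports() {
  case "$1" in
    6.2.*) echo "9004 9005 9006 9007 9008" ;;
    6.1.*) echo "9004 9005 9007 9008" ;;
    6.0.*) echo "9004 9005" ;;
    *)     return 1 ;;
  esac
}

# Emit iptables rules dropping inbound TCP to those ports on an interface.
# Assumption: the listeners are TCP; $2 is the external interface name.
vrops_block_rules() {
  ports=$(vrops_jmx_ports "$1") || { echo "unsupported vROps version: $1" >&2; return 1; }
  for p in $ports; do
    echo "iptables -A INPUT -i $2 -p tcp --dport $p -j DROP"
  done
}

# Given a version and an `ss -ltn`-style listing (field 4 = local address:port),
# print the workaround ports that are bound on something other than loopback.
# Loopback-only listeners are not reachable remotely and are not reported.
vrops_exposed_ports() {
  ports=$(vrops_jmx_ports "$1") || return 1
  printf '%s\n' "$2" | awk -v want="$ports" '
    BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) p[w[i]] = 1 }
    $1 == "LISTEN" {
      addr = $4
      k = match(addr, /:[0-9]+$/)
      if (!k) next
      host = substr(addr, 1, k - 1)
      port = substr(addr, k + 1)
      if ((port in p) && host != "127.0.0.1" && host != "[::1]")
        out = out (out ? " " : "") port
    }
    END { print out }'
}

# Constructed sample listing (not captured from a real system): two workaround
# ports exposed on all interfaces, one bound to loopback only, one unrelated.
SAMPLE_LISTEN='LISTEN 0 128 0.0.0.0:9004 0.0.0.0:*
LISTEN 0 128 127.0.0.1:9005 0.0.0.0:*
LISTEN 0 128 0.0.0.0:9007 0.0.0.0:*
LISTEN 0 128 0.0.0.0:443 0.0.0.0:*'

# Usage: report exposed ports for a hypothetical 6.1.x install, then print rules.
vrops_exposed_ports 6.1.3 "$SAMPLE_LISTEN"
vrops_block_rules 6.1.3 eth0
```

On a live Linux host the check would be run as `vrops_exposed_ports 6.1.3 "$(ss -ltn)"`; an empty result means every listed port is either not listening or bound to loopback only.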
vRealize Infrastructure Navigator
No workaround identified
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2016-3427 to this issue.
Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.