VMware: VMSA-2016-0022
History: Nov 22, 2016 - 12:00 a.m.

VMware product updates address information disclosure vulnerabilities

2016-11-22 00:00:00
www.vmware.com
EPSS: 0.011 (percentile: 84.7%)

a. vSphere Client XML External Entity vulnerability

The vSphere Client contains an XML External Entity (XXE) vulnerability. This issue can lead to information disclosure if a vSphere Client user is tricked into connecting to a malicious instance of vCenter Server or ESXi.

There are no known workarounds for this issue.

VMware would like to thank Vladimir Ivanov, Andrey Evlanin, Mikhail Stepankin, Artem Kondratenko, and Arseniy Sharoglazov of Positive Technologies for reporting this issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2016-7458 to this issue.

Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.
