News: Cexx forums, with volunteers dedicated to helping you remove malware and stay protected
 
Topic: VMware svr and client multiple vulns - updates available  (Read 28679 times)
« Reply #105 on: March 12, 2014, 07:21:42 »
AplusWebMaster Offline
Global Moderator WWW

Karma: 501
Posts: 7972



FYI...

VMSA-2014-0002 - VMware vSphere updates - third party libraries
- http://www.vmware.com/security/advisories/VMSA-2014-0002.html
2014-03-11 - "Summary: VMware has updated vSphere third party libraries... The NTP daemon has a DDoS vulnerability in the handling of the "monlist" command. An attacker may send a forged request to a vulnerable NTP server resulting in an amplified response to the intended target of the DDoS attack... Mitigation for this issue is documented in VMware Knowledge Base article 2070193*..."
* http://kb.vmware.com/kb/2070193

vCenter Server 5.5 - Release Notes:
- https://www.vmware.com/support/vsphere5/doc/vsphere-vcenter-server-55u1-release-notes.html

ESXi 5.5
- http://kb.vmware.com/kb/2065826
___

- https://secunia.com/advisories/57388/
Release Date: 2014-03-12
Criticality: Highly Critical
Where: From remote
Impact: Manipulation of data, Exposure of sensitive information, DoS, System access...

- https://secunia.com/advisories/57393/
Release Date: 2014-03-12
Criticality: Highly Critical
Where: From remote
Impact: Manipulation of data, Exposure of sensitive information, DoS, System access...

« Last Edit: March 12, 2014, 08:12:02 by AplusWebMaster » Logged

This machine has no brain.
....... Use your own.
Browser check for updates here.
.
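
A configuration check for the NTP "monlist" issue summarized in Reply #105, added here as an example (it is not from the forum post, VMware's advisory or KB 2070193). It audits ntp.conf text for the two standard ntpd settings that stop monlist being answered to arbitrary hosts: `disable monitor`, and `noquery` on every default restriction. The sample configurations and the function name are constructed for illustration.

```python
# Constructed sample configurations (not taken from the advisory or KB 2070193).
WEAK_CONF = """\
driftfile /etc/ntp.drift
server ntp1.example.invalid
restrict 127.0.0.1
"""
HARDENED_CONF = """\
driftfile /etc/ntp.drift
server ntp1.example.invalid
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
disable monitor
"""
# "limited" keeps ntpd's monitoring list active even after "disable monitor".
LIMITED_CONF = HARDENED_CONF.replace("kod nomodify", "limited kod nomodify")


def audit_ntp_conf(text):
    """Return (findings, exposed) for the monlist amplification issue."""
    monitor_enabled = True      # ntpd enables monitoring by default
    limited_seen = False
    default_lines = []          # flag sets of every "restrict default" line
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()   # drop comments, then tokenize
        if not tokens:
            continue
        keyword, args = tokens[0], tokens[1:]
        if keyword in ("enable", "disable") and "monitor" in args:
            monitor_enabled = keyword == "enable"
        elif keyword == "restrict":
            if args and args[0] in ("-4", "-6"):    # address-family prefix
                args = args[1:]
            limited_seen = limited_seen or "limited" in args[1:]
            if args and args[0] == "default":
                default_lines.append(set(args[1:]))
    findings = []
    monitoring_active = monitor_enabled or limited_seen
    if monitor_enabled:
        findings.append("monitoring enabled: add 'disable monitor'")
    elif limited_seen:
        findings.append("'limited' restriction keeps monitoring active")
    # Remote mode 7 queries are refused only if every default entry has noquery.
    queries_blocked = bool(default_lines) and all(
        "noquery" in flags for flags in default_lines)
    if not queries_blocked:
        findings.append("default restriction lacks 'noquery'")
    # monlist is answered to arbitrary hosts only when both conditions hold.
    return findings, monitoring_active and not queries_blocked
```

An empty findings list with `exposed` false means both controls are in place; a finding with `exposed` false means one layer still protects the host but the configuration should be tightened.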
« Reply #106 on: April 11, 2014, 04:49:32 »
AplusWebMaster Offline

FYI...

VMSA-2014-0003 - VMware vSphere Client updates address security vulns
- http://www.vmware.com/security/advisories/VMSA-2014-0003.html
2014-04-10
Synopsis: VMware vSphere Client updates address security vulnerabilities
CVE numbers: CVE-2014-1209, CVE-2014-1210
Summary: VMware vSphere Client updates address security vulnerabilities
Relevant Releases: vSphere Client 5.1, 5.0, 4.1, 4.0
Problem Description: vSphere Client Insecure Client Download
vSphere Client contains a vulnerability in accepting an updated vSphere Client file from an untrusted source. The vulnerability may allow a host to direct vSphere Client to download and execute an arbitrary file from any URI. This issue can be exploited if the host has been compromised or if a user has been tricked into clicking a malicious link... table lists the action required to remediate the vulnerability in each release, if a solution is available...
(More detail available at the vmware URL above.)
___

- http://www.securitytracker.com/id/1030055
CVE Reference: CVE-2014-1209, CVE-2014-1210
Apr 11 2014
Impact: Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): vSphere Client 4.0, 4.1, 5.0, 5.1 ...
Solution: The vendor has issued a fix (5.0 Update 3, 5.1 Update 2; For versions 4.x, use vSphere Client 4.0 or 4.1 from ESX/ESXi)...
The vendor's advisory is available at:
- http://www.vmware.com/security/advisories/VMSA-2014-0003.html

« Last Edit: April 12, 2014, 18:03:49 by AplusWebMaster » Logged

« Reply #107 on: April 14, 2014, 10:17:52 »
AplusWebMaster Offline

FYI...

VMSA-2014-0004 - VMware product updates address OpenSSL security vulnerabilities
- http://www.vmware.com/security/advisories/VMSA-2014-0004.html
2014-04-14
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0076 - 4.3
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160 - 5.0
___

VMware OpenSSL TLS/DTLS Heartbeat Vulnerabilities - Multiple Products ...
- https://secunia.com/advisories/57770/
Release Date: 2014-04-14
Criticality: Moderately Critical
Where: From remote
Impact: Exposure of sensitive information ...
Original Advisory:
- http://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&docType=kc&externalId=2076225
Purpose: The VMware Security Engineering, Communications, and Response group (vSECR) is investigating the OpenSSL issue dubbed "Heartbleed" (CVE-2014-0160).
This article reflects the status of the ongoing investigation.
Resolution: The following is a response to the current situation with the software security vulnerability dubbed Heartbleed:
The VMware Security and Engineering teams are working on remediation for the VMware products that have been impacted. VMware is acutely aware of the seriousness of the Heartbleed vulnerability, and all available resources are being directed toward a resolution amidst this industry-wide situation. VMware plans to release updated products and patches for all affected products in this article by April 19th. Please check this article for any updates or exceptions to this timeframe. See the lists below for affected products, and refer to the Resolution/mitigation section for steps to protect your systems while updates are being prepared...
- http://blog.socialcast.com/socialcast-response-to-heartbleed-aka-cve-2014-0160/
Apr 9, 2014

« Last Edit: April 15, 2014, 03:30:23 by AplusWebMaster » Logged
