Virtualization software giant VMware has issued an urgent security advisory to users of more than a dozen of its virtualization products. The company has released a host of product updates – with several patches pending – to address what it called a “critical information disclosure issue in JRE [the Java runtime environment].”
The medium-severity vulnerability in Oracle JRE (CVE-2014-6593) can lead to unauthorized disclosure or alteration of information, but MITRE has rated the exploit as highly complex to execute. The advisory results from the improper handling of the ChangeCipherSpec in Oracle JRE, also known as “SKIP” or “SKIP-TLS,” explained Kieron Shorrock, a senior program manager for product security at VMware. The vulnerability can allow a man-in-the-middle attack to interfere with the SSL protocol’s authentication handshake, thereby allowing a successful attack to “result in impersonation of the server or in communication over plaintext between client and server,” he wrote in the VMware security blog.
“VMware products operating on JRE 1.7 update 75 and newer and JRE 1.6 update 91 and newer are not impacted by this vulnerability,” noted an analysis by Threatpost, published by security vendor Kaspersky Lab.
The following VMware products are affected by the Oracle JRE vulnerability:
- Horizon View 6.x or 5.x
- Horizon Workspace Portal Server 2.1 or 2.0
- vCenter Operations Manager 5.8.x or 5.7.x
- vCloud Automation Center 6.0.1
- vSphere Replication prior to 188.8.131.52 or 184.108.40.206
- vRealize Automation 6.2.x or 6.1.x
- vRealize Code Stream 1.1 or 1.0
- vRealize Hyperic 5.8.x, 5.7.x or 5.0.x
- vSphere AppHA Prior to 1.1.x
- vRealize Business Standard prior to 1.1.x or 1.0.x
- NSX for Multi-Hypervisor prior to 4.2.4
- vRealize Configuration Manager 5.7.x or 5.6.x
- vRealize Infrastructure 5.8, 5.7
“We have reviewed CVE-2014-6593 and determined that it is a critical security issue if an application initiates communication over an untrusted network,” Shorrock advised. “Because of this, VMware is updating JRE in products that may face the Internet first, followed by updating JRE in products that are typically deployed in a datacenter but don’t communicate outside,” he added.
Shorrock also noted the security advisory will be republished when new patches or product releases addressing the vulnerability are made available for its software that was not updated before the advisory was issued.