SecurityTracker.com
SecurityTracker
Archives

Category: Application (Generic) > VMware vCenter
Vendors: VMware
(VMware Issues Fix for VMware vCenter Orchestrator) Apache Commons Components Deserialization in InvokerTransformer Lets Remote Users Execute Arbitrary Code on the Target System
SecurityTracker Alert ID:  1034494
SecurityTracker URL:  http://securitytracker.com/id/1034494
CVE Reference: CVE-2015-6934
Date:  Dec 18 2015
Impact:   Execution of arbitrary code via network, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Exploit Included: Yes
Version(s): vCenter Orchestrator 5.x; vCenter Operations 5.x; vCenter Application Discovery Manager (vADM) 7.x
Description:   A vulnerability was reported in Apache Commons Components. A remote user can execute arbitrary code on the target system. VMware vCenter Orchestrator, vCenter Operations, and vCenter Application Discovery Manager (vADM) are affected.

A remote user can send specially crafted serialized data to an application or application server that uses or includes the Java 'InvokerTransformer.class' and deserializes that data, causing arbitrary code to be executed on the target system.

Applications that deserialize untrusted Java objects may be affected.

Applications that use other libraries (e.g., Groovy, Spring) may also be affected.

Application servers (e.g., WebLogic, WebSphere, JBoss) may be affected.

Steve Breen of Foxglove reported details of this vulnerability.

The advisory is available at:

http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/#commons

Christopher Frohoff and Gabriel Lawrence originally reported this vulnerability [at AppSecCali 2015 in January 2015].

The original advisory is available at:

http://www.slideshare.net/frohoff1/appseccali-2015-marshalling-pickles

Impact:   A remote user can execute arbitrary code on the target system.
Solution:   VMware has issued a fix for VMware vCenter Orchestrator (See KB2141244).

A fix is pending for vCenter Operations and vCenter Application Discovery Manager (vADM).

The VMware advisory is available at:

http://www.vmware.com/security/advisories/VMSA-2015-0009.html

Vendor URL: www.vmware.com/security/advisories/VMSA-2015-0009.html
Cause:   Access control error

Message History:   This archive entry is a follow-up to the message listed below.
Nov 9 2015 Apache Commons Components Deserialization in InvokerTransformer Lets Remote Users Execute Arbitrary Code on the Target System



 Source Message Contents

Subject:  [Security-announce] NEW : VMSA-2015-0009 : VMware product updates address a critical deserialization vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID: VMSA-2015-0009
Synopsis:    VMware product updates address a critical deserialization
             vulnerability 
Issue date:  2015-12-18
Updated on:  2015-12-18 (Initial Advisory)
CVE number:  CVE-2015-6934

- ------------------------------------------------------------------------

1. Summary

   VMware product updates address a critical deserialization 
   vulnerability
 
2. Relevant Releases

   vRealize Orchestrator 6.x
   vCenter Orchestrator 5.x

3. Problem Description 

   a. Deserialization vulnerability

   A deserialization vulnerability involving Apache Commons-collections
   and a specially constructed chain of classes exists. Successful 
   exploitation could result in remote code execution, with the 
   permissions of the application using the Commons-collections library.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has 
   assigned the identifier CVE-2015-6934 to this issue.

   Column 4 of the following table lists the action required to
   remediate the vulnerability in each release, if a solution is 
   available.

   VMware                         Product    Running   Replace with/
   Product                        Version    on        Apply Patch
   =====================          =======    =======   =================
   vRealize Orchestrator          7.0        Any       Not Affected
   vRealize Orchestrator          6.x        Any       See KB2141244
   vCenter Orchestrator           5.x        Any       See KB2141244
   
   vRealize Operations            6.x        Windows   Patch Pending *
   vCenter Operations             5.x        Windows   Patch Pending *

   vCenter Application            7.x        Any       Patch Pending
   Discovery Manager (vADM) 

   * Exploitation of the issue on vRealize Operations 
     and vCenter Operations is limited to local privilege escalation.
   
4. Solution

   Please review the patch/release notes for your product and
   version and verify the checksum of your downloaded file.

   vRealize Orchestrator 6.x and 
   vCenter Orchestrator 5.x
   Downloads and Documentation:
   http://kb.vmware.com/kb/2141244

5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6934

- ------------------------------------------------------------------------

6. Change log

   2015-12-18 VMSA-2015-0009 Initial security advisory in conjunction 
   with the release of vRealize Orchestrator 6.x and vCenter 
   Orchestrator 5.x patches on 2015-12-18.

- ------------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

    security-announce at lists.vmware.com
    bugtraq at securityfocus.com
    fulldisclosure at seclists.org

   E-mail: security at vmware.com
   PGP key at: http://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   Consolidated list of VMware Security Advisories
   http://kb.vmware.com/kb/2078735

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html
 
   Twitter
   https://twitter.com/VMwareSRC

   Copyright 2015 VMware Inc.  All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.3.2 (Build 16127)
Charset: utf-8

wj8DBQFWdE+lDEcm8Vbi9kMRAof5AJ98+2YWBOBUdQqTs3iXLzgP2bG6sgCdExfu
ibmrI7HVp13hVX5fsMB5Qis=
=lzgH
-----END PGP SIGNATURE-----
_______________________________________________
Security-announce mailing list
Security-announce@lists.vmware.com
http://lists.vmware.com/mailman/listinfo/security-announce