News
VMware Patches Critical Java Flaw
VMware Inc. last week released a security update for the Oracle Java runtime
environment (JRE). The fix, which patches a critically rated information
disclosure flaw in JRE known as "SKIP-TLS," should be applied only by those
running older versions of the Oracle software. Those running JRE 1.7 Update 75
or newer and JRE 1.6 Update 91 or newer are already protected from the flaw and
no security updates are needed, according to a security advisory released by
VMware.
SKIP-TLS includes multiple bugs in the TLS/SSL protocols that can lead to errors
when an unknown message is managed by a client or server. If the issues were
leveraged with the aid of a malicious server, a man-in-the-middle attack could
occur.
Last week's security update addresses the issue in the following VMware
offerings:
- Horizon View 6.x or 5.x
- Horizon Workspace Portal Server 2.1 or 2.0
- vCenter Operations Manager 5.8.x or 5.7.x
- vCloud Automation Center 6.0.1
- vSphere Replication prior to 5.8.0.2 or 5.6.0.3
- vRealize Automation 6.2.x or 6.1.x
- vRealize Code Stream 1.1 or 1.0
- vRealize Hyperic 5.8.x, 5.7.x or 5.0.x
- vSphere AppHA prior to 1.1.x
- vRealize Business Standard prior to 1.1.x or 1.0.x
- NSX for Multi-Hypervisor prior to 4.2.4
- vRealize Configuration Manager 5.7.x or 5.6.x
- vRealize Infrastructure 5.8, 5.7
While VMware has applied the fix to many of its products, the company said the
security update is still pending for some, including the Horizon DaaS Platform
6.1, vCloud Networking and Security, vCloud Site Recovery Manager 5.5.x and
vRealize Operations Manager 6.0, to name a few.