VMware Patches Critical Java Flaw

VMware Inc. last week released a security update for the Oracle Java runtime environment (JRE).

The fix, which patches a critically rated information disclosure flaw in JRE known as "SKIP-TLS," needs to be applied only by those running older versions of the Oracle software. Those running JRE 1.7 Update 75 or newer, or JRE 1.6 Update 91 or newer, are already protected from the flaw and need no security update, according to a security advisory released by VMware.

SKIP-TLS includes multiple bugs in the TLS/SSL protocols that can lead to errors when an unknown message is handled by a client or server. If the issues were leveraged with the aid of a malicious server, a man-in-the-middle attack could occur.

Last week's security update addresses the issue in the following VMware offerings:

  • Horizon View 6.x or 5.x

  • Horizon Workspace Portal Server 2.1 or 2.0

  • vCenter Operations Manager 5.8.x or 5.7.x

  • vCloud Automation Center 6.0.1

  • vSphere Replication prior to or

  • vRealize Automation 6.2.x or 6.1.x

  • vRealize Code Stream 1.1 or 1.0

  • vRealize Hyperic 5.8.x, 5.7.x or 5.0.x

  • vSphere AppHA prior to 1.1.x

  • vRealize Business Standard prior to 1.1.x or 1.0.x

  • NSX for Multi-Hypervisor prior to 4.2.4

  • vRealize Configuration Manager 5.7.x or 5.6.x

  • vRealize Infrastructure 5.8, 5.7

While VMware has applied the fix to many of its products, the company said the security update is still pending for some, including the Horizon DaaS Platform 6.1, vCloud Networking and Security, vCloud Site Recovery Manager 5.5.x and vRealize Operations Manager 6.0, to name a few.
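The version thresholds quoted from the advisory can be turned into a quick inventory check. The following is an added example, not code from VMware or the article; it assumes the legacy `1.x.0_NN` version string that `java -version` prints for these releases, and the host names and versions in the sample inventory are constructed.

```python
import re

# Minimum protected update per JRE family, as stated in the article.
PROTECTED_FROM = {"1.7": 75, "1.6": 91}

# Legacy version string, e.g. 'java version "1.7.0_71"' or bare '1.6.0_85-b13'.
_VERSION_RE = re.compile(r'\b(1\.\d+)\.\d+(?:_(\d+))?')

def parse_jre(text):
    """Return (family, update) from a legacy JRE version string, or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    # A string with no "_NN" suffix is the initial release, i.e. update 0.
    return m.group(1), int(m.group(2) or 0)

def classify(text):
    """Return 'protected', 'needs-update' or 'unknown' for one version string."""
    parsed = parse_jre(text)
    if parsed is None:
        return "unknown"
    family, update = parsed
    floor = PROTECTED_FROM.get(family)
    if floor is None:
        # The article gives thresholds only for 1.7 and 1.6; do not guess.
        return "unknown"
    return "protected" if update >= floor else "needs-update"

# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = {
    "view-conn-01": 'java version "1.7.0_71"',
    "vcops-02": 'java version "1.7.0_75"',
    "hyperic-03": "1.6.0_85-b13",
    "cfgmgr-04": "1.6.0_91",
    "lab-05": "1.8.0_31",
    "lab-06": "not installed",
}

def report(inventory):
    """Map each host to its classification."""
    return {host: classify(version) for host, version in inventory.items()}

if __name__ == "__main__":
    for host, status in sorted(report(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```

Hosts reported as `unknown` need a manual check against the advisory, since the article states no threshold for their JRE family.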


About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.

