VMware Fixes Java Information Disclosure Vulnerability

VMware has issued an update to a number of its products fixing an information disclosure bug in Oracle’s Java runtime environment.

Virtual Machine maker VMware has updated a slew of its offerings in order to address a critical information disclosure vulnerability in the Oracle’s Java runtime environment (JRE).

The update essentially installs the latest version of JRE into VMware systems where the old version of JRE was affected by CVE-2014-6593. The newer JRE versions fix other bugs as well, but the Full Disclosure entry for VMware is only concerned with CVE-2014-6593, which could allow information disclosure inside certain VMware environments.

VMware products operating on JRE 1.7 update 75 and newer and JRE 1.6 update 91 and newer are not impacted by this vulnerability.

CVE-2014-6593 is also known as “SKIP” or “SKIP-TLS.”

Affected VMware produicts include, Horizon View 6.x or 5.x, Horizon Workspace Portal Server 2.1 or 2.0, vCenter Operations Manager 5.8.x or 5.7.x, vCloud Automation Center 6.0.1, vSphere Replication prior to 5.8.0.2 or 5.6.0.3, vRealize Automation 6.2.x or 6.1.x, vRealize Code Stream 1.1 or 1.0, vRealize Hyperic 5.8.x, 5.7.x or 5.0.x, vSphere AppHA Prior to 1.1.x, vRealize Business Standard prior to 1.1.x or 1.0.x, NSX for Multi-Hypervisor prior to 4.2.4, vRealize Configuration Manager 5.7.x or 5.6.x and vRealize Infrastructure 5.8 or 5.7.

The patch resolving this JRE issue is pending for a number of VMware products. You can find a list of mitigation options on the Full Disclosure mailing list.

Suggested articles