In the latter half of last week VMware released security updates for the following products:
- vCenter Server v6.0 (prior to 6.0 U2)
- vCenter Server 5.5 U3a – U3c
- vCloud Director version 5.5.5 for Windows
- vRealize Automation Identity Appliance version 6.2.4 for Linux
- Client Integration Plugin for Apple Mac OS X and Windows
These updates resolve a potential man-in-the-middle (MiTM) attack (defined) caused by the VMware Client Integration Plugin not handling session content safely. This issue was assigned the CVE number (defined) CVE-2016-2076.
Why Should This Issue Be Considered Important?
If an attacker were to successfully exploit this issue, the information exchanged within the session between the client and the server could be disclosed to the attacker (as a result of the man-in-the-middle attack). The session between the client and the server could also be hijacked if the user of the vSphere Web Client were to visit a malicious website while the plugin is active.
How Can I Protect Myself From This Issue?
VMware have released updates to resolve this issue within the affected products. Please refer to VMware’s security advisory to download the necessary updates.
Please note that both the server side (i.e. vCenter Server, vCloud Director, and vRealize Automation Identity Appliance) and the client side (i.e. the Client Integration Plugin (CIP) of the vSphere Web Client) that communicate during a session must each be updated to protect against this issue. Updating the server alone does not protect a workstation that is still running the older plugin, and vice versa.
A step-by-step installation checklist for applying these updates to the affected products is also provided in the above mentioned advisory.