Last week VMware released advisory VMSA-2016-0004 for a critical security issue found in the Client Integration Plugin which is found in versions of vCenter, vCloud Director and vRealize Automation. From going through the advisory the Client Integration Plugin does not handle session content in a “safe way” which may allow for a Man in the Middle attack or Web session hijacking in case the user of the vSphere Web Client visits a malicious Web site.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2016-2076 to this issue.
The systems at most risk are those who expose vSphere Web Clients on 5.5 U3x and 6.0 prior to Update 2 and those publicly running instances of vCloud Director 5.5.5 and vRA 6.2.4. For Service Providers, this issue does not present in vCloud Director SP 5.6.x. vCD SP 8.0.0 did not ship with a vulnerable CIP version while vCD SP 8.0.1 shipped with the updated version of the CIP.
vCloud Director 5.5.6 Released:
- vSphere support: vCloud Director 5.5.6 adds support for vSphere 60u2 in backward compatibility mode.
- NSX support: vCloud Director 5.5.6 supports NSX versions 6.2.2 and 6.1.6.
- vCloud Networking and Security support: vCloud Director 5.5.6 supports vCloud Networking and Security versions 5.5.4.2.
- browser support: vCloud Director 5.5.6 adds browser support for Microsoft Internet Explorer 11.
- Guest operating system customization support: vCloud Director 5.5.6 adds customization support for the following guest operating systems. Red Hat Enterprise Linux 7.2/7.1/6.7
Good to see that the vCD team is still keeping tabs on the non SP form of the platform even though it’s been pulled from general availability for some time now. If you are still running vCD 5.5.x you need upgrade to 5.5.6 and patch that CIP security hole. After install you will also need to let all your end users know the Client Integration Plugin will need to be updated on all systems from which the vSphere Web Client is used to connect to vCenter Server, vCloud Director and vRealize Automation Identity Manager.
For more on what the Client Integration Client does, I’ve linked below a William Lam that explains it in great detail.
http://www.virtuallyghetto.com/2015/12/what-is-the-vmware-client-integration-plugin-cip.html
References:
http://www.vmware.com/security/advisories/VMSA-2016-0004.html
http://www.cvedetails.com/cve/CVE-2016-2076/
http://pubs.vmware.com/Release_Notes/en/vcd/556/rel_notes_vcloud_director_556.html