VMware vSphere Update Manager Java Vulnerability (VMSA-2015-0003)

This script is Copyright (C) 2015 Tenable Network Security, Inc.


Synopsis :

The remote host has an update manager installed that is affected by
a Java Runtime Environment (JRE) vulnerability.

Description :

The version of VMware vSphere Update Manager installed on the remote
Windows host is 5.0 prior to Update 3d, 5.1 prior to Update 3a, 5.5
prior to Update 2e, or 6.0 prior to 6.0.0a. It is, therefore, affected
by a vulnerability related to the bundled version of Oracle JRE prior
to 1.7.0_76. A flaw exists in the JSSE component due to improper
ChangeCipherSpec tracking during SSL/TLS handshakes. This can be
exploited by a man-in-the-middle attacker to cause an unencrypted
connection to be established.

Note that the application was formerly named vCenter Update Manager.

See also :

http://www.vmware.com/security/advisories/VMSA-2015-0003.html
http://www.nessus.org/u?65907755
http://www.nessus.org/u?bfac928a
http://www.nessus.org/u?227f6681
http://www.nessus.org/u?7c26cddb

Solution :

Upgrade vSphere Update Manager to 5.0 Update 3d / 5.1 Update 3a / 5.5
Update 2e / 6.0.0a or later.

Risk factor :

Medium / CVSS Base Score : 4.0
(CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N)
CVSS Temporal Score : 3.5
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false

Family: Windows

Nessus Plugin ID: 83184

Bugtraq ID: 72169

CVE ID: CVE-2014-6593
