VMware vSphere Update Manager Java Vulnerability (VMSA-2015-0003)
Medium Nessus Plugin ID 83184
Synopsis
The remote host has an update manager installed that is affected by a Java Runtime Environment (JRE) vulnerability.
Description
The version of VMware vSphere Update Manager installed on the remote Windows host is 5.0 prior to Update 3d, 5.1 prior to Update 3a, 5.5 prior to Update 2e, or 6.0 prior to 6.0.0a. It is, therefore, affected by a vulnerability related to the bundled version of Oracle JRE prior to 1.7.0_76. A flaw exists in the JSSE component due to improper ChangeCipherSpec tracking during SSL/TLS handshakes. This can be exploited by a man-in-the-middle attacker to cause an unencrypted connection to be established.
Note that the application was formerly named vCenter Update Manager.
Solution
Upgrade vSphere Update Manager to 5.0 Update 3d / 5.1 Update 3a / 5.5 Update 2e / 6.0.0a or later.