First patch didn’t patch so isn’t a patch on the new patch
There’s egg on face down VMware way after the company ‘fessed up that a patch it delivered last year didn’t completely work.
The problem the patch failed to patch is VMSA-2015-0007, a nasty that means vCenter Server possesses a remotely accessible JMX RMI service that is not securely configured. News of that problem emerged, along with a patch, on October 1st 2015 to address CVE-2015-2342.
So far, so good … until last Friday, February 12th 2016, when VMware updated its original advisory with news that the patch was “did not address the issue”.
“VMSA-2015-0007.2 and earlier versions of this advisory documented that CVE-2015-2342 was addressed in vCenter Server 5.0 U3e, 5.1 U3b, and 5.5 U3,” Virtzilla writes. “Subsequently, it was found that the fix for CVE-2015-2342 in vCenter Server 5.0 U3e, 5.1 U3b, and 5.5 U3/U3a/U3b running on Windows was incomplete and did not address the issue.”
Which means it is time for another patch, to be found here in the VMware knowledge base.
This looks to be one to do in haste, but perhaps not a rush because the bug only bites vCenter on Windows, and even then won’t be a problem if you run Windows Firewall on your vCenter Server.
VMware nonetheless reckons that “Even if the Windows Firewall is enabled, users are advised to install the additional patch in order to remove the local privilege elevation.”
VMware patched nine flaws in 2015, a small number compared to many other enterprise software vendors. ®
Service Virtualisation for Dummies