VMware released a security fix last Thursday for its products affected by a Java Runtime Environment (JRE) flaw.
The patch, which fixes a critically rated information disclosure flaw in JRE known as "SKIP-TLS," needs to be applied only by those running older versions of Oracle's software. Those running JRE 1.7 Update 75 or newer and JRE 1.6 Update 91 or newer are already protected from the flaw and need no security updates, according to a security advisory released by VMware.
SKIP-TLS includes multiple bugs in the TLS/SSL protocols that can lead to errors when a client or server handles an unknown message. If the issues were leveraged with the aid of a malicious server, a man-in-the-middle attack could occur.
Last week's security update addresses the issue in the following VMware offerings:
- Horizon View 6.x or 5.x
- Horizon Workspace Portal Server 2.1 or 2.0
- vCenter Operations Manager 5.8.x or 5.7.x
- vCloud Automation Center 6.0.1
- vSphere Replication prior to 220.127.116.11 or 18.104.22.168
- vRealize Automation 6.2.x or 6.1.x
- vRealize Code Stream 1.1 or 1.0
- vRealize Hyperic 5.8.x, 5.7.x or 5.0.x
- vSphere AppHA prior to 1.1.x
- vRealize Business Standard prior to 1.1.x or 1.0.x
- NSX for Multi-Hypervisor prior to 4.2.4
- vRealize Configuration Manager 5.7.x or 5.6.x
- vRealize Infrastructure 5.8 or 5.7
While VMware has applied the fix to many of its products, the company said the security update is still pending for some, including the Horizon DaaS Platform 6.1, vCloud Networking and Security, vCloud Site Recovery Manager 5.5.x and vRealize Operations Manager 6.0, to name a few.
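
One way to triage hosts against the JRE update thresholds quoted above, as an added example that is not from VMware's advisory or tooling. It assumes each banner is the first line of `java -version` taken from the JRE the product actually runs (many appliances bundle their own), and the hostnames and banners are constructed sample data.

```python
import re

# Minimum patched update per JRE family, as quoted in the article above.
PATCHED_MIN_UPDATE = {"1.7": 75, "1.6": 91}

# Matches the legacy version token in `java -version` output, e.g. "1.7.0_71".
_VERSION_RE = re.compile(r'version "(1\.\d+)\.\d+(?:_(\d+))?[^"]*"')


def parse_jre_version(banner):
    """Return (family, update) from `java -version` text, or None if absent."""
    match = _VERSION_RE.search(banner)
    if not match:
        return None
    family, update = match.group(1), match.group(2)
    # A release with no "_NN" suffix (e.g. "1.7.0") is the base release, update 0.
    return family, int(update) if update else 0


def skip_tls_status(banner):
    """Classify a host as 'patched', 'needs-update' or 'unknown'."""
    parsed = parse_jre_version(banner)
    if parsed is None or parsed[0] not in PATCHED_MIN_UPDATE:
        # The article only gives thresholds for the 1.6 and 1.7 families.
        return "unknown"
    family, update = parsed
    return "patched" if update >= PATCHED_MIN_UPDATE[family] else "needs-update"


# Constructed sample inventory: hostname -> first line of `java -version`.
SAMPLE_INVENTORY = {
    "view-conn-01": 'java version "1.7.0_71"',
    "vcops-02": 'java version "1.7.0_75"',
    "hyperic-03": 'java version "1.6.0_85-b13"',
    "legacy-04": 'java version "1.6.0_91"',
    "other-06": 'openjdk version "1.8.0_31"',
    "broken-07": "java: command not found",
}


def audit(inventory):
    """Map each host to its status so the result can feed a patch queue."""
    return {host: skip_tls_status(banner) for host, banner in inventory.items()}


if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{host:14} {status}")
```

Hosts reported as `unknown` need a manual check, since the article gives no threshold for other JRE families or for hosts where the banner could not be read.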