Heads Up! JRE Update For All Log Insight Versions

VMware released a JRE security update applicable to ALL versions of Log Insight. Read on to learn more!

JRE version 1.7.0_76 is being made available for all versions of Log Insight to address CVE-2014-6593. What is CVE-2014-6593? The National Vulnerability Database states:

Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25; Java SE Embedded 7u71 and 8u6; and JRockit 27.8.4 and 28.3.4 allows remote attackers to affect confidentiality and integrity via vectors related to JSSE.

Well, that is not too helpful. Red Hat states:

It was discovered that the SSL/TLS implementation in the JSSE component in OpenJDK failed to properly check whether the ChangeCipherSpec was received during the SSL/TLS connection handshake. An MITM attacker could possibly use this flaw to force a connection to be established without encryption being enabled.

OK, becoming a little clearer. In short, there is an SSL/TLS vulnerability. More specifically, this is the SKIP-TLS vulnerability. To get the patch for your version of Log Insight, see "vRealize Log Insight 1.x and 2.x JRE update to include a fix for CVE-2014-6593". Also note that this vulnerability applies to other VMware products as well; for a complete list of affected products, see VMSA-2015-0003.1.
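The missing check that Red Hat describes can be shown with a simplified model. This is an example added here, not JSSE or VMware code; the function name, the `require_ccs` flag and the message lists are constructed for illustration.

```python
# Constructed model of a TLS client walking the server's handshake messages.
# Not JSSE code: names, flag and message lists are illustrative assumptions.

class HandshakeError(Exception):
    """Raised when the received message sequence is not acceptable."""

PRE_CCS = ("ServerHello", "Certificate", "ServerHelloDone")

def process_server_flight(messages, require_ccs=True):
    """Return "encrypted" or "plaintext" for the connection that results.

    require_ccs=False models the flawed behaviour: Finished is accepted even
    though ChangeCipherSpec never arrived, so protection is never enabled.
    """
    cipher_active = False   # flips only when ChangeCipherSpec is processed
    finished = False
    for msg in messages:
        if finished:
            raise HandshakeError("message after Finished: " + msg)
        if msg in PRE_CCS:
            if cipher_active:
                raise HandshakeError(msg + " after ChangeCipherSpec")
        elif msg == "ChangeCipherSpec":
            if cipher_active:
                raise HandshakeError("duplicate ChangeCipherSpec")
            cipher_active = True
        elif msg == "Finished":
            if require_ccs and not cipher_active:
                raise HandshakeError("Finished without ChangeCipherSpec")
            finished = True
        else:
            raise HandshakeError("unexpected message: " + msg)
    if not finished:
        raise HandshakeError("handshake incomplete")
    return "encrypted" if cipher_active else "plaintext"

# Constructed sample inputs: a normal flight, and one with ChangeCipherSpec missing.
NORMAL_FLIGHT = ["ServerHello", "Certificate", "ServerHelloDone",
                 "ChangeCipherSpec", "Finished"]
NO_CCS_FLIGHT = ["ServerHello", "Certificate", "ServerHelloDone", "Finished"]

if __name__ == "__main__":
    print(process_server_flight(NORMAL_FLIGHT))
    print(process_server_flight(NO_CCS_FLIGHT, require_ccs=False))
    try:
        process_server_flight(NO_CCS_FLIGHT)
    except HandshakeError as exc:
        print("rejected:", exc)
```

With the check in place the handshake that lacks ChangeCipherSpec is rejected; without it the same handshake completes and the connection carries plaintext.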

© 2015, Steve Flanders. All rights reserved.
