VMware released a JRE security update applicable to ALL versions of Log Insight. Read on to learn more!
JRE version 1.7.0_76 is being made available for all versions of Log Insight to address CVE-2014-6593. What is CVE-2014-6593? The National Vulnerability Database states:
Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25; Java SE Embedded 7u71 and 8u6; and JRockit 27.8.4 and 28.3.4 allows remote attackers to affect confidentiality and integrity via vectors related to JSSE.
Well, that is not too helpful. RedHat states:
It was discovered that the SSL/TLS implementation in the JSSE component in OpenJDK failed to properly check whether the ChangeCipherSpec was received during the SSL/TLS connection handshake. An MITM attacker could possibly use this flaw to force a connection to be established without encryption being enabled.
OK, becoming a little clearer. In short, there is an SSL/TLS vulnerability. More specifically, this is the SKIP-TLS vulnerability: a handshake can be completed without the ChangeCipherSpec message, so the connection never switches to the negotiated cipher and application data is sent in the clear. To get the patch for your version of Log Insight, see vRealize Log Insight 1.x and 2.x JRE update to include a fix for CVE-2014-6593. Also note this vulnerability is applicable to other VMware products as well; for a complete list of impacted products, see VMSA-2015-0003.1.
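To make the RedHat description concrete, here is an added illustration (not JSSE/OpenJDK code, and not a real TLS implementation) of the client-side check that is missing in the flawed handshake: a small state tracker that models incoming server messages as strings and, in its hardened mode, refuses a Finished message that was not preceded by ChangeCipherSpec. The message names and the `enforce_ccs` switch are this example's own constructions.

```python
# Constructed example: a minimal TLS 1.2 client handshake state tracker.
# Server-side messages are modelled as plain strings; no real records.
class HandshakeError(Exception):
    pass

# Handshake messages the client expects before the cipher switch.
EXPECTED_ORDER = ["ServerHello", "Certificate", "ServerHelloDone"]

def run_client(messages, enforce_ccs=True):
    """Feed server messages through the tracker and return the final state.

    'encrypted' records whether the read side has switched to the negotiated
    cipher. With enforce_ccs=False the tracker mimics the CVE-2014-6593 flaw:
    Finished is accepted with no prior ChangeCipherSpec, so application data
    that follows is handled by a record layer still using the null cipher.
    """
    state = {"stage": 0, "ccs_received": False, "encrypted": False,
             "handshake_done": False, "app_data": []}
    for msg in messages:
        if msg in EXPECTED_ORDER:
            stage = state["stage"]
            if stage >= len(EXPECTED_ORDER) or EXPECTED_ORDER[stage] != msg:
                raise HandshakeError(f"unexpected {msg}")
            state["stage"] += 1
        elif msg == "ChangeCipherSpec":
            if state["stage"] != len(EXPECTED_ORDER):
                raise HandshakeError("ChangeCipherSpec before key exchange done")
            state["ccs_received"] = True
            state["encrypted"] = True  # pending read cipher becomes active
        elif msg == "Finished":
            if enforce_ccs and not state["ccs_received"]:
                # Fixed behaviour: Finished must arrive under the new cipher.
                raise HandshakeError("Finished without ChangeCipherSpec")
            state["handshake_done"] = True
        elif msg.startswith("ApplicationData:"):
            if not state["handshake_done"]:
                raise HandshakeError("application data before handshake end")
            payload = msg.split(":", 1)[1]
            state["app_data"].append((payload, state["encrypted"]))
        else:
            raise HandshakeError(f"unknown message {msg}")
    return state

def handshake_succeeds(messages, enforce_ccs=True):
    """True if the tracker accepts the message sequence, False if rejected."""
    try:
        run_client(messages, enforce_ccs)
        return True
    except HandshakeError:
        return False
```

Run the same message sequence with and without ChangeCipherSpec: the hardened tracker rejects the skipped sequence, while the permissive one accepts it and delivers application data with `encrypted` False.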
© 2015, Steve Flanders. All rights reserved.