CVE-2016-7460

Name of the Vulnerable Software and Affected Versions VMware vCenter Server versions 5.5 before U3e and 6.0 before U2a VMware vRealize Automation versions 6.x before 6.2.5

Description The issue is related to the Single Sign-On feature in VMware products, specifically an XML External Entity (XXE) problem. This is due to incorrect restriction of XML links to external objects. Exploitation can allow a remote attacker to cause a denial of service or gain access to confidential information by using specially crafted XML requests. The vulnerability can be exploited by sending an XML document containing an external entity declaration in conjunction with an entity reference, allowing attackers to read arbitrary files.

Recommendations For VMware vCenter Server versions 5.5 before U3e, update to U3e or later. For VMware vCenter Server versions 6.0 before U2a, update to U2a or later. For VMware vRealize Automation versions 6.x before 6.2.5, update to 6.2.5 or later. As a temporary workaround, consider restricting access to the Single Sign-On feature until a patch is applied.