VMware Fixes Critical Flaws

Tuesday, June 14, 2016 @ 02:06 PM gHale


VMware fixes vulnerabilities in its products, including an information disclosure issue rated critical.

The company said VMware NSX and vCloud Networking and Security (vCNS) suffer from a critical input validation flaw. A remote attacker can exploit the vulnerability to gain access to sensitive information.

The flaw affects NSX Edge 6.1 and 6.2, and vCNS Edge 5.5. VMware advised users to update to versions 6.1.7, 6.2.3 and 5.5.4.3, respectively.

In addition, vCNS has reached end of availability and has been removed from vCloud Suite 6, although it is still available as part of vCloud Suite 5.5. VMware advised customers using vCNS, which has not been available as a standalone product since 2013, to migrate to NSX.

A separate advisory published by VMware describes important and moderate severity issues affecting vRealize Log Insight.

VMware said Lukasz Plonka discovered the product suffers from a stored cross-site scripting (XSS) vulnerability that allows an attacker to hijack an authenticated user’s session.

Plonka also discovered that vRealize Log Insight suffers from a cross-site request forgery (CSRF) flaw that an attacker could exploit to replace content in the user interface.

These vulnerabilities affect vRealize Log Insight 2.x and 3.x running on virtual appliances, and they have been addressed with the release of version 3.3.2.