VMware Patches MitM Hole

Tuesday, April 19, 2016 @ 05:04 PM gHale


VMware released a security advisory for a critical issue in the firm’s Client Integration Plugin (CIP) that could allow man-in-the-middle (MitM) attacks or web session hijacking.

The vulnerability is present in versions of the CIP shipped with vCenter Server 6, vCenter Server 5.5 U3a, U3b, U3c, vCloud Director 5.5.5, and vRealize Automation Identity Appliance 6.2.4, according to the April 14 advisory.


Researchers said the issue is caused by the plugin failing to handle session content in a secure way.

To remediate the issue, researchers said users need to update both the server side and the client side of the application.

“After installing the updated version, the Client Integration Plugin will need to be updated on all systems from which the vSphere Web Client is used to connect to vCenter Server, vCloud Director and vRealize Automation Identity Manager,” the advisory said.