VMware Reissues Patch for vCenter

Wednesday, February 17, 2016 @ 01:02 PM gHale

If it doesn’t work the first time, then try again and that is exactly what happened to VMware’s vCenter Server.

It first started last year when a security update released to address the vCenter’s serious vulnerability. However, that fixed was incomplete, so the company released the second patch to fix the problem.

VMware Fixes Privilege Escalation Flaw
VMware Update after Apache Fix
VMware Working on Fix for Zero Day
‘Unintended Vulnerability’ on Dell Systems

VMware published an advisory in October 2015 to inform users of software updates designed to address critical security flaws affecting vCenter and ESXi.

One of the vulnerabilities the company attempted to patch at the time, CVE-2015-2342, ended up related to a remotely accessible JMX RMI service not securely configured. The weakness could allow a remote, unauthenticated attacker who can connect to the service to execute arbitrary code on affected vCenter Server installations, and allow a local attacker to elevate privileges.

The security hole, reported by Doug Mcleod of 7 Elements and an anonymous researcher via the Zero Day Initiative, should have been fixed in VCenter Server for Windows with the release of versions 5.0 U3e, 5.1 U3b and 5.5 U3. However, VMware later learned the updates did not address the issue, so it just released an additional patch, KB2144428, to properly resolve the vulnerability.