VMware Fixes vCenter Server Hole
Tuesday, April 18, 2017 @ 05:04 PM gHale
VMware patched its vCenter Server to address a critical remote code execution flaw because of a vulnerable third-party component.
Three potentially serious deserialization flaws in several Java implementations of AMF3, the latest version of Adobe’s Action Message Format, were discovered by Markus Wulftange, senior penetration tester at Code White, according to a report from CERT/CC.
An attacker could leverage the vulnerabilities for denial-of-service (DoS) attacks, remote code execution, and access to sensitive data.
The affected software includes Apache’s Flex BlazeDS, Atlassian’s JIRA, Exadel’s Flamingo, GraniteDS, Spring spring-flex, and WebORB for Java by Midnight Coders.
One of the BlazeDS vulnerabilities, tracked as CVE-2017-5641, affects VMware vCenter Server, which uses BlazeDS to process AMF3 messages.
“The issue is present in the Customer Experience Improvement Program (CEIP) functionality. If a customer has opted out of CEIP the vulnerability is still present. Also, opting out will not remove the vulnerability,” VMware said in an advisory.
The security hole affects vCenter Server 6.0 and 6.5. Version 5.5 and other VMware products are not affected. VMware has advised users to apply the 6.5c and 6.0U3b patches to address the vulnerability.
The deserialization vulnerabilities Wulftange found also affect products from HPE and SonicWall, CERT/CC researchers said.
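The root issue in this class of bugs is that an AMF3 decoder instantiates whatever class name the message asks for. As an added example (not code from the article, from VMware or from any of the named vendors), here is a minimal AMF3 walker in Python that pulls the class names out of a payload before any deserializer runs, so a gateway or filter can reject anything outside an allowlist. The sample payloads, the `com.example.*` class names and the `disallowed_classes` helper are constructed for illustration; the walker deliberately stops at the first externalizable object, because the bytes that follow it are opaque until the named class is loaded, which is exactly why the name must be vetted first.

```python
"""Allowlist check on the class names carried in an AMF3 message (constructed example)."""
import struct

# Type markers from the AMF3 specification
UNDEFINED, NULL, FALSE, TRUE, INTEGER, DOUBLE, STRING = 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06
ARRAY, OBJECT = 0x09, 0x0A


class OpaqueExternalizable(Exception):
    """Raised when an externalizable object is reached; its body cannot be parsed generically."""


class AMF3Walker:
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0
        self.strings = []   # string reference table
        self.traits = []    # class trait reference table
        self.classes = []   # (class_name, externalizable) in the order encountered

    def u29(self) -> int:
        """Variable-length 29-bit integer: 7 bits per byte for three bytes, 8 bits for a fourth."""
        value = 0
        for i in range(4):
            b = self.data[self.pos]; self.pos += 1
            if i == 3:
                return (value << 8) | b
            value = (value << 7) | (b & 0x7F)
            if not b & 0x80:
                return value
        return value

    def string(self) -> str:
        ref = self.u29()
        if ref & 1 == 0:                                  # reference to an earlier string
            return self.strings[ref >> 1]
        length = ref >> 1
        s = self.data[self.pos:self.pos + length].decode("utf-8"); self.pos += length
        if s:                                             # the empty string is never tabled
            self.strings.append(s)
        return s

    def value(self):
        marker = self.data[self.pos]; self.pos += 1
        if marker in (UNDEFINED, NULL, FALSE, TRUE):
            return {UNDEFINED: None, NULL: None, FALSE: False, TRUE: True}[marker]
        if marker == INTEGER:
            v = self.u29()
            return v - (1 << 29) if v & (1 << 28) else v  # sign-extend from 29 bits
        if marker == DOUBLE:
            v = struct.unpack(">d", self.data[self.pos:self.pos + 8])[0]; self.pos += 8
            return v
        if marker == STRING:
            return self.string()
        if marker == ARRAY:
            return self.array()
        if marker == OBJECT:
            return self.obj()
        raise ValueError(f"unsupported AMF3 marker 0x{marker:02x} at offset {self.pos - 1}")

    def array(self):
        ref = self.u29()
        if ref & 1 == 0:
            raise ValueError("array references are not supported by this walker")
        dense_count = ref >> 1
        assoc = {}
        while True:                                       # associative part ends at an empty key
            key = self.string()
            if key == "":
                break
            assoc[key] = self.value()
        dense = [self.value() for _ in range(dense_count)]
        return assoc or dense

    def obj(self):
        ref = self.u29()
        if ref & 1 == 0:
            raise ValueError("object references are not supported by this walker")
        if ref & 2 == 0:                                  # traits reference
            name, externalizable, dynamic, members = self.traits[ref >> 2]
        else:
            externalizable, dynamic = bool(ref & 4), bool(ref & 8)
            name = self.string()
            members = [] if externalizable else [self.string() for _ in range(ref >> 4)]
            self.traits.append((name, externalizable, dynamic, members))
        self.classes.append((name, externalizable))
        if externalizable:
            raise OpaqueExternalizable(name)              # body is class-specific; stop here
        result = {m: self.value() for m in members}
        if dynamic:
            while True:
                key = self.string()
                if key == "":
                    break
                result[key] = self.value()
        return result


def amf3_class_names(payload: bytes):
    """Return every (class_name, externalizable) pair the payload would instantiate."""
    w = AMF3Walker(payload)
    try:
        w.value()
    except OpaqueExternalizable:
        pass
    return w.classes


def disallowed_classes(payload: bytes, allowlist):
    """Class names the payload requests that are not on the allowlist (hypothetical gateway check)."""
    return [name for name, _ in amf3_class_names(payload) if name not in allowlist]


# --- constructed sample payloads (encoder helpers exist only to build test input) ---
def enc_u29(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    if n < 0x4000:
        return bytes([0x80 | (n >> 7), n & 0x7F])
    return bytes([0x80 | (n >> 14), 0x80 | ((n >> 7) & 0x7F), n & 0x7F])


def enc_str(s: str) -> bytes:
    b = s.encode("utf-8")
    return enc_u29((len(b) << 1) | 1) + b


# Inline object, inline traits, not externalizable, one sealed member "id" = 42
PLAIN_OBJ = bytes([OBJECT, 0x13]) + enc_str("com.example.Ticket") + enc_str("id") + bytes([INTEGER]) + enc_u29(42)
# Externalizable object (flags 0b0111) followed by opaque class-specific bytes
EXT_OBJ = bytes([OBJECT, 0x07]) + enc_str("flex.messaging.io.ArrayCollection") + b"\x09\x03\x01\x04\x01"
BAD_OBJ = bytes([OBJECT, 0x07]) + enc_str("com.example.NotAllowed") + b"\x00\x00"
# Dense array of two elements (U29A = 2<<1 | 1), empty associative part, then the two objects
SAMPLE_OK = bytes([ARRAY]) + enc_u29(5) + enc_str("") + PLAIN_OBJ + EXT_OBJ
SAMPLE_BAD = bytes([ARRAY]) + enc_u29(5) + enc_str("") + PLAIN_OBJ + BAD_OBJ
ALLOWLIST = {"com.example.Ticket", "flex.messaging.io.ArrayCollection"}

if __name__ == "__main__":
    print(amf3_class_names(SAMPLE_OK))
    print(disallowed_classes(SAMPLE_BAD, ALLOWLIST))
```

The walker only needs to understand the framing of strings, arrays and object traits; it never calls into the application classes, so it can sit in front of the real decoder and drop a message as soon as an unexpected class name appears. A production filter would also apply the same check to the AMF0 envelope around the AMF3 body, and would treat a parse error as a rejection rather than passing the message through.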