VMware Fixes vCenter Server Hole

VMware patched its vCenter Server to address a critical remote code execution flaw because of a vulnerable third-party component.

Three potentially serious deserialization-related flaws in several Java implementations of AMF3, the latest version of Adobe’s Action Message Format, ended up discovered by Markus Wulftange, senior penetration tester at Code White, according to a report from CERT/CC.

RELATED STORIES
VMware Patches Virtual Machine Holes
VMware Mitigates AirWatch Holes
VMware Fixes Info Disclosure Holes
VMware Fixes Workstation, Fusion Flaw

An attacker could leverage the vulnerabilities for denial-of-service (DoS) attacks, remote code execution and to obtain sensitive data.

The affected software includes Apache’s Flex BlazeDS, Atlassian’s JIRA, Exadel’s Flamingo, GraniteDS, Spring spring-flex, and WebORB for Java by Midnight Coders.

One of the BlazeDS vulnerabilities, tracked as CVE-2017-5641, affects VMware vCenter Server, which uses BlazeDS to process AMF3 messages.

“The issue is present in the Customer Experience Improvement Program (CEIP) functionality. If a customer has opted out of CEIP the vulnerability is still present. Also, opting out will not remove the vulnerability,” VMware said in an advisory.

The security hole affects vCenter Server 6.0 and 6.5. Version 5.5 or other VMware products do not suffer from the issue. VMware has advised users to apply the 6.5c and 6.0U3b patches to address the vulnerability.

The deserialization vulnerabilities Wulftange found also affect products from HPE and SonicWall, CERT/CC researchers said.