VMware patched a critical vulnerability in its vCenter Server platform late last week that could have let an attacker execute arbitrary code in some scenarios.

The vulnerability affected two versions of vCenter, 6.5 and 6.0. Users are encouraged to update to the most recent versions, 6.5c, and 6.0U3b, pushed on Thursday.

US-CERT warned about the vulnerability, stressing exploitation could result in an attacker taking control of an affected system, in an alert posted on Friday.

vCenter Server, formerly known as VirtualCenter, is a tool used for managing vSphere virtual environments.

The vulnerability technically stems from the usage of BlazeDS to process AMF3 messages. BlazeDS, originally developed by Adobe, is a server-based Java remoting and web-based messaging technology. AMF3, or Action Message Format 3, is a compact binary is a message format, also developed by Adobe, used by Flash apps to communicate and to serialize ActionScript object graphs.

The vulnerability could allow an attacker to execute arbitrary code when deserializing an untrusted Java object, according to VMware’s security advisory.

VMware says the issue (CVE-2017-5641) is present in the Customer Experience Improvement Program (CEIP) functionality of the platform. Even if a user has opted out of the functionality, the vulnerability still exists, VMware claims.

Markus Wulftange, a penetration tester at the German security firm Code White discovered the AMF bug and published a thorough write-up earlier this month.

Wulftange disclosed the vulnerabilities, insecure deserialization and XML external entities references, to US-CERT two weeks ago and suggested at the time they could affect products made by VMware, along with Atlassian, HPE, and SonicWall.

Atlassian, for its part, fixed the vulnerability, which affected JIRA (CVE-2017-5983), several weeks ago. According to a JIRA ticket on the vulnerability, the bug affected versions from 4.2.4 prior to version 6.3.0 and fetched a CVSS rating of 9.8. In addition to remote code execution, the vulnerability also could have lead to the disclosure of private files or the execution of a denial of service attack against a JIRA server.

According to US-CERT’s Vulnerability Note on Wulftange’s findings, it’s still unknown whether HPE, SonicWall, or Exadel software is affected.

Categories: Vulnerabilities

Leave A Comment

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>