VMware has patched several serious security vulnerabilities in its vCenter Operations Center Management suite, one of which could lead to remote code execution on vulnerable machines.

All of the vulnerabilities that the company patched lie in the Apache Struts Java application framework, and the most serious of them is CVE-2014-0112, which allows an attacker to run arbitrary code.

“ParametersInterceptor in Apache Struts before does not properly restrict access to the getClass method, which allows remote attackers to “manipulate” the ClassLoader and execute arbitrary code via a crafted request,” the vulnerability description says.

Apache fixed the vulnerability in a new release of Struts back in April. The issue was created because of an incomplete patch for a previous vulnerability in Struts. The three Struts vulnerabilities all are addressed in the release of version 5.8.2 of VMware vCOPS, the company said.

The other two, less serious vulnerabilities fixed in the new version of vCOPS are CVE-2014-0050 and CVE-2014-0094. The first flaw is problem that could lead to a denial-of-service condition if exploited by a remote attacker.

“MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop’s intended exit conditions,” the advisory says.

CVE-2014-0094 is also remotely exploitable by an unauthenticated attacker, who could manipulate a component of Struts.

“The ParametersInterceptor in Apache Struts before allows remote attackers to “manipulate” the ClassLoader via the class parameter, which is passed to the getClass method,” the advisory says.

Categories: Vulnerabilities, Web Security