VMware released a handful of patches late last week to fix several vulnerabilities, including a nasty cross-site scripting issue in one of its server virtualization platforms.
The vulnerabilities lie in VMware’s vCenter Server Appliance (vCSA) – a module for VMware’s vCenter Server. The main bug, an XSS vulnerability (CVE-2014-3797) was dug up by Tanya Secker, a researcher at Trustwave Spiderlabs and could have been exploited if an attacker got a user to click on a malicious link or gotten them to click through to a malicious web page. This vulnerability really only affects vCSA 5.1 and at-risk users can upgrade to 5.1 Update 3.
The second issue (CVE-2014-8371) – discovered by Google’s security team – could have allowed an attacker to carry out a man-in-the-middle attack against the infrastructure’s Common Information Model (CIM) service. The main problem here is that before the patch, vCenter Server didn’t properly validate certificates when connecting to CIM servers on an ESXi host. Users running all versions of vCenter Server are vulnerable to the certificate issue and to fix it they can either replace or apply a patch to bring their systems up to date with either 5.5 Update 2, 5.1 Update 3, or 5.0 Update 3c, depending on the product they’re running.
Six CVEs in three different third-party libraries, ESXi Python, ESXi Curl, and ESXi libxml2, were also addressed last week. While WMware isn’t planning on patching those issues in the older ESX 5.0, it has pushed patches for ESXi 5.1 and is awaiting patches for the most recent build, ESXi 5.5.
The update also brings both vCenter Server and vCenter Update Manager up to date with Oracle Java SE’s last Critical Patch Update. As each product version is different, patches are still pending for 5.0, patches are available for 5.1, and there will be no patches for 5.5.
New TPS default settings for ESXi 5.1 and new (VMSA-2014-0012) and updated advisories (CVE-2014-3797, CVE-2014-8371), http://t.co/Fh2yufvzkn
— VMware Sec Response (@VMwareSRC) December 5, 2014
Per usual VMware is urging users to review the patch/release notes to verify if they’re running an affected version and patch it. If need be, VMware is encouraging end users with any questions to direct them to VMware’s support.