VMware issued a security advisory containing several
security updates for its vSphere ESXi and VMware vCenter Server products to
patch command injection and information disclosure vulnerabilities.
Two of the vulnerabilities, CVE-2019-5532 and CVE-2019-5534,
are rated as “important”, while CVE-2017-16544 and CVE-2019-5531 are considered “moderate”.
CVE-2019-5534 covers an issue where virtual machines deployed
from an Open Virtualization Format (OVF) package could expose login information via the
virtual machine’s vAppConfig properties. This can be resolved by updating to
the newest version.
CVE-2019-5532 covers a situation where a malicious user with
access to the log files containing the vCenter OVF properties of a virtual machine
deployed from an OVF may be able to view the credentials used to deploy the
OVF. Typically this involves the root account of the virtual machine. A
patched version is now available for download.
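As an added illustration of the defensive point behind CVE-2019-5532 and CVE-2019-5534 (example code written for this page, not VMware’s code or anything from the advisory), the following Python parses a constructed OVF environment document of the kind a deployed VM receives its vApp properties through and redacts secret-looking values before they reach a log line. The property keys, sample values and the secret-key pattern are assumptions; the XML layout follows the DMTF ovfEnv format.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by the OVF environment document (ovfEnv.xml) through which
# a deployed VM receives its vApp properties.
OVF_ENV_NS = "http://schemas.dmtf.org/ovf/environment/1"

# Property keys that commonly carry secrets; a hypothetical list, extend per deployment.
SECRET_KEY_RE = re.compile(r"(password|passwd|secret|token|api[_-]?key)", re.IGNORECASE)

# Constructed sample: a vApp environment whose properties include a root password
# and an API token next to harmless configuration.
SAMPLE_OVF_ENV = """<?xml version="1.0" encoding="UTF-8"?>
<Environment xmlns="http://schemas.dmtf.org/ovf/environment/1"
             xmlns:oe="http://schemas.dmtf.org/ovf/environment/1"
             oe:id="">
  <PropertySection>
    <Property oe:key="guestinfo.hostname" oe:value="appliance01"/>
    <Property oe:key="guestinfo.root_password" oe:value="Hunter2!"/>
    <Property oe:key="guestinfo.api_token" oe:value="tok-abc123"/>
  </PropertySection>
</Environment>
"""


def parse_vapp_properties(xml_text):
    """Return the vApp properties as an ordered list of (key, value) pairs."""
    root = ET.fromstring(xml_text)
    props = []
    for prop in root.iter("{%s}Property" % OVF_ENV_NS):
        key = prop.get("{%s}key" % OVF_ENV_NS)
        value = prop.get("{%s}value" % OVF_ENV_NS, "")
        props.append((key, value))
    return props


def redact_properties(props):
    """Replace the values of secret-looking keys so the pairs can be logged safely."""
    return [(k, "<redacted>" if SECRET_KEY_RE.search(k) else v) for k, v in props]


def safe_log_line(xml_text):
    """Build one log line describing the deployment that never contains its secrets."""
    redacted = redact_properties(parse_vapp_properties(xml_text))
    return "vapp-properties " + " ".join(f"{k}={v}" for k, v in redacted)


if __name__ == "__main__":
    print(safe_log_line(SAMPLE_OVF_ENV))
```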
CVE-2019-5531 involves an information disclosure
vulnerability in clients arising from insufficient session expiration. It
would allow an attacker with physical access, or the ability to mimic a websocket
connection to a user’s browser, to possibly obtain control of a VM console after
the user has logged out or their session has timed out. A patched version is
now available for download.
CVE-2017-16544 is a command injection vulnerability in ESXi
caused by the use of a vulnerable version of
BusyBox that does not sanitize filenames. An attacker may exploit this issue by
tricking an ESXi admin into executing shell commands by providing a malicious
file, VMware wrote. A patched version is now available for download.
The post Patches issued for VMware’s vSphere ESXi, VMware vCenter Server appeared first on SC Media.