Cloud computing specialist VMware has patched a critical vulnerability in its vCenter Server platform.
The vulnerability, which affects two vCenter versions, 6.5 and 6.0, allows a remote attacker to execute arbitrary code and take control of a system in one limited scenario: when the server deserializes an untrusted Java object.
vCenter Server is a management console for virtual environments; it offers centralized visibility and extensibility for VMware vSphere, so users can automate and deliver a virtual infrastructure more easily. As such, it communicates with other parts of that infrastructure, which makes a compromise of the system potentially catastrophic.
The problem lies in vCenter’s use of a messaging library known as BlazeDS. BlazeDS is a server-side, open-source Java remoting and web messaging technology that lets applications connect to back-end distributed data and push data to Adobe Flex and Adobe Integrated Runtime (AIR) rich Internet applications (RIAs).
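The root cause described above, deserializing a Java object the server has not verified it should accept, is a general class of bug, and the JDK offers a general defence for it: an `ObjectInputFilter` that allow-lists the classes an endpoint legitimately expects and rejects everything else before the class is even loaded. The following is an added example of that mechanism, written for this page; it is not VMware’s or BlazeDS’s code and does not show how the vendor patch works. The `TelemetryReport` class, the hypothetical endpoint that receives it, and the sample messages are all constructed for illustration. It requires Java 9 or later, where `java.io.ObjectInputFilter` is a public API.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

public class DeserializationAllowList {

    // The single message type this hypothetical endpoint accepts (constructed for the example).
    static final class TelemetryReport implements Serializable {
        private static final long serialVersionUID = 1L;
        final String host;
        final int cpuPercent;

        TelemetryReport(String host, int cpuPercent) {
            this.host = host;
            this.cpuPercent = cpuPercent;
        }
    }

    // Allow-list filter: the expected DTO plus the java.lang types it references.
    // The trailing "!*" rejects every other class. The filter runs when the class
    // descriptor is read, so a rejected class is never loaded or instantiated and
    // none of its readObject/readExternal code can execute. The depth and array
    // limits bound resource use from hostile, deeply nested object graphs.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=5;maxarray=1000;DeserializationAllowList$TelemetryReport;java.lang.*;!*");

    // Deserialize with the allow-list applied to this stream only.
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(FILTER);
            return in.readObject();
        }
    }

    // Helper to build the byte stream an untrusted client would send.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Expected message type: passes the filter and deserializes normally.
        Object ok = readFiltered(serialize(new TelemetryReport("esx01", 42)));
        System.out.println("accepted: " + ((TelemetryReport) ok).host);

        // A class the endpoint never asked for (HashMap stands in for any unexpected
        // type): the filter rejects it with InvalidClassException before any of the
        // class's deserialization logic runs.
        HashMap<String, String> unexpected = new HashMap<>();
        unexpected.put("k", "v");
        try {
            readFiltered(serialize(unexpected));
            System.out.println("BUG: unexpected class was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The filter is attached per stream with `setObjectInputFilter`, which is the right scope when different endpoints accept different types; a process-wide default can instead be set with the `jdk.serialFilter` system property. The important design choice is that the list is an allow-list of the few classes the endpoint needs rather than a block-list of known-bad classes, so that a type the developer never anticipated is rejected by default.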
VMware said that the issue, disclosed in a US-CERT security advisory earlier in April, is present in the Customer Experience Improvement Program (CEIP) functionality, and that it remains present even if a customer has opted out of CEIP. Opting out is therefore not a workaround; resolving the vulnerability requires applying the patch, so users are encouraged to update to the most recent versions, 6.5c and 6.0U3b.
The company said it investigated whether other VMware products were affected by the issue and found none.