VMware Patches vSphere Flaws, Applies Critical Java Update


VMware issued updates to its vCenter Server Appliance and Update Manager, addressing multiple security vulnerabilities in its server software.

The virtualization vendor also updated the OpenSSL and Java components bundled with its products, repairing vulnerabilities that could be used to bypass security restrictions, elevate privileges, execute malicious code or crash the system.

VMware said its ESXi hypervisor software contains a session ID handling error that could enable authenticated users to elevate their session privileges. "To reduce the likelihood of exploitation, vSphere components should be deployed on an isolated management network," the company said in its advisory issued Thursday.

The Palo Alto, Calif., company said vCenter Server running on Windows contains an authentication flaw in its integration with Microsoft Active Directory. The flaw could enable an attacker to bypass the login process by entering a valid user name and leaving the password field blank. In LDAP terms that is an "unauthenticated bind": a simple bind that carries a name but an empty password, which a directory configured to allow it answers with success while binding the session as anonymous, so software that treats any successful bind as proof that the user knows the password is fooled.

"The issue is present on vCenter Server 5.1, 5.1a and 5.1b if AD anonymous LDAP binding is enabled," VMware said in its advisory.
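The login-bypass class described above, shown as an added example that is not VMware's or Microsoft's code: a constructed stand-in for an LDAP server models the simple-bind rule from RFC 4513 section 5.1.2 (name plus empty password is an "unauthenticated bind", which an allowing server accepts as anonymous), and a vulnerable login check is placed beside a hardened one. The server class, account table and function names are all hypothetical, and the `allow_unauthenticated` switch stands in for the directory-side setting VMware refers to.

```python
"""Constructed illustration of the LDAP blank-password login bypass.

Nothing here talks to a real directory; SimulatedLdapServer is a
hypothetical stand-in that applies RFC 4513 simple-bind semantics.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class BindResult:
    success: bool
    # Principal the session is bound as; None means the session is anonymous.
    authenticated_as: Optional[str]


class SimulatedLdapServer:
    """Hypothetical directory applying simple-bind rules (RFC 4513 sec. 5.1).

    allow_unauthenticated=True mirrors a server that accepts a non-empty
    name with an empty password and answers success, binding anonymously.
    """

    def __init__(self, accounts: Dict[str, str], allow_unauthenticated: bool):
        self._accounts = accounts                 # name -> password (constructed data)
        self._allow_unauthenticated = allow_unauthenticated

    def simple_bind(self, name: str, password: str) -> BindResult:
        if name == "" and password == "":
            return BindResult(True, None)         # anonymous bind: always succeeds
        if password == "":
            if self._allow_unauthenticated:
                return BindResult(True, None)     # unauthenticated bind: success, but anonymous
            return BindResult(False, None)        # server rejects it (unwillingToPerform)
        if self._accounts.get(name) == password:
            return BindResult(True, name)         # real authentication of the named user
        return BindResult(False, None)            # invalidCredentials


def vulnerable_login(server: SimulatedLdapServer, user: str, password: str) -> bool:
    """The flawed pattern: 'the bind did not fail' is taken as authentication.

    With an allowing server, a valid user name and a blank password pass.
    """
    return server.simple_bind(user, password).success


def hardened_login(server: SimulatedLdapServer, user: str, password: str) -> bool:
    """The corrected pattern.

    1. Never forward an empty password: it is not a credential, and some
       servers will turn it into an anonymous bind rather than a failure.
    2. Require that the server bound the session as the named principal,
       not merely that the bind result was not an error.
    """
    if not password:
        return False
    result = server.simple_bind(user, password)
    return result.success and result.authenticated_as == user


def demo() -> Dict[str, bool]:
    """Runs both checks against an allowing directory and a strict one."""
    accounts = {"alice": "correct-horse-battery-staple"}   # constructed test data
    allowing = SimulatedLdapServer(accounts, allow_unauthenticated=True)
    strict = SimulatedLdapServer(accounts, allow_unauthenticated=False)
    return {
        "vulnerable_blank_pw_allowing": vulnerable_login(allowing, "alice", ""),
        "hardened_blank_pw_allowing": hardened_login(allowing, "alice", ""),
        "vulnerable_blank_pw_strict": vulnerable_login(strict, "alice", ""),
        "hardened_good_pw": hardened_login(allowing, "alice", accounts["alice"]),
        "hardened_wrong_pw": hardened_login(allowing, "alice", "wrong"),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {'LOGGED IN' if outcome else 'rejected'}")
```

The two lines of defence are independent: disabling unauthenticated binds on the directory (the `strict` server) closes the hole even for the vulnerable client code, and the client-side empty-password check plus the identity check closes it even when the directory still allows such binds.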

VMware's vCenter Server Appliance (vCSA) contains a remote code execution vulnerability that enables an attacker with stolen credentials to run existing files as root. The issue affects vCSA 5.1, which runs on Linux, VMware said. In addition, the VAMI (Virtual Appliance Management Interface) Web interface, which provides end users of virtual appliances with a Web console and command line, contains a flaw that enables an attacker to create new files or overwrite existing files, according to VMware.

VMware also said its updates include additional guest operating system customization support and database support for Microsoft SQL Server 2012 Service Pack 1.

PUBLISHED OCT. 18, 2013