VMware has released patches for its vCenter Server product to address a critical remote code execution flaw that exists due to the use of a vulnerable third-party component.
Earlier this month, CERT/CC informed users that Markus Wulftange, senior penetration tester at Code White, had identified three potentially serious deserialization-related flaws in several Java implementations of AMF3, the latest version of Adobe’s Action Message Format.
The vulnerabilities can be exploited for denial-of-service (DoS) attacks, remote code execution and to obtain sensitive data. The affected software includes Apache’s Flex BlazeDS, Atlassian’s JIRA, Exadel’s Flamingo, GraniteDS, Spring spring-flex, and WebORB for Java by Midnight Coders.
One of the BlazeDS vulnerabilities, tracked as CVE-2017-5641, has been found to affect VMware vCenter Server, which uses BlazeDS to process AMF3 messages.
“The issue is present in the Customer Experience Improvement Program (CEIP) functionality. If a customer has opted out of CEIP, the vulnerability is still present. Also opting out will not remove the vulnerability,” VMware said.
The security hole affects vCenter Server 6.0 and 6.5; version 5.5 and other VMware products are not impacted. VMware has advised users to apply the 6.5c and 6.0U3b patches to address the vulnerability.
According to CERT/CC, the deserialization vulnerabilities identified by Wulftange could also affect products from HPE and SonicWall.
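The flaw described above comes down to an AMF3 decoder instantiating whatever class name an incoming message supplies. One defender-side check, shown here as an added example that is not VMware's or BlazeDS's code, is to enumerate the classes a message would make the decoder instantiate and compare them against an allowlist; the scanner below does that for an AMF3 value and stops at the first externalizable object, because only the named class can parse what follows. It assumes the input is the AMF3 body after the AMF0 envelope, handles only scalars and objects, and uses a constructed sample in which the class name org.example.Untrusted is made up.

```python
INTEGER, DOUBLE, STRING, OBJECT = 4, 5, 6, 10   # AMF3 type markers this scanner handles

class Amf3Scanner:
    def __init__(self, data: bytes):            # strings/traits: reference tables the encoding requires
        self.buf, self.pos, self.strings, self.traits, self.classes = data, 0, [], [], []

    def u29(self) -> int:                       # variable-length integer: up to 3 x 7 bits, then a full byte
        value = 0
        for i in range(4):
            b = self.buf[self.pos]; self.pos += 1
            value = (value << 8) | b if i == 3 else (value << 7) | (b & 0x7F)
            if i == 3 or not b & 0x80: return value

    def string(self) -> str:                    # inline UTF-8 string, or a reference to an earlier one
        ref = self.u29()
        if not ref & 1: return self.strings[ref >> 1]
        s = self.buf[self.pos:self.pos + (ref >> 1)].decode("utf-8"); self.pos += ref >> 1
        if s: self.strings.append(s)            # the empty string is never added to the table
        return s

    def value(self) -> None:                    # walk one value; markers 0-3 (undefined/null/false/true) have no payload
        marker = self.buf[self.pos]; self.pos += 1
        if marker == INTEGER: self.u29()
        elif marker == DOUBLE: self.pos += 8
        elif marker == STRING: self.string()
        elif marker == OBJECT:
            ref = self.u29()
            if not ref & 1: return              # reference to an object decoded earlier
            if not ref & 2:                     # reference to traits decoded earlier
                name, ext, members = self.traits[ref >> 2]
            else:
                ext = bool(ref & 4)             # externalizable: class name, then a body only that class can read
                name = self.string()
                members = [] if ext else [self.string() for _ in range(ref >> 4)]
                self.traits.append((name, ext, members))
            self.classes.append((name, ext))    # every class a decoder would be asked to instantiate
            if ext:                             # a decoder would now hand the rest to that class's readExternal
                self.pos = len(self.buf); return
            for _ in members: self.value()      # sealed member values, in trait order
            if ref & 8:                         # dynamic object: name/value pairs until an empty name
                while self.string(): self.value()
        elif marker > 3: raise ValueError(f"unsupported AMF3 marker 0x{marker:02x}")  # arrays, dates, XML, ByteArray

def unexpected_classes(data: bytes, allowlist: set) -> list:   # class names the message needs that are not allowed
    s = Amf3Scanner(data)
    while s.pos < len(s.buf): s.value()
    return sorted({n for n, _ in s.classes if n and n not in allowlist})

# Constructed sample, not captured traffic: {id: 5} typed as a made-up class, then an externalizable ArrayCollection (body omitted)
SAMPLE = b"\x0a\x13\x2borg.example.Untrusted\x05id\x04\x05" b"\x0a\x07\x43flex.messaging.io.ArrayCollection"
```

Calling unexpected_classes(SAMPLE, {"flex.messaging.io.ArrayCollection"}) reports only the made-up class, while the externalizable ArrayCollection is accepted because it is on the allowlist.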