Security News > 2020 > April > VMware plugs critical flaw in vCenter Server, patch ASAP!
VMware has fixed a critical vulnerability affecting vCenter Server, which can be exploited to extract highly sensitive information that could be used to compromise vCenter Server or other services which depend on the VMware Directory Service for authentication.
vCenter Server is server management software for controlling VMware vSphere environments.
"Under certain conditions vmdir that ships with VMware vCenter Server, as part of an embedded or external Platform Services Controller, does not correctly implement access controls. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 10.0," the company noted in an advisory published last week.
The vulnerability exists in vCenter Server 6.7, running on Windows or a virtual appliance, only if the installations were upgraded from a previous release line such as 6.0 or 6.5.
"Clean installations of vCenter Server 6.7 are not affected. vCenter Server versions 6.5. and 7.0 are unaffected," the company pointed out.
News URL
http://feedproxy.google.com/~r/HelpNetSecurity/~3/D84QW5YsiWs/
Related news
- New critical Apache Struts flaw exploited to find vulnerable servers (source)
- BeyondTrust Issues Urgent Patch for Critical Vulnerability in PRA and RS Products (source)
- Patch Alert: Critical Apache Struts Flaw Found, Exploitation Attempts Detected (source)
- Critical SQL Injection Vulnerability in Apache Traffic Control Rated 9.9 CVSS — Patch Now (source)
- Rsync vulnerabilities allow remote code execution on servers, patch quickly! (source)
- SAP fixes critical vulnerabilities in NetWeaver application servers (source)
- Critical SimpleHelp vulnerabilities fixed, update your server instances! (source)
- SonicWall Urges Immediate Patch for Critical CVE-2025-23006 Flaw Amid Likely Exploitation (source)
- Patch now: Cisco fixes critical 9.9-rated, make-me-admin bug in Meeting Management (source)
- Zyxel CPE devices under attack via critical vulnerability without a patch (CVE-2024-40891) (source)