Security News > 2020 > November > Critical VMware Zero-Day Bug Allows Command Injection; Patch Pending
The U.S. Cybersecurity and Infrastructure Security Agency is warning of a zero-day bug affecting six VMware products including its Workspace One, Identity Manager and vRealize Suite Lifecycle Manager.
The critical unpatched bug is a command injection vulnerability.
In a separate VMware advisory, the company did not indicate whether the vulnerability was under active attack.
The workaround tradeoff, once implemented, is that in each of the VMware services, configurator-managed setting changes will not be possible while the workaround is in place.
"If changes are required please revert the workaround following the instructions make the required changes and disable again until patches are available. In addition, most of the system diagnostics dashboard will not be displayed," VMware explained.
News URL
https://threatpost.com/vmware-zero-day-patch-pending/161523/
Related news
- VMware fixes bad patch for critical vCenter Server RCE flaw (source)
- Critical 9.8-rated VMware vCenter RCE bug exploited after patch fumble (source)
- Progress urges admins to patch critical WhatsUp Gold bugs ASAP (source)
- Week in review: Critical Zimbra RCE vulnerability exploited, Patch Tuesday forecast (source)
- Qualcomm Urges OEMs to Patch Critical DSP and WLAN Flaws Amid Active Exploits (source)
- Zero-Day Alert: Three Critical Ivanti CSA Vulnerabilities Actively Exploited (source)
- Microsoft October 2024 Patch Tuesday fixes 5 zero-days, 118 flaws (source)
- VMware Releases vCenter Server Update to Fix Critical RCE Vulnerability (source)
- VMware fixes critical vCenter Server RCE bug – again! (CVE-2024-38812) (source)
- VMware fixes critical RCE, make-me-root bugs in vCenter - for the second time (source)