Security News > 2021 > February > VMware warns of critical remote code execution flaw in vSphere HTML5 client
VMware has revealed a critical-rated bug in the HTML5 client for its flagship vSphere hybrid cloud suite.
"The vSphere Client contains a remote code execution vulnerability in a vCenter Server plugin," says VMware's notification.
While you're patching that nasty, you may as well also knock off a second HTML client bug that VMware says could allow "a malicious actor with network access to port 443" to "Exploit this issue by sending a POST request to vCenter Server plugin leading to information disclosure."
Your work's not done once that's sorted because VMware has also fixed up an 8.8-rated flaw in its ESXi hypervisor, where "a malicious actor residing within the same network segment as ESXi who has access to port 427 may be able to trigger the heap-overflow issue in OpenSLP service resulting in remote code execution."
VMware has tipped its hat to Mikhail Klyuchnikov of Positive Technologies for the vSphere client bugs and Lucas Leong of Trend Micro's Zero Day Initiative for the OpenSLP bug.
VMware's HTML5 client replaced a Flash-based tool because Virtzilla knew that Adobe's buggy mess was on death row.
News URL
https://go.theregister.com/feed/www.theregister.com/2021/02/23/vmware_vsphere_critical_bugs/
Related news
- Patch Issued for Critical VMware vCenter Flaw Allowing Remote Code Execution (source)
- Critical WPML Plugin Flaw Exposes WordPress Sites to Remote Code Execution (source)
- Apache fixes critical OFBiz remote code execution vulnerability (source)
- Broadcom fixes critical RCE bug in VMware vCenter Server (source)
- Critical VMware vCenter Server bugs fixed (CVE-2024-38812) (source)
- Week in review: Critical VMware vCenter Server bugs fixed, Apple releases iOS 18 (source)
- Critical Flaw in Microchip ASF Exposes IoT Devices to Remote Code Execution Risk (source)