VMware warns of critical remote code execution flaw in vSphere HTML5 client
2021-02-23 23:35

VMware has revealed a critical-rated bug in the HTML5 client for its flagship vSphere hybrid cloud suite.

"The vSphere Client contains a remote code execution vulnerability in a vCenter Server plugin," says VMware's notification.

While you're patching that nasty, you may as well also knock off a second HTML client bug that VMware says could allow "a malicious actor with network access to port 443" to "exploit this issue by sending a POST request to vCenter Server plugin leading to information disclosure."

Your work's not done once that's sorted because VMware has also fixed up an 8.8-rated flaw in its ESXi hypervisor, where "a malicious actor residing within the same network segment as ESXi who has access to port 427 may be able to trigger the heap-overflow issue in OpenSLP service resulting in remote code execution."

VMware has tipped its hat to Mikhail Klyuchnikov of Positive Technologies for the vSphere client bugs and Lucas Leong of Trend Micro's Zero Day Initiative for the OpenSLP bug.

VMware's HTML5 client replaced a Flash-based tool because Virtzilla knew that Adobe's buggy mess was on death row.


News URL

https://go.theregister.com/feed/www.theregister.com/2021/02/23/vmware_vsphere_critical_bugs/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Vmware 146 11 222 256 102 591