Security News > 2021 > February > VMware warns of critical remote code execution flaw in vSphere HTML5 client
VMware has revealed a critical-rated bug in the HTML5 client for its flagship vSphere hybrid cloud suite.
"The vSphere Client contains a remote code execution vulnerability in a vCenter Server plugin," says VMware's notification.
While you're patching that nasty, you may as well also knock off a second HTML client bug that VMware says could allow "a malicious actor with network access to port 443" to "Exploit this issue by sending a POST request to vCenter Server plugin leading to information disclosure."
Your work's not done once that's sorted because VMware has also fixed up an 8.8-rated flaw in its ESXi hypervisor, where "a malicious actor residing within the same network segment as ESXi who has access to port 427 may be able to trigger the heap-overflow issue in OpenSLP service resulting in remote code execution."
VMware has tipped its hat to Mikhail Klyuchnikov of Positive Technologies for the vSphere client bugs and Lucas Leong of Trend Micro's Zero Day Initiative for the OpenSLP bug.
VMware's HTML5 client replaced a Flash-based tool because Virtzilla knew that Adobe's buggy mess was on death row.
News URL
https://go.theregister.com/feed/www.theregister.com/2021/02/23/vmware_vsphere_critical_bugs/
Related news
- Critical Apache Avro SDK Flaw Allows Remote Code Execution in Java Applications (source)
- VMware Releases vCenter Server Update to Fix Critical RCE Vulnerability (source)
- VMware fixes critical vCenter Server RCE bug – again! (CVE-2024-38812) (source)
- VMware fixes bad patch for critical vCenter Server RCE flaw (source)
- VMware fixes critical RCE, make-me-root bugs in vCenter - for the second time (source)
- Week in review: Fortinet patches critical FortiManager 0-day, VMware fixes vCenter Server RCE (source)
- Critical RCE bug in VMware vCenter Server now exploited in attacks (source)
- Critical 9.8-rated VMware vCenter RCE bug exploited after patch fumble (source)