VMware fixes command injection, file upload flaws in Carbon Black security tool
2022-03-23 23:30

VMware has patched two security flaws, an OS command injection vulnerability and a file upload hole, in its Carbon Black App Control security product running on Windows.

According to VMware, it could allow authenticated attackers with high privileges and network access to the VMware App Control administration interface to remotely execute commands on the server.

Security consultant Jari Jääskelä found both bugs and reported them to VMware.

The Carbon Black App Control flaws follow earlier security alerts including two critical guest-to-host vulnerabilities in the XHCI and UHCI USB controllers in VMware's ESXi hypervisor.

In all, more than 100 VMware products were impacted by the Log4j blunder, which kept VMware busy issuing a slew of patches between December 2021 and February 2022.

Shortly after the vendor disclosed its first Log4j vulns, VMware identified another critical flaw: a server-side request forgery in VMware's Workspace ONE Unified Endpoint Management product.


News URL

https://go.theregister.com/feed/www.theregister.com/2022/03/23/critical_bugs_vmware_carbon_black/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
VMware 186 83 403 198 101 785