Since Rami posted about a newer version of VMware getting released, I figured I’d put it out there. Anyone running the above mentioned versions may want to apply 4 patches that were addressed by VMware this past week. I will list them out below:
CVE-2019-5534 covers an issue where virtual machines deployed in an Open Virtualization Format (OVF) could expose login information via the virtual machine’s vAppConfig properties. This can be resolved by updating to the latest version.
CVE-2019-5532 covers a situation where a malicious user with access to the log files containing vCenter OVF-properties of a virtual machine deployed from an OVF may be able to view the credentials used to deploy the OVF. This is typically done through the root account of the virtual machine. A patched version is now available for upload.
CVE-2019-5531 involves an information disclosure vulnerability in clients arising from insufficient session expiration that would allow an attacker with physical access or an ability to mimic a websocket connection to a user’s browser to possibly obtain control of a VM Console after the user has logged out or their session has timed out. A patched version is now available for upload.
CVE-2017-16544 is a vulnerability in ESXi, which contains a command injection vulnerability due to the use of a vulnerable version of busybox that does not sanitize filenames. An attacker may exploit this issue by tricking an ESXi Admin into executing shell commands by providing a malicious file, VMware wrote. A patched version is now available for upload.
Source Link: https://www.scmagazine.com/home/security-news/vulnerabilities/patches-issued-for-vmwares-vsphere-esxi-vmware-vcenter-server/
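As a follow-up check for the two OVF issues above (CVE-2019-5534 and CVE-2019-5532), the sketch below is an added example, not code from the post or from VMware. It parses an OVF environment document and lists populated properties whose key looks credential-bearing, so they can be cleared or rotated after patching. The sample document, the property names and the key patterns are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

# DMTF OVF environment namespace, used for both elements and oe: attributes.
OE_NS = "http://schemas.dmtf.org/ovf/environment/1"

# Constructed sample of an OVF environment document (all values are made up).
SAMPLE_OVF_ENV = """<Environment xmlns="http://schemas.dmtf.org/ovf/environment/1"
             xmlns:oe="http://schemas.dmtf.org/ovf/environment/1">
  <PropertySection>
    <Property oe:key="hostname" oe:value="appliance01"/>
    <Property oe:key="guestinfo.root_password" oe:value="Example-Only-1!"/>
    <Property oe:key="db.passwd" oe:value=""/>
    <Property oe:key="ntp.server" oe:value="192.0.2.10"/>
    <Property oe:key="api_token" oe:value="constructed-token-value"/>
  </PropertySection>
</Environment>"""

# Heuristic key patterns: an assumption of this example, tune per appliance.
SECRET_KEY_RE = re.compile(
    r"pass(word|wd|phrase)?|secret|token|api[_-]?key|credential", re.I
)


def find_secret_properties(ovf_env_xml):
    """Return sorted keys of populated properties whose key looks like a secret.

    Only feed this documents exported from your own inventory; it is an
    audit helper, not a hardened parser for untrusted XML.
    """
    root = ET.fromstring(ovf_env_xml)
    hits = []
    for prop in root.iter(f"{{{OE_NS}}}Property"):
        key = prop.get(f"{{{OE_NS}}}key", "")
        value = prop.get(f"{{{OE_NS}}}value", "")
        # An empty value means the property was already cleared after deployment.
        if value and SECRET_KEY_RE.search(key):
            hits.append(key)  # report the key only, never echo the secret
    return sorted(hits)


if __name__ == "__main__":
    for key in find_secret_properties(SAMPLE_OVF_ENV):
        print(f"credential-like OVF property still populated: {key}")
```

Any key it reports points at a credential that was readable through the VM's properties or logs and should be treated as exposed.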
Penghui Ai says
Hi, Jaimin,
Thank you for sharing the patches. It is always important to keep track of the patches for the software we have installed, and to keep it updated.
Numneung Koedkietpong says
I totally agree with Penghui. Patch management is one of the significant controls that every organization should be concerned about. If they have not regularly applied newly released patches, it increases the vulnerabilities through which hackers are able to exploit systems and steal sensitive data.