Aerosol

VMware warns of vCenter cross-site-scripting bug


It's Friday! By later this afternoon you'll be working at half-pace and contemplating weekend fun.

Unless you run VMware's vCenter control freak, because Virtzilla has just revealed a nasty cross-site scripting flaw in the product.

“VMware vCenter Server Appliance (vCSA) contains a vulnerability that may allow for Cross Site Scripting. Exploitation of this vulnerability in vCenter Server requires tricking a user to click on a malicious link or to open a malicious web page while they are logged in into vCenter,” says VMware's advisory, issued late on Thursday US time.

Another newly-identified issue, one of six revealed here, means “vCenter Server does not properly validate the presented certificate when establishing a connection to a CIM Server residing on an ESXi host.” That makes man-in-the-middle attacks against the CIM service possible.

Virtzilla's other patches look less worrying as they address small issues and third-party code on which VMware products depend.

The good news is that while there are patches coming for some of the problems, the first two can be sorted with updates to vCenter Server. Only vCenter 5.1 needs the update for the XSS bug, but all versions from 5.0 to 5.5 need attention for the certificate mess.

Rushed update implementations aren't any fun, but if VMware says your production systems need them – on Friday – who are you to disagree?

Source
