
VMware patches vulnerabilities that enable malicious code execution, privilege escalation

VMware on Tuesday issued two security updates that patch, or provide workarounds for, two vulnerabilities, one rated critical and the other important.

The critical flaw, designated CVE-2016-3427, affects multiple versions of VMware's vCenter Server, vCloud Director, vSphere Replication and vRealize Operations Manager products. According to VMware, the “RMI [Remote Method Invocation] server of Oracle JRE [Java Runtime Environment] JMX [Java Management Extensions] deserializes any class [of objects] when deserializing authentication credentials.” Deserialization is the process of converting a stream of bytes back into the object it was created from; when the receiving code accepts whatever class the sender names, the sender decides which code runs while that object is reconstructed. Because the credentials are deserialized before they are checked, an attacker who can reach the exposed RMI port needs no valid account: a crafted credential object is enough to trigger the flaw and execute arbitrary commands on the server.
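The pattern behind this class of bug, and the usual fix, is easy to see in a few lines of Java. The following is an added illustration, not code from VMware, Oracle or the article: a stand-in "credential" deserializer that trusts the stream, beside a look-ahead variant that rejects any class not on a short allow-list before an instance is created. The class names, the `Unexpected` placeholder type and the sample credentials are constructed for the example.

```java
import java.io.*;
import java.util.*;

/**
 * Added example: a JMX RMI server receives login credentials as a serialized
 * Java object. A plain ObjectInputStream.readObject() will instantiate ANY
 * serializable class on the classpath before the server ever looks at the
 * credentials, so whoever can reach the RMI port chooses what gets built.
 *
 * The hardened variant is a "look-ahead" ObjectInputStream: resolveClass()
 * sees each class descriptor before any object is constructed and rejects
 * everything outside a small allow-list (String and String[], the only
 * shapes a password-based JMX authenticator expects). Allow-list contents and
 * the Unexpected class are assumptions made for this example.
 */
public class CredentialDeserializer {

    /** Classes a password authenticator legitimately needs in a credentials object. */
    private static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
            "java.lang.String",
            "[Ljava.lang.String;"));

    /** Stands in for any class the server did not expect (a gadget chain, in a real attack). */
    public static class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
        String note = "should never have been instantiated";
    }

    /** Vulnerable: lets the stream dictate which class to instantiate. */
    public static Object deserializeUnsafe(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    /** Hardened: refuses non-allow-listed classes at the descriptor, before instantiation. */
    public static Object deserializeSafe(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data)) {
            @Override
            protected Class<?> resolveClass(ObjectStreamClass desc)
                    throws IOException, ClassNotFoundException {
                if (!ALLOWED.contains(desc.getName())) {
                    throw new InvalidClassException(
                            "Rejected class in credentials: " + desc.getName());
                }
                return super.resolveClass(desc);
            }
        }) {
            return in.readObject();
        }
    }

    /** Helper: what a client (or attacker) puts on the wire. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs: a normal role/password pair and an unexpected object.
        byte[] legit = serialize(new String[] {"monitorRole", "s3cret"});
        byte[] hostile = serialize(new Unexpected());

        // Legitimate credentials pass through both paths.
        System.out.println("unsafe/legit:   " + Arrays.toString((String[]) deserializeUnsafe(legit)));
        System.out.println("safe/legit:     " + Arrays.toString((String[]) deserializeSafe(legit)));

        // The unsafe path instantiates the attacker-chosen class without complaint...
        System.out.println("unsafe/hostile: " + deserializeUnsafe(hostile).getClass().getName());

        // ...while the hardened path stops at the class descriptor and never builds it.
        try {
            deserializeSafe(hostile);
        } catch (InvalidClassException e) {
            System.out.println("safe/hostile:   " + e.getMessage());
        }
    }
}
```

The point of checking in `resolveClass()` rather than after `readObject()` returns is ordering: by the time a type check on the returned object could run, the attacker's class has already been constructed and its deserialization hooks have already executed. On Java 9 and later the same effect is obtained with the built-in `ObjectInputFilter`, and Oracle's own fix for the JMX connector likewise constrains which classes are accepted as credentials.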

The other issue, CVE-2016-2077, is a host privilege escalation vulnerability affecting Windows versions of VMware Workstation and VMware Player. Because these two programs do not properly reference one of their executables, a local attacker on the host could potentially elevate their privileges.

Bradley Barth

