Network Security, Patch/Configuration Management, Vulnerability Management

VMware fixes bugs in vCenter Service Appliance, three hypervisors

VMware on Tuesday patched a series of vulnerabilities in its ESXi, Workstation Pro, and Fusion hypervisors, as well as its vCenter Server Appliance.

According to a company security advisory, ESXi versions 6.0 and 5.5, Workstation version 12.x, and Fusion version 8.x contain a stack overflow bug, designated CVE-2017-4941, that authenticated users can exploit to cause remote code execution in a virtual machine. Moreover, ESXi 6.5, Workstation 12.x, and Fusion 8.x were also found to have a heap overflow vulnerability, CVE-2017-4922, that authenticated users can exploit to trigger a heap overflow. Two researchers from Cisco Systems' Talos division, including Lilith Wyatt, were credited with discovering these two issues.

Additionally, the ESXi Host Client for product versions 6.5, 6.0, and 5.5 contains a bug that enables stored cross-site scripting (XSS). “An attacker can exploit this vulnerability by injecting JavaScript, which might get executed when other users access the Host Client,” the security advisory warns. Alain Homewood of Insomnia Security found this problem, which is designated CVE-2017-4940.

Finally, researcher Lukasz Plonka found a local privilege escalation vulnerability in the “showlog” plugin in version 6.5 of the vCenter Service Appliance. If exploited, this flaw, CVE-2017-4943, could allow a user with low privileges to gain root-level access to the appliance's base operating system.

Bradley Barth
