VMware released a security advisory for a critical issue in the firm’s Client Integration Plugin (CIP) that could allow man-in-the-middle (MitM) attacks or web session hijacking.
The vulnerability is present in versions of the CIP that are shipped with vCenter Server 6, vCenter Server 5.5 U3a, U3b, U3c, vCloud Director 5.5.5, and vRealize Automation Identity Appliance 6.2.4, according to the April 14 advisory.
Researchers said in the advisory that the issue is caused by the plugin not handling session content in a safe way.
In order to remediate the issue, researchers said users will need to update both the server side and the client side of the application.
“After installing the updated version, the Client Integration Plugin will need to be updated on all systems from which the vSphere Web Client is used to connect to vCenter Server, vCloud Director and vRealize Automation Identity Manager,” the advisory said.