VMware released security updates to address a vulnerability in vCenter Server.
According to the company’s security advisory VMSA-2017-0007, the upgrade mitigates a remote code execution vulnerability via BlazeDS. The vulnerability was designated critical.
Successful exploitation of the flaw could enable a remote attacker to gain control of an affected system.
The remote code execution vulnerability in VMware vCenter Server is due to the use of BlazeDS to process AMF3 messages, the company stated. “This issue may be exploited to execute arbitrary code when deserializing an untrusted Java object.”
The flaw exists in the functionality of the Customer Experience Improvement Program (CEIP). The bug is present even if a customer has opted out of the program.
The Common Vulnerabilities and Exposures project assigned the identifier CVE-2017-5641 to this issue.
US-CERT advised users and administrators to review the advisory and update as necessary.