VMware issued a security advisory containing several security updates for its vSphere ESXi and VMware vCenter Server products to patch command injection and information disclosure vulnerabilities.
Two of the vulnerabilities, CVE-2019-5532 and CVE-2019-5534, are rated as “important” with CVE-2017-16544 and CVE-2019-5531 considered “moderate” issues, VMware reported.
CVE-2019-5534 covers an issue where virtual machines deployed in an Open Virtualization Format (OVF) could expose login information via the virtual machine's vAppConfig properties. This can be resolved by updating to the latest version.
CVE-2019-5532 covers a situation where a malicious user with access to the log files containing vCenter OVF-properties of a virtual machine deployed from an OVF may be able to view the credentials used to deploy the OVF. This is typically done through the root account of the virtual machine. A patched version is now available for upload.
CVE-2019-5531 involves an information disclosure vulnerability in clients arising from insufficient session expiration that would allow an attacker with physical access or an ability to mimic a websocket connection to a user’s browser to possibly obtain control of a VM Console after the user has logged out or their session has timed out. A patched version is now available for upload.
CVE-2017-16544 is a vulnerability in ESXi where it contains a command injection vulnerability due to the use of vulnerable version of busybox that does not sanitize filenames. An attacker may exploit this issue by tricking an ESXi Admin into executing shell commands by providing a malicious file, VMware wrote. A patched version is now available for upload.