A patch released in October by VMware failed to completely fix a remote code execution vulnerability (CVE-2015-2342) in vCenter Server that had been rated critical, but the company corrected the issue by releasing an additional patch Saturday.
After the original patch was issued, “subsequently, it was found that the fix…was incomplete and did not address the issue,” the VMware advisory said. The company gave the nod to Doug McLeod of 7 Elements Ltd. and an anonymous researcher working through the HP Zero Day Initiative for discovering the shortcoming.
The company urged users to patch immediately. “Even if the Windows Firewall is enabled, users are advised to install the additional patch in order to remove the local privilege elevation,” the advisory said.