Information Technology News.


VMware pushes out a few security advisories for vSphere


November 24, 2016

VMware said earlier today that it has issued some security advisories, one of which, curiously, works in its favor.

System admins with experience in the virtualization segment of the IT industry have long complained that vSphere's interface is sub-optimal.

In response to those complaints, VMware has created a new HTML5 client interface that's been well-received.

Security researcher Lukasz Plonka says you now have a good reason to consider that interface, since the old one contains an XML External Entity security vulnerability in the Log Browser, the Distributed Switch setup, and the Content Library.

That security issue simply means that “a specially crafted XML request issued to the server by an authorized user may lead to unintended information disclosure.”

The good news is that the fix is simple: just download a new version of the old client and re-install it. That's it.

Alternatively, ditch the old client and move to the newly created HTML5 version, just as VMware wants you to.

The same issue, known as VMSA-2016-0022, also impacts vCenter Server and vRealize Automation, so updating to the latest versions of those products would be a wise idea.

VMSA-2016-0021 also appeared this week and covers a partial information disclosure security vulnerability in VMware's Identity Manager.

“Successful exploitation of the security problem may allow read access to files contained in the /SAAS/WEB-INF and /SAAS/META-INF directories remotely,” says VMware's advisory, which says an upgrade from version 2.x to 2.7.1 is the remedy.

You'll also need to upgrade vRealize Automation 7.x to 7.2.0, because it ships with a version of Identity Manager.

As the advisory numbers above suggest, these are VMware's 21st and 22nd bugs for 2016, rather more than last year's nine.

A few of this year's security holes were not VMware's fault and derived from third-party problems. Even with about twenty of its own errors fixed, VMware is still behind other competing vendors who patch hundreds of security issues each year.

Source: VMware.



All logos, trade marks or service marks on this site are the property of their respective owners.


       © IT Direction. All rights reserved.