VMware patches XSS flaws in vRealize

VMware's Linux version of two vRealize products received the first maintenance release for version 7 and also became the subject of a security alert on Tuesday (March 16).

If exploited, the flaws could lead to the compromise of a user's client workstation.

The issue in vRealize Automation was reported by independent researcher Lukasz Plonka, while the issue in vRealize Business Advanced and Enterprise was discovered by Alvaro Trigo Martin de Vidales, a senior IT security consultant with Deloitte Spain. vRealize Business is a product designed to automate the core financial processes needed to plan and optimize the cost and value of IT in an organization.

The bugs, stored cross-site scripting (XSS) vulnerabilities and rated important, exist in the company’s vRealize Automation and vRealize Business Advanced and Enterprise platforms.

The vulnerability has been patched with the release of VMware vRealize Automation 6.2.4. vRealize Automation 7.x for Linux and vRealize Automation 5.x for Windows are not affected.

The new bits include a management agent to automate the installation of Windows components and to collect logs, and an installation Wizard that automates a Minimal or Enterprise installation.

Although the fix is available, the new version still has a number of known issues. For example, a virtual machine is deleted during reprovisioning when a datastore is moved from one SDRS cluster to another, and after upgrading to vRealize Automation 7.0, duplicate catalog items for the same business group appear in the catalog. Nevertheless, the patch does close the hole that allowed client workstations to be compromised.

It's the third issue VMware has patched in its products this year. The updates follow a set of patches the company released to address last month's critical glibc vulnerability and a series of updates it pushed in January to address a privilege escalation bug in ESXi, Fusion, Player, and Workstation.

In February, the company was forced to reissue a patch it had originally released last October, because that patch failed to address a serious remote code execution vulnerability in vCenter that let remote attackers connect to the vCenter Server and run code. While Windows Firewall mitigated the issue, VMware officials still encouraged users to reapply the revised patch.