VMware patches critical vCenter Server vulnerability


Remotely exploitable bug in Adobe-developed messaging system.

Virtualisation giant VMware has issued a patch to address a critical vulnerability in its vCenter Server management software that could be used to execute arbitrary code remotely.


The vulnerability affects vCenter Server versions 6.0 and 6.5 and was disclosed on 4 April, VMware said.

It originates in the open source Java-based Flex BlazeDS remoting and messaging protocol, developed by Adobe and now maintained by the Apache Foundation.

BlazeDS uses the binary Action Message Format version 3 (AMF3) to let Adobe Flash applications exchange messages with a server, serialising ActionScript object graphs into native data types on the receiving side.

Because the library deserialises untrusted Java objects supplied by the remote party, an attacker who can reach the endpoint could execute arbitrary code, VMware said.
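The mechanism described above, as an added illustration that is not code from the article, VMware or the BlazeDS project: a minimal AMF3 decoder in Python. The class name of a typed object arrives as attacker-controlled bytes, so the decoder checks it against an allow-list before building anything from it, which is the same idea behind hardening Java AMF deserialisers. The class names and messages below are constructed for the example.

```python
"""Minimal AMF3 decoder with a class allow-list (added illustration, not BlazeDS code)."""

# Type markers from the AMF3 specification
NULL, FALSE, TRUE, INTEGER, STRING, OBJECT = 0x01, 0x02, 0x03, 0x04, 0x06, 0x0A


class DisallowedClass(ValueError):
    """Raised when a typed object names a class outside the allow-list."""


def u29(n: int) -> bytes:
    """Encode an unsigned 29-bit integer in AMF3 variable-length form."""
    if n < 0x80:
        return bytes([n])
    if n < 0x4000:
        return bytes([(n >> 7) | 0x80, n & 0x7F])
    if n < 0x200000:
        return bytes([(n >> 14) | 0x80, ((n >> 7) & 0x7F) | 0x80, n & 0x7F])
    return bytes([(n >> 22) | 0x80, ((n >> 15) & 0x7F) | 0x80, ((n >> 8) & 0x7F) | 0x80, n & 0xFF])


def amf3_string(s: str) -> bytes:
    """Inline UTF-8 string: U29 holding (length << 1 | 1), then the bytes."""
    raw = s.encode("utf-8")
    return u29((len(raw) << 1) | 1) + raw


def encode_typed_object(class_name: str, members: dict) -> bytes:
    """Encode a sealed, non-dynamic typed object whose member values are strings."""
    traits = (len(members) << 4) | 0x03      # inline traits, not externalizable, not dynamic
    out = bytes([OBJECT]) + u29(traits) + amf3_string(class_name)
    out += b"".join(amf3_string(name) for name in members)
    out += b"".join(bytes([STRING]) + amf3_string(value) for value in members.values())
    return out


class Amf3Reader:
    def __init__(self, data: bytes, allowed_classes):
        self.data, self.pos = data, 0
        self.allowed = frozenset(allowed_classes)   # constructed allow-list, e.g. {"com.example.Greeting"}
        self.strings = []   # string reference table
        self.traits = []    # traits reference table

    def _byte(self) -> int:
        b = self.data[self.pos]
        self.pos += 1
        return b

    def _u29(self) -> int:
        n = 0
        for _ in range(3):                   # first three bytes carry 7 bits each
            b = self._byte()
            if not b & 0x80:
                return (n << 7) | b
            n = (n << 7) | (b & 0x7F)
        return (n << 8) | self._byte()       # fourth byte carries all 8 bits

    def _string(self) -> str:
        ref = self._u29()
        if not ref & 1:                      # reference into the string table
            return self.strings[ref >> 1]
        length = ref >> 1
        s = self.data[self.pos:self.pos + length].decode("utf-8")
        self.pos += length
        if s:                                # the empty string is never added to the table
            self.strings.append(s)
        return s

    def read(self):
        marker = self._byte()
        if marker == NULL:
            return None
        if marker in (FALSE, TRUE):
            return marker == TRUE
        if marker == INTEGER:
            v = self._u29()
            return v - 0x20000000 if v & 0x10000000 else v   # sign-extend 29 bits
        if marker == STRING:
            return self._string()
        if marker == OBJECT:
            return self._object()
        raise ValueError(f"unsupported AMF3 marker 0x{marker:02x}")

    def _object(self):
        ref = self._u29()
        if not ref & 1:
            raise ValueError("object back-references not supported")
        if not ref & 2:                      # traits reference
            class_name, members, dynamic = self.traits[ref >> 2]
        else:                                # inline traits
            if ref & 4:
                raise ValueError("externalizable objects not supported")
            dynamic = bool(ref & 8)
            class_name = self._string()
            members = [self._string() for _ in range(ref >> 4)]
            self.traits.append((class_name, members, dynamic))
        # The check that matters: the class name is untrusted input from the wire.
        if class_name not in self.allowed:
            raise DisallowedClass(class_name)
        obj = {"__class__": class_name}
        for name in members:
            obj[name] = self.read()
        while dynamic:                       # dynamic members end with an empty key
            key = self._string()
            if key == "":
                break
            obj[key] = self.read()
        return obj


def decode(data: bytes, allowed_classes):
    return Amf3Reader(data, allowed_classes).read()
```

The decoder deliberately refuses externalizable objects and object back-references; a real implementation that supports them has to apply the same allow-list check at every point where a class name or type is resolved, not only in the common path.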

According to the company, the issue is present in the vCenter Server Customer Experience Improvement Program (CEIP). Even if customers opt out of the CEIP, the vulnerability remains. 

Markus Wulftange from security vendor Code White discovered the bug. He said the AMF3 vulnerability could affect other vendors as well, including Adobe, Atlassian, HPE and SonicWall, which also use the Java libraries in question.

Atlassian has acknowledged the flaw, and patched the critical vulnerability in its JIRA Server Workflow Designer plugin in March this year.

Copyright © iTnews.com.au. All rights reserved.