Critical VMware Security Advisory VMSA-2017-0004.3 Remote Code Exploit


VMware just released a critical Security Advisory: VMSA-2017-0004.3. The vulnerability being patched is rated critical because it allows remote code execution and complete takeover of the affected server.

About the Critical VMware Security Advisory VMSA-2017-0004.3

We are going to re-post details here:
Advisory ID: VMSA-2017-0004.4
Severity: Critical
Synopsis: VMware product updates resolve remote code execution vulnerability via Apache Struts 2
Issue date: 2017-03-13
Updated on: 2017-03-16
CVE numbers: CVE-2017-5638
1. Summary

VMware product updates resolve remote code execution vulnerability via Apache Struts 2

2. Relevant Products
  • Horizon Desktop as-a-Service Platform (DaaS)
  • VMware vCenter Server (vCenter)
  • vRealize Operations Manager (vROps)
  • vRealize Hyperic Server (Hyperic)
3. Problem Description

Remote code execution vulnerability via Apache Struts 2

Multiple VMware products contain a remote code execution vulnerability due to the use of Apache Struts 2. Successful exploitation of this issue may result in the complete compromise of an affected product.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2017-5638 to this issue.

Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.
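As an added example (not part of the VMware advisory or this post), the following Python script shows the kind of log check a defender can run while the affected products remain unpatched. CVE-2017-5638 is the Apache Struts 2 Jakarta Multipart parser flaw, which is triggered by expression syntax carried in the request's Content-Type header, so a Content-Type value that is not a plain MIME type is itself the signal. The log format, the hostnames and every sample line below are constructed for this example; adapt `LOG_RE` to the format your reverse proxy or web server actually emits.

```python
"""Detection sketch for CVE-2017-5638 (Apache Struts 2 Jakarta Multipart parser).

Added example, not VMware code. The vulnerable parser evaluates an OGNL
expression found in the Content-Type header while building an error message.
Defensive logic does not need to understand OGNL: a header that should carry a
MIME type but contains expression syntax, or is not a well-formed MIME type at
all, is worth an alert. The script scans constructed log lines for that.
"""
import re
from dataclasses import dataclass

# Log format ASSUMED for this example (constructed): combined log with the
# request's Content-Type header appended as a final quoted field.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ctype>[^"]*)"$'
)

# Expression-language openers have no place in a MIME type; public IDS/WAF
# signatures for this CVE keyed on the same markers.
OGNL_MARKERS = re.compile(r'(%\{|\$\{)')

# A legitimate Content-Type: type/subtype with optional ;param=value pairs.
VALID_CTYPE = re.compile(r'^[\w.+-]+/[\w.+-]+(\s*;\s*[\w.-]+=("[^"]*"|[^;"\s]*))*\s*$')

# Constructed sample traffic: benign uploads and JSON calls, two requests with
# expression syntax in Content-Type, and one malformed header as a backstop case.
SAMPLE_LOG = """\
10.0.0.5 - - [13/Mar/2017:10:01:22 +0000] "POST /upload HTTP/1.1" 200 512 "multipart/form-data; boundary=----ConstructedBoundary01"
10.0.0.6 - - [13/Mar/2017:10:01:23 +0000] "GET /index.html HTTP/1.1" 200 2048 ""
10.0.0.9 - - [13/Mar/2017:10:01:24 +0000] "POST /upload HTTP/1.1" 500 0 "%{(#constructed_probe='marker')}"
10.0.0.9 - - [13/Mar/2017:10:01:25 +0000] "POST /upload HTTP/1.1" 500 0 "multipart/form-data; boundary=x; ${constructed}"
10.0.0.7 - - [13/Mar/2017:10:01:26 +0000] "POST /api HTTP/1.1" 200 64 "application/json; charset=utf-8"
10.0.0.8 - - [13/Mar/2017:10:01:27 +0000] "POST /upload HTTP/1.1" 400 0 "text/plain garbage"
"""


@dataclass
class Finding:
    src: str
    ts: str
    path: str
    ctype: str
    reason: str


def classify_content_type(ctype: str):
    """Return a reason string if the header looks suspicious, else None.

    An empty value (request carried no Content-Type) is not a finding.
    """
    if OGNL_MARKERS.search(ctype):
        return "OGNL expression syntax in Content-Type"
    if ctype and not VALID_CTYPE.match(ctype):
        # Backstop for obfuscated variants: anything that is not a MIME type
        # plus parameters should not reach the multipart parser unnoticed.
        return "Content-Type is not a well-formed MIME type"
    return None


def scan_log(lines):
    """Parse each log line and collect Findings for suspicious Content-Type values."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line; a production scanner would count these
        reason = classify_content_type(m["ctype"])
        if reason:
            findings.append(Finding(m["src"], m["ts"], m["path"], m["ctype"], reason))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{f.ts} {f.src} {f.path}: {f.reason} ({f.ctype!r})")
```

Run against the constructed sample, the scan flags the two requests from 10.0.0.9 for expression syntax and the 10.0.0.8 request as a malformed header, while the multipart upload, the bare GET and the JSON call pass. A response status of 500 paired with such a header is a useful secondary indicator, since the vulnerable parser raised an error on its way to evaluating the expression.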

4. Solution

Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.

Horizon Desktop as-a-Service Platform 7.0.0
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?downloadGroup=HORIZON_DAAS_700&productId=638&rPId=14833
https://kb.vmware.com/kb/2149495

Horizon Desktop as-a-Service Platform 6.1.6
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?downloadGroup=HORIZON-DAAS-610-BIN&productId=405&rPId=6527
https://kb.vmware.com/kb/2149500

VMware vCenter Server 6.5
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?downloadGroup=VC650B&productId=614&rPId=15190

VMware vCenter Server 6.0
Downloads and Documentation:
https://kb.vmware.com/kb/2149434

vRealize Operations Manager
Downloads and Documentation:
https://kb.vmware.com/kb/2149472

6. Change log

2017-03-13: VMSA-2017-0004

Initial security advisory in conjunction with the release of workarounds for VMware vCenter Server 6.5 and 6.0.

2017-03-14: VMSA-2017-0004.1

Security advisory update removing workaround for VMware vCenter Server 6.5 due to customer reported issues.

2017-03-14: VMSA-2017-0004.2
Security advisory update in conjunction with the release of VMware vCenter Server 6.5b.

2017-03-15: VMSA-2017-0004.3
Security advisory update in conjunction with the release of Horizon Desktop as-a-Service Platform 6.1.6 fixes and a vRealize Operations Manager workaround.

2017-03-16: VMSA-2017-0004.4
Security advisory update in conjunction with the release of Horizon Desktop as-a-Service Platform 7.0.0 fixes.

(Source: VMware)
For those who are running VMware Horizon Desktop as a Service or vCenter for virtualization, get patching. It is concerning that VMware did not release an immediate patch for vCenter 6.0.