Virtualization Technology News and Information
VMware Patches Critical Vulnerability In View Server Software

On Thursday, VMware addressed a critical directory traversal vulnerability in its View server product.  If exploited, a remote attacker could gain access to arbitrary files from affected View Servers.

This vulnerability affects both the VMware View Connection Server and the View Security Server.  VMware recommends that customers update both servers immediately.  Affected versions include VMware View 5.x prior to version 5.1.2, and VMware View 4.x prior to version 4.6.2.

For those who are unable to immediately patch their View Servers, VMware offered the following workaround options:

  • Disable Security Server - Disabling the Security Server will prevent exploitation of this vulnerability over untrusted remote networks. To restore functionality for remote users, allow them to connect to the Connection Server via a VPN.
  • Block directory traversal attempts - It may be possible to prevent exploitation of this issue by blocking directory traversal attacks with an intrusion protection system or application layer firewall.
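
The second workaround depends on the filter normalising the request target before it looks for `..`, because the sequence can arrive percent-encoded, double-encoded, with backslashes, or as overlong UTF-8. The sketch below is an added example, not VMware's code or any vendor's rule set. The request lines and paths are constructed, since the article gives no request format for this issue.

```python
import re
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 3  # assumption: unwraps up to triple percent-encoding

# Overlong UTF-8 forms of '.', '/' and '\' that lenient decoders may accept
_OVERLONG = {"%c0%ae": ".", "%c0%af": "/", "%c1%9c": "\\"}

def normalise(target: str) -> str:
    """Repeatedly decode a request target until it stops changing."""
    for _ in range(MAX_DECODE_ROUNDS):
        step = target
        for enc, ch in _OVERLONG.items():
            # lambda replacement avoids backslash-escape handling in re.sub
            step = re.sub(re.escape(enc), lambda m: ch, step, flags=re.I)
        decoded = unquote(step)
        if decoded == target:
            break
        target = decoded
    return target.replace("\\", "/")  # treat Windows separators like '/'

def is_traversal(target: str) -> bool:
    """True if any path or query segment is exactly '..' after decoding."""
    path = normalise(target.split("#", 1)[0])
    return any(seg == ".." for seg in re.split(r"[/?&=;]", path))

SAMPLE_REQUESTS = [  # constructed for this example, not captured traffic
    "GET /portal/index.html HTTP/1.1",
    "GET /docs/release..notes.txt HTTP/1.1",
    "GET /portal/../../conf/settings.xml HTTP/1.1",
    "GET /portal/%2e%2e/%2e%2e/conf/settings.xml HTTP/1.1",
    "GET /portal/%252e%252e%255cconf%255csettings.xml HTTP/1.1",
    "GET /portal/%c0%ae%c0%ae%c0%afconf HTTP/1.1",
    "GET /download?file=..%2f..%2fconf HTTP/1.1",
]

def flagged(requests):
    """Return the request lines whose target contains a traversal segment."""
    out = []
    for line in requests:
        parts = line.split(" ")
        if len(parts) == 3 and is_traversal(parts[1]):
            out.append(line)
    return out

if __name__ == "__main__":
    for line in flagged(SAMPLE_REQUESTS):
        print("BLOCK", line)
```

Matching whole `..` segments rather than the substring keeps names such as `release..notes.txt` from being blocked.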

VMware credited researchers from Digital Defense, Inc. (DDI) Vulnerability Research Team (VRT) for reporting the issue.

The release notes with additional details and download links are available here: View 5.1.2 Release Notes and Download Page -- View 4.6.2 Release Notes and Download Page

 

Published Friday, December 14, 2012 9:25 AM by David Marshall