The stored XSS flaws in vRealize only affect some versions, but could lead to the compromise of user workstations
VMware has patched two cross-site scripting issues this week in several editions of the company's vRealize software. The flaws reportedly could be exploited in stored XSS attacks and lead to remote code execution and the compromise of business workstations.
A VMware security advisory was posted on Tuesday, citing issues with Linux versions of VMware vRealize Automation 6.x prior to 6.2.4, and VMware vRealize Business Advanced and Enterprise 8.x prior to 8.2.5.
Linux users operating affected versions are urged to patch their environments as soon as possible to address the problem. According to the National Institute of Standards and Technology (NIST), the vulnerability could allow "remote authenticated users to inject arbitrary web script or HTML via unspecified vectors."
SecurityTracker, which keeps track of the industry's latest security vulnerabilities, further described the issue, adding:
The software does not properly filter HTML code from user-supplied input before displaying the input. A remote user can cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the target user's client workstation and will run in the security context of that system. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the system, access data recently submitted by the target user via web form to the system, or take actions on the system acting as the target user.
The vulnerability identified in the VMware vRealize Automation solution (CVE-2015-2344) was reported by independent researcher Lukasz Plonka, while senior IT security consultant Alvaro Trigo Martin de Vidales of Deloitte Spain found and reported the second issue (CVE-2016-2075) in the vRealize Business Advanced and Enterprise versions.
Builds on other operating systems including Microsoft Windows were not affected, according to VMware.
Patches for these vulnerabilities have already been made available for download. You can find out more information about each of these issues, and gain access to the security patches, in VMware's security advisory.
This is already the third update for VMware in 2016. Last month, VMware reissued a security fix for a problem thought to have been patched in October 2015, a critical remote code execution vulnerability in vCenter that could let unauthenticated users connect to the vCenter Server and run code.