ATTN: VMware administrators.  Do you have plans this afternoon?  What about this weekend? 

"Patch now!" is the word coming down from the VMware mothership after the company revealed a new security flaw (VMSA-2016-0004) this week in the VMware Client Integration Plug-in that if exploited by an attacker could lead to a man-in-the-middle attack.

This announcement comes only a month after VMware announced a previous critical vulnerability, a cross-site scripting issue in vRealize for Linux. 

According to this latest advisory, the problem existed in VMware’s Client Integration plug-in, a collection of tools found in a handful of other products shipped by the virtualization giant, including some versions of its vCenter Server, vCloud Director and vRealize Automation Identity Appliance.  The plug-in helps users access a virtual machine’s console and is used in tandem with vSphere, VMware’s web client.

The issue is that the plug-in fails to handle session content in a safe way, something that could have allowed an attacker to carry out a Man-in-the-Middle attack or a Web session hijacking in case the user of the vSphere Web Client visits a malicious Web site.

In order to remediate the issue, both the server side (i.e. vCenter Server, vCloud Director, and vRealize Automation Identity Appliance) AND the client side (i.e. CIP of the vSphere Web Client) would need to be updated.

Not all versions of the software are vulnerable.  So far, VMware has only identified: vCenter Server 6.0 (any 6.0 version prior to 6.0 U2); vCenter Server 5.5 U3a, U3b, U3c; vCloud Director 5.5.5; and vRealize Automation Identity Appliance 6.2.4.

Sounds like the recently announced HTML5 Web Client couldn't come soon enough.