This week, VMware announced three vulnerability updates that could require your attention. The first two affect VMware's vSphere Data Protection (VDP) solution and the other affects VMware's Horizon View Client for Mac (View Client).
According to a security advisory published on Tuesday of this week, two critical vulnerabilities were identified in VMware's vSphere Data Protection solution which could allow an attacker to execute commands on the virtual appliance, among other outcomes. The US-CERT (United States Computer Emergency Readiness Team) said on Wednesday that it encourages users and administrators to apply the necessary updates.
VMware vSphere Data Protection is a backup solution for use in vSphere environments, usually run in tandem with VMware's vCenter Server and vSphere Web Client.
According to VMware's security advisory published on Tuesday, the product suffers from a Java deserialization issue that could let a remote attacker execute commands.
VMware also warned of a second vulnerability in VDP that deals with how it stores credentials. According to the advisory, "VDP locally stores vCenter Server credentials using reversible encryption. This issue may allow plaintext credentials to be obtained."
And if the key is ever compromised, the data can be compromised as well.
Users running versions 6.1.x, 6.0.x, 5.8.x, and 5.5.x are encouraged to update to the newest versions, 6.1.4, 6.0.5, 6.0.5, and 6.0.5 respectively, to address both the deserialization issue and the reversible encryption issue.
And finally, according to a security advisory published on Thursday of this week, VMware announced that its VMware Horizon View Client contains a command injection vulnerability in the service startup script. Successful exploitation of this issue could allow unprivileged users to escalate their privileges to root on the Mac OSX system where the client is installed.
Those running VMware Horizon View Client for Mac (versions 2.x, 3.x and 4.x) are being asked to patch the vulnerability by replacing those versions with VMware Horizon View Client for Mac 4.5.0 which will address the issue.