VMware Patches XSS Vulnerabilities in vRealize for Linux

March 21, 2016
By David Marshall

The stored XSS flaws in vRealize only affect some versions, but could lead to the compromise of user workstations

VMware has patched two cross-site scripting issues this week in several editions of the company’s vRealize software.  The flaws reportedly could be exploited in stored XSS attacks and lead to remote code execution and the compromise of business workstations.  

A VMware security advisory was posted on Tuesday, citing issues with Linux versions of VMware vRealize Automation 6.x prior to 6.2.4, and VMware vRealize Business Advanced and Enterprise 8.x prior to 8.2.5.
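The advisory's affected ranges are easy to misjudge if versions are compared as strings (for example, "6.10" sorts before "6.2" lexically). The following is an added example, not code from the article or from VMware, that encodes the two ranges quoted above and compares version numbers numerically; the product labels are assumptions chosen for this example.

```python
import re

# Constructed from the advisory ranges quoted in the article:
# (affected major version, first fixed version) per product label.
# The labels themselves are assumptions for this example.
AFFECTED_RANGES = {
    "vRealize Automation": (6, (6, 2, 4)),   # 6.x prior to 6.2.4
    "vRealize Business":   (8, (8, 2, 5)),   # 8.x prior to 8.2.5
}

def parse_version(text):
    """Turn '6.2.3' or '6.2.3-build1234' into an int tuple.

    Tuple comparison avoids the string-compare mistake where
    '6.10.0' would wrongly sort below '6.2.4'.
    """
    m = re.match(r"^\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))   # pad '6.2' -> (6, 2, 0)

def is_affected(product, version):
    """True if product/version lies inside the advisory's affected range."""
    major, first_fixed = AFFECTED_RANGES[product]
    v = parse_version(version)
    return v[0] == major and v < first_fixed

if __name__ == "__main__":
    # Constructed sample inputs, including a build suffix and a two-part version.
    for product, version in [("vRealize Automation", "6.2.3"),
                             ("vRealize Automation", "6.2.4"),
                             ("vRealize Business", "8.2"),
                             ("vRealize Business", "8.2.5-build42")]:
        state = "affected" if is_affected(product, version) else "not affected"
        print(f"{product} {version}: {state}")
```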

Linux users operating affected versions are urged to patch their environments as soon as possible to address the problem.  According to the National Institute of Standards and Technology (NIST), the vulnerability could allow "remote authenticated users to inject arbitrary web script or HTML via unspecified vectors."

SecurityTracker, which keeps track of the industry’s latest security vulnerabilities, further described the issue, adding:

The software does not properly filter HTML code from user-supplied input before displaying the input. A remote user can cause arbitrary scripting code to be executed by the target user’s browser. The code will originate from the target user’s client workstation and will run in the security context of that system. As a result, the code will be able to access the target user’s cookies (including authentication cookies), if any, associated with the system, access data recently submitted by the target user via web form to the system, or take actions on the system acting as the target user.

The vulnerability in VMware vRealize Automation (CVE-2015-2344) was reported by independent researcher Lukasz Plonka, while senior IT security consultant Alvaro Trigo Martin de Vidales of Deloitte Spain found and reported the second issue (CVE-2016-2075) in the vRealize Business Advanced and Enterprise versions.

Builds on other operating systems including Microsoft Windows were not affected, according to VMware.

Patches for these flaws have already been made available for download. You can find out more information about each of these issues, and gain access to the security patches, in VMware's advisory.

This is already the third update for VMware in 2016.  Last month, VMware reissued a security fix for a problem thought to have been patched in October 2015, a critical remote code execution vulnerability in vCenter that could let unauthenticated users connect to the vCenter Server and run code.

About the Author

David Marshall is an industry-recognized virtualization and cloud computing expert, a seven-time recipient of the VMware vExpert distinction, and has been heavily involved in the industry for the past 16 years. To help solve industry challenges, he co-founded and helped start several successful virtualization software companies such as ProTier, Surgient and Hyper9, and also spent a few years transforming desktop virtualization while at Virtual Bridges.

David is also a co-author of two very popular server virtualization books: "Advanced Server Virtualization: VMware and Microsoft Platforms in the Virtual Data Center" and "VMware ESX Essentials in the Virtual Data Center." He was also the Technical Editor on Wiley's "Virtualization for Dummies" and "VMware VI3 for Dummies" books. David has also authored countless articles for a number of well-known technical magazines, including InfoWorld, Virtual-Strategy and TechTarget. In 2004, he founded the oldest independent virtualization and cloud computing news site, VMblog.com, which he still operates today.

Follow David Marshall

Twitter: @vmblog
LinkedIn: https://www.linkedin.com/in/davidmarshall
Blog: http://vmblog.com