On Tuesday, 4 April 2017, a remote code-execution issue in the BlazeDS library (CVE-2017-5641) was disclosed in a US-CERT security advisory. We have reviewed the issue and determined that VMware vCenter Server 6.5 and 6.0 are affected because they use BlazeDS to process AMF3 messages. VMware vCenter Server 5.5 is not affected.
We have released the following new security advisory which documents the fixes for VMware vCenter Server 6.5 and 6.0 along with the workarounds:
VMSA-2017-0007 – VMware vCenter Server update resolves a remote code execution vulnerability via BlazeDS
Successful exploitation of this issue may allow an attacker to execute arbitrary code when the server deserializes an untrusted Java object. The issue is present in the Customer Experience Improvement Program (CEIP) opt-in UI, and it remains present even if a customer has opted out of CEIP. Resolving this vulnerability requires applying the fixes or the workarounds. We have also investigated this issue against other VMware products; VMware products not listed in the security advisory are not affected.
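The risk described above comes from the way an AMF3 message names the Java class the receiver should instantiate: each AMF3 object carries its class name (and a flag marking it "externalizable", meaning the class itself reads the bytes that follow), and BlazeDS builds the corresponding Java object from untrusted input. The scanner below, added here as an illustration and not code from VMware or from BlazeDS, decodes the AMF3 object envelope just far enough to report which class names a message asks the server to instantiate and whether any of them is externalizable, then compares them against an allowlist. The two payloads, the class names `com.example.Ping` and `com.example.Blob`, and the allowlist are all constructed for this example; the byte layout follows the public AMF3 specification. Such a check helps a defender inspect captured traffic or gate a deserialization endpoint, but it is not a substitute for the fixes or workarounds in the advisory.

```python
"""Minimal AMF3 scanner: lists the class names an AMF3 payload would instantiate.

Added example, not VMware or BlazeDS code.  Supports the markers that matter for
the envelope (null/bool/integer/double/string/object); other markers raise.
"""

# AMF3 type markers (from the AMF3 specification)
MARK_UNDEFINED, MARK_NULL, MARK_FALSE, MARK_TRUE = 0x00, 0x01, 0x02, 0x03
MARK_INTEGER, MARK_DOUBLE, MARK_STRING, MARK_OBJECT = 0x04, 0x05, 0x06, 0x0A


class Amf3Scanner:
    def __init__(self, data: bytes):
        self.data = data
        self.pos = 0
        self.strings = []   # string reference table
        self.traits = []    # trait (class description) reference table
        self.classes = []   # (class_name, externalizable) in order of appearance
        self.truncated = False  # True once an externalizable object stops parsing

    def read_u29(self) -> int:
        """Variable-length 29-bit integer: 1-3 bytes of 7 bits, optional 4th byte of 8 bits."""
        value = 0
        for _ in range(3):
            b = self.data[self.pos]
            self.pos += 1
            value = (value << 7) | (b & 0x7F)
            if not b & 0x80:
                return value
        b = self.data[self.pos]
        self.pos += 1
        return (value << 8) | b

    def read_string(self) -> str:
        """UTF-8-vr: low bit 1 = inline string of (ref >> 1) bytes, else a table reference."""
        ref = self.read_u29()
        if not ref & 1:
            return self.strings[ref >> 1]
        n = ref >> 1
        s = self.data[self.pos:self.pos + n].decode("utf-8")
        self.pos += n
        if s:  # the empty string is never added to the reference table
            self.strings.append(s)
        return s

    def read_value(self) -> None:
        marker = self.data[self.pos]
        self.pos += 1
        if marker in (MARK_UNDEFINED, MARK_NULL, MARK_FALSE, MARK_TRUE):
            return
        if marker == MARK_INTEGER:
            self.read_u29()
        elif marker == MARK_DOUBLE:
            self.pos += 8
        elif marker == MARK_STRING:
            self.read_string()
        elif marker == MARK_OBJECT:
            self.read_object()
        else:
            raise ValueError(f"unsupported AMF3 marker 0x{marker:02x}")

    def read_object(self) -> None:
        """U29O-traits: bit0 inline object, bit1 inline traits, bit2 externalizable,
        bit3 dynamic, remaining bits = number of sealed members."""
        ref = self.read_u29()
        if not ref & 1:
            return  # reference to an object already seen; already recorded
        if not ref & 2:
            name, externalizable, dynamic, members = self.traits[ref >> 2]
        else:
            externalizable = bool(ref & 4)
            dynamic = bool(ref & 8)
            name = self.read_string()
            members = [self.read_string() for _ in range(ref >> 4)]
            self.traits.append((name, externalizable, dynamic, members))
        self.classes.append((name, externalizable))
        if externalizable:
            # The named class defines its own byte layout from here on, so a generic
            # scanner cannot continue.  Record that fact and stop.
            self.truncated = True
            self.pos = len(self.data)
            return
        for _ in members:
            self.read_value()
        if dynamic:  # dynamic members follow as (name, value) pairs ending with ""
            while self.read_string() != "":
                self.read_value()


def scan_amf3(payload: bytes):
    """Return ([(class_name, externalizable), ...], truncated) for a raw AMF3 value stream."""
    s = Amf3Scanner(payload)
    while s.pos < len(s.data):
        s.read_value()
    return s.classes, s.truncated


def classes_outside_allowlist(payload: bytes, allowlist) -> list:
    """Named classes the payload would instantiate that are not explicitly allowed."""
    classes, _ = scan_amf3(payload)
    return sorted({name for name, _ in classes if name and name not in allowlist})


# Constructed sample 1: object of hypothetical class com.example.Ping with one sealed
# member "id" = 7.  Traits U29 0x13 = 1 member, inline traits, not externalizable.
SAMPLE_PING = bytes([MARK_OBJECT, 0x13, 0x21]) + b"com.example.Ping" \
    + bytes([0x05]) + b"id" + bytes([MARK_INTEGER, 0x07])

# Constructed sample 2: externalizable object of hypothetical class com.example.Blob
# (traits U29 0x07) followed by opaque class-defined bytes.
SAMPLE_EXT = bytes([MARK_OBJECT, 0x07, 0x21]) + b"com.example.Blob" + b"\x00\x01\x02"

ALLOWLIST = {"com.example.Ping"}  # hypothetical set of classes the endpoint expects

if __name__ == "__main__":
    for label, payload in (("ping", SAMPLE_PING), ("ext", SAMPLE_EXT)):
        classes, truncated = scan_amf3(payload)
        print(label, classes, "truncated" if truncated else "",
              "unexpected:", classes_outside_allowlist(payload, ALLOWLIST))
```

The scanner deliberately stops at the first externalizable object: from that point the bytes are interpreted by the named class, so the only safe generic observation is that such a class is being requested. In a review of captured traffic, any non-empty result from `classes_outside_allowlist`, or a `truncated` result, is the signal to look more closely.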
We would like to thank Markus Wulftange of Code White GmbH for reporting this issue to us.
Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.