VMware warns of vCenter cross-site-scripting bug
Six quick fixes flicked to give vAdmins Friday snits
It's Friday! By later this afternoon you'll be working at half-pace and contemplating weekend fun.
Unless you run VMware's vCenter control freak, because Virtzilla has just revealed a nasty cross-site scripting flaw in the product.
“VMware vCenter Server Appliance (vCSA) contains a vulnerability that may allow for Cross Site Scripting. Exploitation of this vulnerability in vCenter Server requires tricking a user to click on a malicious link or to open a malicious web page while they are logged in into vCenter,” says VMware's advisory, issued late on Thursday US time.
Another newly-identified issue, one of six revealed here, means “vCenter Server does not properly validate the presented certificate when establishing a connection to a CIM Server residing on an ESXi host.” That makes Man-in-the-middle attacks against the CIM service possible.
Virtzilla's other patches look less worrying as they address small issues and third-party code on which VMware products depend.
The good news is that while there are patches coming for some of the problems, the first two can be sorted with updates to vCenter Server. Only vCenter 5.1 needs the update for the XSS bug, but all versions from 5.0 to 5.5 need attention for the certificate mess.
Rushed update implementations aren't any fun, but if VMware says your production systems need them – on Friday – who are you to disagree? ®