Fancy the new HTML vSphere client? Go get it: The old one has a security problem
Virtzilla has one other security worry too, in Identity Manager
VMware's popped out a couple of security advisories, one of which helps it in a perverse way.
vAdmins have long complained that vSphere's interface is … let's spare VMware some blushes and just say “sub-optimal”. Virtzilla has therefore created a shiny new HTML 5 client that's been well-received. And now, thanks to Positive Technologies and a security researcher named Lukasz Plonka, you have a very good reason to consider that client because the old one “contains an XML External Entity (XXE) vulnerability in the Log Browser, the Distributed Switch setup, and the Content Library.
That vulnerability means that “A specially crafted XML request issued to the server by an authorized user may lead to unintended information disclosure.”
The fix is simple: download a new version of the old client and re-install. Or just ditch the client and go to the shiny new HTML 5 version, just like VMware wants you to.
The same problem, known as VMSA-2016-0022, also impacts vCenter Server and vRealize Automation. Updating to latest versions of those products is a fine idea.
VMSA-2016-0021 also emerged this week and offers a partial information disclosure vulnerability in VMware Identity Manager.
“Successful exploitation of the vulnerability may allow read access to files contained in the /SAAS/WEB-INF and /SAAS/META-INF directories remotely,” says VMware's advisory, which says an upgrade from version 2.x to 2.7.1 is the remedy. You'll also need to upgrade vRealize Automation 7.x to 7.2.0, because it ships with a version of Identity Manager.
As the incident numbers above suggest, these are VMware's 21st and 22nd bugs of the year, rather more than 2015's nine. A couple of this year's flaws were not VMware's fault, but derived from third party problems, but even with about 20 of its own errors fixed VMware is well behind – or maybe ahead – of other vendors who patch hundreds of problems each year. ®